Data Protection Reform: What to be aware of
Top tips for the education sector to help you digest the data protection reform.
GDPR, DPA, FPS, ICO… confused? You should be.
Over the last 18 months, enquiries, reviews, a media frenzy around over-communicating, a new fundraising regulatory body and a perceived public mistrust of the sector all mean that the next two years will see significant changes that affect us all. Organisations close to the centre like Blackbaud and CASE are well placed to support and inform you every step of the way.
Take 3 minutes and digest our handy guide to what’s going on:
The key bodies, laws and acronyms to be aware of:
• Data Protection Act (DPA) 1998 — EU law
• Privacy and Electronic Communications Regulations (PECR) 2003 — EU law
• General Data Protection Regulation (GDPR) 2018 — EU law
• Information Commissioners Office (ICO) — UK regulator responsible for interpreting and enforcing GDPR
• Public Fundraising Regulatory Association (PFRA) — now replaced by Fundraising Regulator
• Fundraising Standards Board (FRSB) — now replaced by Fundraising Regulator
• The Fundraising Regulator (FR)
GDPR:
General Data Protection Regulation
An EU law passed by Council of the European Union on 27th April 2016.
What is it?
Replaces the DPA (1998) and PECR (2003)
Who is impacted?
All organisations that process personal data. It affects both non-profit and for-profit organisations, big and small.
What about Brexit?
Brexit will not change the UK’s compliance requirements. Any negotiations as we leave the EU will include equivalency with EU law on data protection.
When?
GDPR “enters into application” (becomes active law) on May 25th 2018. For the UK, the ICO will release its interpretation of the law in November 2016. Unlike a European Directive, GDPR is a Regulation that does not require any enabling legislation to be passed by national governments.
What’s changed from the Data Protection Act 1998?
Some of the key differences to be aware of are:
• Increased enforcement powers: eg. maximum fines of up to €20 million or 4% of total annual worldwide turnover of the preceding year (whichever is higher).
• Extended geographical scope: non-EU businesses will be subject to the regulation if they provide their service to EU organisations, or monitor the behaviour of EU residents.
• Consent: More rigorous criteria will be applied to obtaining individuals’ consent: it must be freely given, specific, informed and unambiguous. Eg. fundraising consent may not be valid if it is given when grouped with non-fundraising matters.
• Opt-in: Crucially, where consent is involved, non-profits must gain explicit, ‘opt-in’ consent. (See below.)
• Profiling: Individuals will have the right to object to profiling, which includes most forms of online tracking and wealth screening.
• The right to be forgotten: Individuals will have the right to request that an organisation delete all their personal data.
Opt-In, instead of Opt-Out
This is one of the most significant changes: data can only be legally ‘held and used’ if a person has actively and positively opted in. Consent under the GDPR requires some form of “clear affirmative action”.
• Silence, pre-ticked boxes or inactivity does not constitute consent.
• Consent must be verifiable. This means that some form of record must be kept of how and when consent was given.
• Individuals have a right to withdraw consent at any time.
• Explicit permission to contact through different channels, eg. phone / email / text / post.
• The consent must be “informed consent”.
Note that the ICO’s November interpretation of GDPR will give us all greater clarity around ‘legitimate interest’ — ie. do we need to get a supporter’s opt-in consent if we have a legitimate interest to market to them? This was allowed under DPA — it’s not so clear now.
Fundraising Regulator and Fundraising Preference Service
Following Sir Stuart Etherington’s 2015 review into the self-regulation of charities, he made two key recommendations to Parliament:
- One single regulator should replace IoF Guidelines + PFRA + FRSB: ‘The Fundraising Regulator’
Chair: Lord Michael Grade
CEO: Stephen Dunmore (interim)
- There should be a fundraising equivalent to the Mail Preference Service (MPS) and the Telephone Preference Service (TPS): the ‘Fundraising Preference Service’ (FPS).
The Fundraising Regulator
What is it?
• New, voluntary and independent regulator
• Set fundraising practice code for UK
• Charity-funded (48 of the largest charities)
• Responsible for fundraising preference service
• Investigates donor complaints
Who is impacted?
• UK non-profits
When?
• Active immediately — the Fundraising Regulator came into being on 7th July 2016.
Fundraising Preference Service
What is it?
• An ‘opt-out’ mechanism that will be introduced in the first half of 2017, to address donor frustration over how and when they are solicited
• Allow individuals a “complete opt-out from receipt of future specified fundraising communications” from a single place — the so-called “large red button”.
• Also allow individuals to opt-out of fundraising selectively, by registering with FPS but exempting specified organisations of their choosing.
• The FPS works in conjunction with the TPS and MPS. It “should not be seen as some form of over-ride to the TPS and MPS”. Charities must “respect the preferences expressed by individuals under these schemes”.
• An individual’s registration with the FPS is for two years, and will lapse if not renewed.
• A charity with a pre-existing relationship with an individual who registers with the FPS will be permitted to contact them once within 28 days of their registration to confirm the individuals’ intent was to exclude them.
Who is impacted?
• UK non-profits
• Due to necessary operational costs of adhering to the FPS, it has been deemed “necessary to initially limit the scope of the FPS” as regards the size of organisation to which is applies. The threshold has not yet been set, though is expected to be organisations whose expenditure on direct marketing exceeds £100,000 per year.
When?
• Due to launch in the first half of 2017
Quotes taken from the Fundraising Regulator’s final report, issued September 2016.
Remember the Upcoming key dates:
· November 2016: ICO to release its interpretation of GPDR. (ICO is the regulator, they interpret the GDPR and have the power to audit and fine organisations.)
· 2017: Launch of FPS (exact date TBC, but likely to be before June.)
· May 2018: GDPR becomes law
Blackbaud will be keeping their Data Protection Form page updated whenever new information is released.
