Update on CASE activities to support members in their GDPR planning from Jennie Moule, Interim Executive Director, CASE Europe

It has been a busy few months since I last wrote to update you on CASE’s activities to support our members with their preparations for the incoming General Data Protection Regulations (GDPR) in May 2018. This blog post will provide details of the advocacy we have been doing on your behalf, the events and resources we are putting in place, and updates from three of our partners: Blackbaud Europe, Grenzebach Glier & Associates, and More Partnership. Apologies in advance for its length but it is important news and I wanted to make sure you had all the details.

Universities have an alternative to opt-in consent

On the 23rd May, I went to meet with the Department of Culture, Media and Sport and the Information Commissioner’s Office to talk about the definition of public authorities under GDPR and what that will mean for universities, and the use of prospect research in major gift fundraising.

The big news from this meeting is that both DCMS and ICO confirmed that, whilst we do not have clarity at this stage as to whether universities will be defined as Public Authorities under GDPR, HEIs will be able to rely on either legitimate interest or public task as an alternative legal basis to consent for processing personal data under GDPR*.

[*caveats apply! Consent will still be required under PECR for electronic communications and some fundraising activities may still require consent. See below for more info]

I am sure you will agree that this is hugely reassuring news. You do not need to rush to embark on a full-scale consent campaign in order to continue building respectful and mutually beneficial relationships with your alumni and other supporters, unless you want to.

Here are the full details of that meeting:

The meeting had been arranged by the University of Cambridge, to whom we are very grateful for their ongoing advocacy and support. We met with Amanda Williams, who is leading the team at the Department of Culture, Media and Sport that are overseeing the GDPR implementation in the UK; Lynsey Smith, Group Policy Manager at the Information Commissioner’s Office and their consent lead; and Vicky Cetinkaya, Senior Policy Officer at the ICO. As well as a Cambridge delegation including their Director of Communications, Head of Legal Services, Data Protection Officer, and Head of Information Services for Development and Alumni Relations, Barry Skingle, I was joined by Sarah Howes, chair of the CASE UUK working group on regulation and compliance, and Rosalind Lowe, Policy Researcher at UUK.

We are awaiting the write-up of the meeting from the DCMS, which we plan to circulate, but in the meantime I wanted to share with you the things I took away:

• It is highly likely that the definition of a Public Authority under FOI will be maintained, and we will get clarification about this from the DCMS shortly. There didn’t appear to be an appetite for new legislation where definitions already exist (eg in FOI).

• However, and this is the biggy when it comes to how universities can respond to GDPR, there was acceptance that for Public Authorities such as HEIs we may have core functions (Education, Research) for which we may process data in performance of our public task; and non-core functions (Alumni Relations and Fundraising etc). This makes us a ‘hybrid’ public authority. There is unlikely to be any formal definition of this term.

Lynsey confirmed that it is the ICO view that for most fundraising and alumni relations activities, we will be able to rely on either legitimate interest or public task as an alternative legal basis to consent for processing personal data under GDPR.

Should we choose to rely on legitimate or public interest, we will need to justify that our interests do not override the interests of our alumni and supporters. This means showing that by continuing to undertake alumni engagement and fundraising activities we are not causing distress and that our activities are within the reasonable expectations of our supporters. In practice this would be contained within a Data Policy which provided your justification for using this legal basis.

• There may be some tasks for which we cannot justify legitimate interest, and we would need to consider other grounds, i.e. consent. This may come to light during your pre-GDPR data audit activities. Consent should be reserved for those scenarios where we cannot justify that our interests do not override the interests of our alumni and supporters.

The IOF has an excellent guide which includes advice about how to conduct a balancing exercise between your interests and those of your supporters to help you decide whether consent or legitimate interest are the way to go. You can access it here.

• We need to be transparent about prospect research, use of publicly available data, and wealth screening and our Privacy Notices should be updated to reflect that we will be processing data either in our legitimate interest or in performance of public tasks. It was understood that it would not be possible to gain prior consent from somebody who had not got a previous relationship with the University, and therefore we would need to satisfy another ground for processing — which could be legitimate interest.

• Third-party wealth screening may still be possible providing it is conducted transparently and ethically against the criteria above.

• I proposed to ICO that CASE could provide assistance in drafting guidance or principles on how to conduct compliant prospect research. ICO took this offer away for consideration. If they accept this offer, we will bring a group together to develop these principles and will look to engage other sector membership bodies in this task.

We will continue to work with DCMS and ICO as they work towards implementing the GDPR next year, and will do so in partnership with UUK and the Institute of Fundraising in particular.

Don’t forget though, that this does not affect the need to gain opt-in consent for telephone and email communications under the existing Privacy and Electronic Communications Regulations — more info on which can be found here.

Planning for GDPR

Although the confirmation from DCMS and ICO that universities can process data on other grounds than just consent is a big step forwards, this doesn’t mean that there is nothing to do to prepare for GDPR. HEIs can now join our non-public authority members in thinking through the other implications. This handy guide from the ICO details some of the main changes.

You might also find this speech from the new ICO Deputy Commissioner, Rob Luke, interesting and in particular this:

Those organisations which thrive under GDPR will be those who recognise that the key feature of GDPR is to put the individual at the heart of data protection law.

Thinking first about how people want their data handled and then using those principles to underpin how you go about preparing for GDPR means you won’t go far wrong.

*ICO update on ‘will GDPR change the world event’.

Every time I am invited to talk about GDPR, this is always my take-away message: GDPR provides us with a great opportunity to refresh how we view our alumni and supporters. What is our ‘value proposition’ to them? Why should they stay in touch with us? How can we make sure we are offering a service or a product that they want? I believe that our preparations around GDPR are as much about marketing and communications as they are about data and compliance. Let’s think of our alumni as ‘members’ of an exclusive club. Let’s thinks of our non-alumni supporters as ‘friends’. How does that alter how we engage with them and ultimately how we process their data?

This will be really important when it comes to writing your Privacy Notices. These documents will become key in persuading people not to opt-out and I recommend that they are written by your comms and legal teams together. There are some good examples now starting to emerge in the charity sector:

· CRUK

· NSPCC

Events and Resources

We had an overwhelming response to the Regulation and Compliance Conference on 14th June and it is now sold out. This will not be your only opportunity to hear from the CASE community about GDPR though.

· There will be GDPR sessions at the CASE Europe Annual Conference in August. Booking is open for that here.

· The annual Development Services Conference will have a half day devoted to GDPR. That event will be in November in Manchester. You can register your interest by emailing: europe@case.org and we will contact you once registration is open.

· We are also looking into the possibility of a GDPR event aimed at Directors of Development, Heads of Alumni Relations and Directors of Marketing and Communications for the autumn. Again, please do let us know if this would be of interest.

We now have over 230 members in our GDPR and Fundraising Regulation web community and have been regularly uploading resources and content. We have also been uploading the responses we have made on behalf of the community to DCMS and ICO consultations. This is the best place to pose questions about GDPR and where you can get regular updates and news. Login here for further details.

CASE UUK Working Group

The working group continues to meet around four themes: advocacy, technology, research and consent/legitimate interest. You may remember that CASE, through the group, had decided to commission a piece of academic research from the Hartsook Centre for Sustainable Philanthropy, University of Plymouth about what our alumni’s reasonable expectations might be in how we process their data. It is an important piece of work and should hopefully give our members vital intel for your revised Data Policies.

We will be asking all members to promote the survey to your alumni (we are not contacting non-alumni at this stage) and the responses will be analysed by the Hartsook Centre. We are hoping to get the survey promotion out by the end of this month and for the results to be available by the end of August. We are very grateful to More Partnership for sponsoring this piece of work. Look out for that email asking you to send the survey link out to your alumni. The more respondents we get, the more robust the results.

Thank you to our Partners and Volunteers

I just want to take a moment to recognise and thank three of our partners: Dan Keyworth at Blackbaud Europe, Adrian Salmon at Grenzebach Glier & Associates, and Adrian Beney at More Partnership; and the members of the working group, who are giving their time and expertise as volunteers to CASE and our community. In particular Sarah Howes for chairing the group and the event on the 14th June. CASE is built on the generosity of our volunteers and we are grateful to all of you. The full membership list of the group is included on our web community.

A last mention too for our very own Kate Wallace, UK Membership Services Manager, who is doing a fabulous job of responding to your questions and supporting our members. A big thank you to her too.

Dan, Adrian S and Adrian B have each written a blog to accompany mine with their perspectives on where we are at the moment and what comes next.

“Technology should empower you to best utilise supporters’ data, not just to comply, but to deliver progressively relevant, personalised and engaging communications that reflect each person’s interests and passions, and help you serve your mission.” To read more of Dan’s blog about how technology can be an enabler, click here

“If there’s one word that has been running through all discussions on the GDPR and the new fundraising regulatory regime for the last two years, it’s been clarity. Is it necessary to go purely opt-in for any kind of communication with our constituents? Is wealth screening against the law?” To read more on Adrian Salmon’s thoughts about clarity, click here

“GDPR puts great emphasis on “privacy by design”. This means being able to show how decisions about data processing were taken. It’s a bit like being told by your ‘O’-level / GSCE maths teacher to “show your workings” To read more from Adrian Beney who has distilled two years’ of reading, thinking, debating and discussing into some bullet points, click here.

And Finally

Although it feels like it at times, supporting our members in preparing for GDPR is not the only thing we do! The CASE team are busy working across Europe supporting members and delivering incredible education programmes.

CASE Europe upcoming events are:

· CASE Europe Annual Conference taking place on the 28 August — 1 September in Birmingham. For more than 26 years the CASE Europe Annual Conference has been the place to meet with colleagues from across the globe and this year will be no different! Don’t miss out.

·CASE Education Fundraising UK Study Tour 2017 taking place on 25 October — 27 October 2017. Aimed at Vice Chancellors and academic leaders providing an opportunity to strengthen their understanding of philanthropic fundraising and alumni engagement. Visiting Nottingham University, St. Hilda’s College, Oxford and SOAS, University of London.

I’d also like to remind you that if you need some bespoke training on site to help you prepare for GDPR, or on any other topic relating to marketing, communications, fundraising, alumni relations or development services, you can book a CASE on Campus session and have an experienced practitioner from within our member community all to yourself for a day!

If you would like to discuss having your very own CASE on Campus session, please contact Fon Browndy, Head of Education and Professional Development, at fbrowndy@case.org

That’s it. I warned you it was a long one. Please do get in touch if you have any questions. We love to hear from you.

Jennie Moule, Interim Executive Director, CASE Europe