One of the biggest GDPR questions for fundraisers relates to researching major donors and what constitutes an invasion of privacy. Andrew Cross at Lightful explains how GDPR will affect current practices.
What is prospect research?
Prospect research is a technique used by organisations to learn more about an individual. For non-profits, it covers potential or existing donors' personal backgrounds, combined with areas of interest such as their charity giving history, wealth indicators (registered companies, company shares, etc.) and philanthropic involvement.
The individual might then be scored based on their capacity and propensity to give as well as their affinity towards the cause.
A lot of information is publicly available so how is it breaching data protection?
Some information that is gathered from the public domain could still be considered personal data. Let’s look at gathering this from two aspects:
Gathering data on existing supporters should be addressed by having a Fair Processing Notice (FPN) along the lines of the following:
Potential or new donors
Let’s say you have found a potential donor from the Sunday Times 100 Rich List and you then gather additional information around their charitable giving to assess their affinity to give to your cause.
Under current laws, you would need to possess consent to contact them by text, phone or email (Privacy Electronic Communication Regulation, PECR, 2003). Therefore, the only way to make contact is to write to them.
You will also need to explain that you have their details on your system and will either:
- Delete it (upon not gaining consent). This will need to tie in with your Data Retention Policies.
- Suppress it (upon not gaining consent, if they don’t want to hear from you again).
- Enact their communication wishes based on the reply to the initial contact.
It would be more commonplace here to rely on legitimate interests to process the data, as it could be seen as a 'Reasonable Expectation' that some of the public information is being processed by entities that would be interested in the individual. Again, on that first point of contact you will need to explain what those legitimate interests are.
While there is no guide to what would constitute 'Reasonable' expectations from the individual aside from case law precedent, you must tread carefully when approaching them, especially for the first time. You must also treat their data as you would that of any other supporter on your system. Any evidence you can obtain could be used to argue why you are processing their data under the legitimate interests area.
Under no circumstances should you process any 'Special Categories' of data as this would pose additional complications and consent would be needed. These would include any of the following:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data for the purpose of uniquely identifying a natural person
- Data concerning health
- Data concerning a natural person’s sex life or sexual orientation
After the first point of contact, and once consent has been gained from the individual, you have ascertained that they wish to hear from your charity and you can then communicate with them by the methods that they have consented to.
How do we re-contact donors to obtain opt-in consent?
If you are planning to wealth screen or tag additional metrics to additional supporters, you will need to contact these supporters and let them know how their data is now going to be processed, thereby giving them the choice to opt out of this exercise.
What about processing B2B Data?
Some B2B data could be considered personal data as opposed to business data. This applies to organisations that are partnerships or sole traders. The new rules around either consent or legitimate interests would need to be followed.
An individual email address at another organisation could also be considered personal data, as you could identify an individual from an address that is (first name) dot (surname), for example. However, you can process these individuals in the same way as you would generic business data like sales@Lightful.com, as long as you provide an opt-out at the point of initial contact and in any subsequent contact.
Essentially, the GDPR only changes the ways in which you would process the Sole Trader/Partnership data and go on to contact them, though it is still too soon to see how the new E-Privacy Directive (the replacement to PECR) will affect the above.
Prospect research is still very much a grey area, affecting not only charities but also other institutions such as higher education and research organisations, so there is not an abundance of guidance out there for this particular area of concern.
GDPR comes into force on 25 May 2018. If you’ve not started yet on the road to compliance, it’s not too late. Previous posts in our GDPR series can be found here:
- What is GDPR and how will it affect my charity? (Guest post)
- GDPR: What does it mean for your charity?
- GDPR: An explanation of data retention and why it is important for charities
- GDPR & Data Governance – who is responsible for your data?
The above article offers general advice, based on our understanding of facts and guidance issued to date by various bodies. It in no way, shape or form constitutes legal advice.