
The Charities Property Association The impact of the GDPR - PowerPoint PPT Presentation



  1. The Charities’ Property Association The impact of the GDPR (including its effect on your direct marketing and fundraising activities) Mark Harvey, Consultant Jonathan McDonald, Senior Associate charlesrussellspeechlys.com

  2. Introduction

  3. What we’ll cover • The data protection regulatory landscape • Main changes under the GDPR • Changes relating to direct marketing and fundraising • GDPR compliance strategy

  4. What will the regulatory landscape look like? • GDPR – 25 May 2018 • E-Privacy Regulation (repealing the E-Privacy Directive) – planned date for implementation still 25 May 2018 • Data Protection Bill (Queen’s speech) – the GDPR renamed?

  5. What regulatory guidance has been published? • Article 29 WP: • Guidelines on data portability • Guidelines on data protection officers • Guidelines on identifying a controller or processor’s lead supervisory authority • Draft guidelines on Data Protection Impact Assessments • ICO: • Preparing for the GDPR: 12 steps to take now • Overview of the GDPR • Privacy notices code of practice (short section on GDPR) • Draft consent guidance for public consultation

  6. The main changes under the GDPR • Extra-territorial applicability (and the one-stop shop) • Breach notification • Data Protection Officers • Sanctions for non-compliance • Accountability • Appointing a data processor • Impact on direct marketing and fundraising

  7. Accountability “Arguably the biggest change is around accountability. The new legislation creates an onus on companies to understand the risks that they create for others, and to mitigate those risks. It’s about moving away from seeing the law as a box ticking exercise, and instead to work on a framework that can be used to build a culture of privacy that pervades an entire organisation” Elizabeth Denham, Jan 2017 • A specific obligation on data controllers (although also impacts data processors) • Practical implications: • Data protection by design and default • Record keeping • Data Protection Impact Assessments

  8. Appointing a data processor… Issues to consider: • Due diligence of processors • Specific processing terms set out in the GDPR need to be incorporated in any written agreements between data controllers and data processors • Negotiating processor agreements when the stakes are raised Practical implications: • Review of template standard terms • Review of pre-2018 contracts • Dealing with third party ‘GDPR-ready’ patches

  9. Impact on direct marketing and fundraising • No GDPR definition of direct marketing • DPA definition still workable (and very broad): “the communication (by whatever means) of any advertising or marketing material which is directed to particular individuals”. • Covers the promotion of aims and ideals as well as the sale of products and services, i.e. includes not-for-profit organisations (e.g. charities). • Fundraising – specific requirements in the new Charities (Protection and Social Investment) Act 2016.

  10. Fundraising and the bigger picture Methods of fundraising are currently highlighted in the media and with the general public – intensified scrutiny. Concerns to raise standards in fundraising. Specific requirements in the new Charities (Protection and Social Investment) Act 2016. A number of new provisions relating specifically to: • Information provided in agreements as part of some charities’ annual reports • Reserve powers to introduce statutory regulation

  11. Fundraising (contd.) The new Act requires that fundraising agreements now include the following clauses: • Details of any voluntary fundraising scheme or standard that the commercial organisation undertakes to be bound by • Details of how the commercial organisation will protect vulnerable people and others from unreasonable intrusion on a person’s privacy, unreasonably persistent fundraising and undue pressure to donate • Details of arrangements enabling the charity to monitor compliance with the requirements in the agreement

  12. Grounds for direct marketing Article 6 [of the GDPR] Lawfulness of processing 1. Processing shall be lawful only if and to the extent that at least one of the following applies: (a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; […] (f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.

  13. Legitimate interest • “…what changes with GDPR is a shift in focus. The new legislation creates an onus on companies to understand the risks that they create for others, and to mitigate those risks. It’s about moving away from seeing the law as a box ticking exercise, and instead pushes you to build a culture of privacy that pervades your entire organisation.” Elizabeth Denham's speech at the DMA Annual Conference 24 February 2017 • Conduct the balancing test (and document it) • Article 29 Working Party ‘Opinion 06/2014 on the notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC’

  14. Consent

  15. Consent, the Fundraising Regulator and the Charity Code The Fundraising Regulator acquired the “code of conduct” from the Institute of Fundraising. Consultation on change to the Code of Fundraising Practice. This consultation has dealt with “current and pressing issues and concerns” in the following areas: a) Charity trustees’ duties to oversee the fundraising activities of their charity b) The fundraising ask c) Solicitation statements d) Raising concerns about fundraising practice (whistleblowing) e) People in vulnerable circumstances f) The delivery of charity collection bags g) How charities oversee their contracts with third party fundraisers. Has an impact on the use of data and how it relates to owners

  16. Fundraising Preference Service This will enable individuals to select charities they no longer wish to receive communications from. Intention for this to come into operation in spring or early summer 2017. Fundraising Regulator guidance document issued entitled “Personal Information and Fundraising Consent, Purpose and Transparency”. Recommended only communicating with individuals who have “opted in”. Communications should include a mechanism to withdraw consent easily at any time. Data should be obtained “fairly and lawfully”.

  17. Electronic marketing • “Any form of advertising, whether written or oral, sent to one or more identified or identifiable end-users of electronic communications services, including the use of automated calling and communication systems with or without human interaction, electronic mail, SMS, etc.” • New draft e-Privacy Regulation (also May 2018?) • GDPR consent is your only ground (Art 16(1)) • The ‘soft opt-in’ remains “in the context of the sale of a product or a service” (Art 16(2))

  18. Making sense of it all… Communication: • Wider GDPR processing will apply if personal data processed • Awareness of recipients’ circumstances [Diagram: Communication]

  19. Making sense of it all… Communication: • Wider GDPR processing will apply if personal data processed • Awareness of recipients’ circumstances Direct marketing communication: • Communication + • Consent or legitimate interest • Always include opt-out • The fundraising ask [Diagram: Communication; Direct marketing communication]

  20. Making sense of it all… Direct marketing communication: • Communication + • Consent or legitimate interest • Always include opt-out • The fundraising ask Electronic direct marketing communication: • Direct marketing rules + • Consent only (no legit interests) • Rules for SMS, auto-tel calls and tel calls • Particularly, fundraising preference service [Diagram: Communication; Direct marketing communication; Electronic direct marketing communication (Email, SMS, Auto-tel call, Tel call)]

  21. Making sense of it all… Electronic direct marketing communication: • Direct marketing rules + • Consent only (no legit interests) • Rules for SMS, auto-tel calls and tel calls • Particularly, fundraising preference service Soft opt-in: • Electronic direct marketing rules for email + • Where a commercial communication – • Soft opt-in allowed for previous customers (commercial arm?) [Diagram: Communication; Direct marketing communication; Electronic direct marketing communication (Email, SMS, Soft opt-in, Auto-tel call, Tel call)]
