The regulatory framework for fundraising is shifting: the Fundraising Regulator has been established, the General Data Protection Regulation (GDPR) will be adopted from May 2018 and the Information Commissioner’s Office (ICO) has been scrutinising adherence to the Privacy and Electronic Communications Regulations (PECR). Understandably, this change has created anxiety.
If you’re a Director of Development, Head, Bursar or Governor at an independent school in the UK trying to make sense of it all, then I would argue that the most important things you need to know are:
The shifts in the regulatory framework concern two things: data processing and communication. GDPR concerns how you should process an individual’s data so as not to infringe on their rights; the second (PECR) sets out the permission you must obtain before communicating with an individual by telephone, email or SMS.
Importantly, GDPR is a rights-based framework; PECR is a rules-based system. Put simply, with PECR you either are – or you are not – complying with the law. In contrast, the question of whether or not you are complying with GDPR requires you explicitly to weigh your interests against those of the people whose data you wish to process. In the end someone, somewhere (the ICO, in fact, should one of your constituents complain about the way you have handled their particular data) will judge whether or not you made the right assessment.
So PECR is straightforward: you cannot direct market to me via telephone, email or SMS if I have not given you permission to do so. You must have my freely given, clear, specific, informed and unambiguous consent to communicate with me through those channels. Once I withdraw that consent, you may not use that channel to check whether I really meant it. As with the rest of life – no really does mean no. Fortunately, you may write to me by letter as much as you like: direct mail is unaffected.
GDPR requires a different mindset. It requires you to be clear and transparent about the legal basis(es) you are using to process data: to make the case. The regulation offers you a menu of nine items from which to choose in order to do so and, while specific regulations will apply to data held on children, the three most relevant to the relationship schools have with parents and alumni are:
saying that you believe what you are doing with someone’s data is in your legitimate interests;
seeking someone’s consent to do things with their data;
advising someone that you are obliged to process specific data in specific ways so as to fulfil the contract you have with them.
You are likely to need to use different grounds to cover different aspects of your relationship with a constituent. For example, thinking about a parent who is also an alumna:
you might make the case that the reason you wish to store the alumna’s marital status is in order to provide appropriate pastoral care and therefore in fulfilment of your contractual obligation to educate her daughter.
equally you might ALSO make the case that a strong and flourishing community is in the legitimate interests of the organisation. As such, you actively seek the support of current parents, former staff, former pupils and friends in a number of ways: 1) with their time, through careers talks and volunteering to staff the lost property box; 2) with their skills, through becoming Governors or giving us their professional advice; 3) with donations, which enable you to advance your ambitions more than you could with fees alone. You therefore undertake research on community members in order 1) to understand better who might have the time, the talent and/or financial capacity to make a difference to our community, 2) to minimise the risk of causing offence, and 3) to tailor the approach you make. As such, you believe it is in your legitimate interest to collect and store the alumna’s job title, place of work and contact details.
When the purpose for which you wish to use an individual piece of data changes, you will need to seek explicit consent to do so.
It therefore stands to reason that to minimise complexity, IT expenditure and the risk of offices drowning under administrative burden, a sensible organisation-wide data protection policy will make as strong a case as it possibly can for the majority of community-focussed activities to take place under legitimate interest.
Which is why I wonder whether we might not fall in love with GDPR? For the first time, we’re being asked to be clear about the reasons we do what we do; clear about why “development” and “advancement” exist; clear that it isn’t grubby or underhand; clear that advancing education and strengthening communities is a hugely noble ambition to have. All because of a little bit of red tape. Red...the colour of love.
This blog was originally published by CASE Europe.