Opt in, opt out, shake it all about?

This blog has been written by Hempsons - Leading Health and Social Care Lawyers


Charities have had something of a bumpy ride lately… and the bad news is that it’s not over yet. On top of increasing scrutiny of fundraising carried out by charities, data protection law and the Information Commissioner has now come to the fore with some big-name charities fined for data protection breaches. To top everything off, the new General Data Protection Regulations (GDPR) will be law by the end of May 2018 and this will have an impact on charities and social enterprises alike.


Although the data protection and charities has mainly hit the headlines in the context of fundraising and use of donors’ details, it is important to understand that data protection law and the new GDPR affects all personal data held by charities even those who do little or no fundraising.


It is also important to understand that this isn’t just an issue for charities – whilst non-charity social enterprises are unlikely to have the same issues on fundraising, the new GDPR will affect social enterprises too.


Such data might include members’ details and information about staff and volunteers as well as that about donors. With the GDPR introducing even bigger penalties than have been seen to date, it is important for all charities and social enterprises to get their heads round what is on the horizon and to plan accordingly.


In this piece, we answer a number of key questions and help you plan for the future.


1. How will our lives change with GDPR?

  • You may need to appoint a Data Protection Officer (DPO). If your core activities involve regular or systematic monitoring on a large scale, or processing special categories of data e.g. medical information. Their role is to inform, advise and monitor compliance. More guidance is awaited from the ICO on requirements
  • You will have to be in a position to demonstrate compliance with Accountability Principles. This means you will need to keep detailed records that may need to be presented to the regulator on request; building in evidence of your data protection compliance throughout your processes and implementing appropriate technical / organisations measures to ensure and demonstrate compliance – i.e. policies and procedures


2. Opt in or opt out: what’s the position?

  • Opt in is now the only way forward. Consent must be freely given. Silence, pre-ticked boxes on forms or inactivity is not acceptable. An individual must give a statement of clear affirmative action

3. What about personal data that we already hold, such as members’ or donors’ information?

  • You need to review what information you hold
  • You need to secure consent from members – either at the time of joining or on renewal
  • Anyone whose data you hold needs to know why you hold their data and what you’re going to use it for


4. Do people have to consent to everything we do with their data?

  • Yes.
  • Individuals rights will increase under the GDPR
  • Data must only be used for the purposes for which the individual has given consent
  • Individuals must have the ability to easily ask you to delete their data

5. What could happen if we get it wrong?

  • You could be inspected by the ICO
  • You could be fined. Maximum fines of €20m or 4% of turnover
  • You could suffer significant reputational damage


As can be seen from the above, data protection is a complicated business and the cost of getting it wrong, both in monetary penalties from the Information Commissioner and perhaps more importantly, reputational damage, could be high.


It can really pay dividends to check out key documents like consent forms, and fundraising materials if applicable, to ensure compatibility with your stated privacy policy, and take care that those actually at the coalface of fundraising (both staff and volunteers) are properly trained.


If you get these things in order, and keep them that way, then (for fundraising charities) the combination of new fundraising law and practice and the interface with the GDPR and (for all charities and social enterprises) the GDPR won’t end up being as bad as it may seem.


If you don’t, then you could end up being led a merry dance.