This website uses cookies for anonymised analytics and for account authentication. See our privacy and cookies policies for more information.





The voice of Scotland’s vibrant voluntary sector

Published by Scottish Council for Voluntary Organisations

TFN is published by the Scottish Council for Voluntary Organisations, Mansfield Traquair Centre, 15 Mansfield Place, Edinburgh, EH3 6BB. The Scottish Council for Voluntary Organisations (SCVO) is a Scottish Charitable Incorporated Organisation. Registration number SC003558.

Charities need a viable plan to ensure GDPR-compliant marketing - part 1

This opinion piece is over 6 years old
 

Nimarta Cheema of Lindsays with the first part of a two part look at how charities can prepare for GDPR

Marketing is a crucial element to many charities’ operations - it can help to raise your charity’s profile, engage with your audience and attract donations.

Lots of marketing activities use information about individuals (including names, addresses and email addresses) and so must be carried out in compliance with data protection laws.

Consequently, four letters are currently raising concerns for many charities and charity trustees - GDPR, short for the General Data Protection Regulation.

Nimarta Cheema

Four letters are currently raising concerns for many charities and charity trustees - GDPR

Nimarta Cheema

The GDPR is an overhaul of the law on how organisations (including charities) gather, process and use information about individuals, known as personal data. The stories about the stringent penalties under the new rules have become overblown and so, for many charities, the level of panic surrounding the new rules is an over-reaction.

Even so, the new data protection regime is a significant issue for charities of all sizes and one which must be taken seriously. Even if you comply with current data protection rules, the new rules will almost certainly require you to adapt your practices.

You will have to carefully consider the effect the changes will have on personal data which you already hold, not just new information you gather after the GDPR takes effect in May 2018.

In these articles (part two will be published next week), we offer some guidance and practical tips to ensure your marketing activities comply with the new rules.

Consent

For most marketing activities, you must have the consent of the individual you are contacting. One major change under the GDPR is to how this consent to hold and use personal data is obtained.

Consent has to be freely given, specific, informed, properly documented and easy to withdraw. This new definition creates a higher bar than the current rules and has many practical implications.

For example, if someone consents to one type of email communication - say, details about a one-off event - this does not give you free rein to send them other communications. The consent in this example would not be sufficient to allow you to also add that person to your mailing list for your monthly newsletter.

The new definition also means that it will no longer be acceptable to use pre-ticked consent boxes on websites or apps. The presumption will be that individuals will have to opt in rather than opt out.

Furthermore, consent needs to be documented and stored in a way that you can demonstrate compliance with the new rules. This also allows you to be able to act quickly and effectively if you receive a request from an individual who wishes to withdraw consent.

The change to the definition of consent is significant and will impose additional operational burdens on charities to ensure adequate processes are in place.

As a practical example, say a local children's charity produces a regular newsletter containing information about its work and to promote upcoming fundraising events. The charity only sends the newsletter to people who have signed up for it via their website. Does the charity's procedure for obtaining consent meet the new requirements under the GDPR?

By asking the recipients to sign up for the newsletter, the charity is asking recipients for their freely given, specific consent.

However, it is important that the website form requires the recipients to actively opt-in and that it is clear what they are signing up for.

The charity will also need to put in place a privacy policy which clearly sets out how the recipients’ information will be used and how they can withdraw their consent if they choose to do so.

Charities should take advice on whether they need to re-approach all their existing supporters to seek new consent.

Nimarta Cheema is a solicitor at Lindsays.