Val Surgenor says the new General Data Protection Regulation (GDPR), which will apply from 25 May 2018, will affect how charities work with fundraising agents
Under the GDPR, your charity will have continued responsibility for how third-party fundraising agents deal with the personal information of your supporters and donors and, from a data protection perspective at least, you will need to think about:
- How you appoint agents i.e. a contract
- How you monitor their fundraising activities i.e. asking for updates and asking questions (sometimes difficult ones)
- The ongoing nature of your relationship with agents.
Appointment of fundraising agents – who, what and how?
Critical to the appointment of your fundraising third parties will be what guarantees they can give your charity in relation to compliance with data protection laws. While this is true now, it is of paramount importance under the GDPR. The GDPR not only requires that you appoint fundraising agents under a written contract but also specifies what that contract should say, for example the duration, nature and purpose of using supporters' and donors' information (and the types of information that will be used).
It should also state that the fundraising agent, to name but a few:
- acts only on your “documented” instructions
- keeps information confidential and secure
- implements procedures to help you uphold the rights of supporters
- needs your prior written consent to sub-contract its services
- will return or destroy (as you may decide) supporters' personal data at the end of your relationship
- will provide you with all information necessary to show you are GDPR compliant.
This is all in your favour, but your charity will only benefit from it if you can be sure that the agent is carrying out its obligations effectively – consider how you would review this.
You can’t delegate your responsibility for data
Just because your charity can appoint someone to deal with your data doesn’t mean you can transfer your obligation to protect that data. Under the GDPR, you are responsible for how fundraising agents deal with data and you need to maintain a record of that data use. Think now how you would monitor and record the activities of fundraising agents when they act on your behalf – it will be up to you to ensure their ongoing compliance with the GDPR.
Joint responsibility
If you campaign with other charities or fundraising agents and you all have a say in how the personal information of supporters is used then you are likely to be deemed “joint controllers” under the GDPR.
Under the GDPR joint controllers must have an arrangement which apportions responsibility for data protection and supporters must be given a summary of the arrangement - to do this, you need to know when you are in joint controllership!
Despite what the arrangement may say, supporters can enforce their rights against any joint controller.
Under the GDPR, fundraising agents will have data protection responsibilities for the first time. This may blur the lines somewhat between your role and their role and could mean that your relationship becomes one of joint controllership over time. So be aware.
How can you prepare?
Review your existing contracts with fundraising agents.
Consider how you will monitor your fundraising agents’ activities to ensure they are compliant under the contract and the GDPR.
Think about how you will monitor the ongoing nature of your relationship with fundraising agents.
Val Surgenor is a partner at MacRoberts LLP. Its team of data protection specialists can provide expertise and advice to charities wishing to adopt a proactive approach to compliance preparation.