Many of Factary’s clients and colleagues have been in touch with us recently voicing their concerns, frustrations and confusion over recent news regarding the use of personal data in fundraising and prospect research. It’s not surprising that there is confusion; this year has seen a whirlwind of news and opinion from various regulatory bodies, some of it conflicting.
Our clients have asked if we can provide some clarity – this is a tall order right now as the situation is not completely clear and evolving more-or-less by the day, but below we have outlined recent events, the current situation and news on what is happening over the next few months.
The current situation – how did we get here?
As we know, 2015 was a challenging year for fundraising and charities in the UK. Negative press reports regarding certain fundraising practices ultimately resulted in a review of all fundraising and the publication of the Etherington Review in September 2015, which outlined recommendations for the future of fundraising.
Recommendations in the Etherington Review included that a new Fundraising Regulator be established (to set and promote standards for fundraising practice) and a ‘Fundraising Preference Service’ (FPS) be launched. The Fundraising Regulator launched in July 2016 and is in the process of setting up the FPS so that “individuals only get the fundraising communications they want and need”.
Whether or not people feel the FPS is necessary (alongside the MPS, the TPS and PECR), the decision has been made and the Regulator is aiming to launch it sometime in 2017. The official consultation period on the FPS has passed but the proposal papers can be viewed here.
The Etherington Review also worked closely with the ICO in developing the recommendations. It was outlined in the Review that the ICO had not been communicated with sufficiently in the past by either the Institute of Fundraising or the (now defunct) Fundraising Standards Board and that a stronger relationship between the new Regulator and the ICO should be established.
The upshot of this is that the ICO turned its attention to the non-profit sector and began reviewing if and/or how charities were adhering to the Data Protection Act (DPA) and PECR through fundraising practices such as direct marketing, telephone fundraising and electronic communications.
The general issue of consent
The ICO have been in attendance at many fundraising conferences, seminars and events this year, usually alongside representatives from the Regulator. The ICO have outlined their concerns over how well (or otherwise) non-profits have been adhering to the DPA, with a particular focus on the apparent lack of evidence around ‘consent’ for non-profits to use the personal data of their supporters. This is not just about obtaining consent from supporters for non-profits to hold personal data on a database but also about obtaining consent for how the data is then used for marketing, fundraising and, importantly for us, in prospect research.
The issue of gaining consent is simultaneously very clear and also incredibly complex. On the one hand, it is straightforward because there is universal agreement in the sector that supporters and donors should have proper control over their data, be able to communicate preferences to their chosen charities and have those preferences acted upon. The complexity comes with how and to what extent non-profits are expected to communicate with current and future supporters to gain consent for the use of personal data.
With the looming presence of the GDPR, scheduled to come into force in May 2018, the issue of consent becomes even more important (that said, to what extent the current format of the GDPR will be implemented is Brexit-dependent, so even this is unclear).
Current guidance on consent – where can you go for help?
There are several documents detailing regulations and guidance from the ICO in relation to consent and data protection:
- The ICO’s new Data Code of Practice (launched on 7th October) sets out how organisations should explain they are using personal information
- Also, see their guidance on privacy statements, including examples of good and bad practice
- There are also guidelines on marketing and PECR which have been updated slightly to address some of the specific needs of non-profits
- The ICO also has a GDPR preparation document ‘12 steps to take now to prepare for GDPR‘
Unfortunately, whilst useful, these aren’t hugely specific to the non-profit sector and only go some way towards clarifying the situation.
Helpfully, there are some other places where we can gain more clarity:
- The Fundraising Regulator will be translating the ICO regulations and issuing some guidance on the consents that charities should obtain, sometime in the autumn/winter of 2016 (so, very soon).
- In February 2017, the Regulator will also be starting a 3-month consultation period on updates/changes to the Code of Fundraising Practice, which will include reviewing guidance on data protection and consent (this is according to Head of Policy, Gerald Oppenheimer, speaking at the CASE Development Services conference in October 2016). Keep an eye on the Regulator’s website and Twitter feed and try to make sure you are a part of the consultation next year. The Code will potentially have a huge impact on fundraising practice – including prospect research – so try to make sure you and the organisations you work for have a say on the development and changes.
- The NCVO have produced a report ‘Charities relationships with donors; a vision for a better future’. This report contains sample statements showing how non-profits can obtain consent to use personal data and it will inform the Regulator’s development of guidelines for the Code of Fundraising Practice. It is worth noting that these guidelines conflict with the ICO’s recent statements around how consent for prospect research should be obtained (see below).
- CASE are also in the process of writing guidelines on consent for education institutions. These will be available on 25th January 2017. These guidelines will contain example privacy policies and sample donor communications, hopefully also including information on prospect research. Whilst the guidelines will inevitably be steered towards alumni databases and communications, they will no doubt be helpful to all non-profits, so they’ll be worth looking out for. Keep an eye on the CASE Twitter feed for more information.
But what does this all mean for prospect research?
All the guidance and regulation noted above is (or probably will be) quite broad, relating to consent for all forms of fundraising/marketing – but the ICO review process has also had some interesting consequences for those of us working in prospect research and, by extension, major donor fundraising.
Throughout the course of 2016, a representative of the ICO has stated at various events that non-profits will not only need to obtain consent to use personal data for fundraising/marketing but also for all forms of prospect research. This could mean that consent will need to be obtained for each part of the research process (e.g. data screening, segmentation, data modelling, appending wealth, profiling etc.). Additionally, the ICO have outlined that this isn’t just about gaining consent to use the personal data given when a supporter, for example, makes a donation, but also for any data pertaining to the person in the public domain; so, in practice, this might mean obtaining consent from individual supporters to access their details on Companies House or other common research sources.
There are clearly numerous concerns with this.
The main problem is that, as this has been a relatively fast moving situation, there is currently very little guidance on how non-profits should go about incorporating prospect research consent into their privacy policies, consent forms or fundraising communications. Nor has then been any clarity on how explicit the consent will need to be. Our view is that it is unworkable to expect supporters to give separate consent to each and every fundraising, marketing and research option that they may be presented with.
Also, on a practical note, in this post on the GDPR, Christian Propper at Graham Pelton Consultants asks two pertinent questions:
- How can we ask for consent for database screening, profiling and other research techniques in a way that doesn’t unduly worry supporters?
- How can non-profits future-proof their current consent/privacy statements to encompass research practices they may adopt in the future (but might not yet even know about)?
In short, how can prospect research ensure it is on the right side of regulation whilst also being able to continue contributing to fundraising in all its myriad, wonderful ways? The short answer right now is that, unfortunately, there is no clear guidance on this. All we know is that (as outlined above) the Regulator is working on best practice guidelines on consent which we assume will include consent for prospect research.
There are a few papers/articles that might be helpful to review around this issue;
- The NCVO report, mentioned above, which can be downloaded here, is useful to read if only from the point of view that the ‘best practice’ sample statements on consent only mention research in passing and certainly not to the extent that the ICO has suggested is necessary, e.g. ‘We may from time to time use your data for profiling, targeting and research purposes so that our communications to you are as appropriate and cost effective as possible’ . It will be interesting to see if this approach is adopted by the Regulator when they bring out their official guidance.
- The team at the Commission on the Donor Experience are working on a project around ‘giving choices and managing preferences’. Ken Burnett from the Commission wrote this article in which he outlines a practical way to ensure ‘continuous donor choice’. This step-by-step guide could easily be modified to include information on prospect research and is one sensible option for communicating with supporters. The Commission is working with the Regulator so something akin to this approach may be adopted in the guidelines for the Code of Practice.
- Adrian Beney at More Partnership produced an excellent briefing paper on ‘More Partnership briefing for NCVO on Wealth Screening and Profiling’ earlier this year in response to the initial draft report from the NCVO. The paper puts prospect research into context and questions some of the ICO’s opinions on how data is used in fundraising and the types of consents non-profits should reasonably be expected to ask for. If your role encompasses prospect research this paper would be an excellent reference guide to understanding ICO regulations and prospect research.
So, what should I do now?
Our advice would be, first of all, not to panic about the conflicting news and opinion you may have heard. If you feel there are possibly areas where your organisation needs to improve communications around consent to use personal data then, alongside your day job, you could perhaps:
- look into the consent options, donor communications, privacy policies and data processes that are in place in your organisation, alongside reviewing the ICO documents for direct marketing and PECR (links above)
- consider undertaking a ‘privacy impact assessment’ to highlight areas your organisation may falling short on data protection
- ensure you are a part of the Fundraising Regulator’s consultation process in 2017; the more involved we all are, the more likely that the guidelines will be workable for us
- attend the Researchers in Fundraising conference in November 2016 – a representative from the ICO is speaking on the topic of data protection and consent
- support the Researchers in Fundraising ‘data protection working group’, who are working with the ICO and the Fundraising Regulator to ensure prospect research is part of the conversation – keep an eye on the RiF news webpage and Twitter feed for developments on this
Also, keep an eye on Factary’s Twitter feed or let me know if you’d like to join our mailing list to be kept informed of any further news or announcements relating to this topic. We’re keeping a close eye on developments and would be happy to disseminate information.
And finally; remember that prospect research has an enormously positive role to play in fundraising. We need to keep in mind that our work is of tremendous consequence. So, when it comes to drafting future communications / privacy policies with supporters, please keep in mind this excellent Tweet from Adrian Beney at More Partnership wherein he encourages us to, “Tell people what you’re doing. Be honest. And open. And unashamed of what we do to help create a better world.”
If you’d like to discuss any of this in more detail or if you are concerned about consent or data protection, please contact me firstname.lastname@example.org.