The road to GDPR for prospect research

We recently undertook a survey of prospect research teams in the UK to find out how they are coping with GDPR preparations. We’d like to thank each of the 95 respondents – your answers have given us a real sense of the current situation for the prospect research community as we all work towards May 2018.

We thought it might be useful to share some of the responses as we know that many prospect researchers are struggling with GDPR and it may help to know that you are not alone! That said, it’s not all doom and gloom out there, as the answers to the survey reflect, and there are many positives that we can take from the results.

First, the not-so-good news

Perhaps unsurprisingly, the overwhelming feeling from most of our respondents (77%) is that there is still a lack of clarity around GDPR – specifically around how prospect research can operate in a compliant fashion within the principles of GDPR.

There are also concerns with the practical aspects of GDPR preparation; over 34% of respondents would like more information on undertaking a privacy impact assessment and 38% of respondents are struggling with understanding how to integrate GDPR practices with their CRM system.

Frustratingly, almost 35% of prospect researchers reported that they have not been involved in the GDPR discussions at all in their organisations so they feel they have been unable to provide valuable input to the process.

Some of the other concerns highlighted by our survey are:

  • Misinformation or conflicting advice on GDPR issues is very confusing and unhelpful when it comes to planning
  • The lack of evidence that supports the need for prospect research which can be used to argue the case for continued prospect research with senior leadership
  • The difficulty of understanding and analysing donors’ reasonable expectations
  • The lack of support from leadership within organisations in preparing for GDPR, and the lack of communication between teams on this issue
  • The potential impact of GDPR on smaller organisations is worrying as they may not be able to fully prepare in time for May 2018 due to a lack of resources
  • PECR seems to be a particular concern for many, especially when it comes to consent for channels of communication and how this integrates with GDPR requirements
  • The overwhelming workload and resources required to prepare for GDPR

All that said, it wasn’t all bad news…

Readiness for GDPR

Whilst only 2% of respondents stated that they are ‘completely ready’ for GDPR, the vast majority of respondents, 91%, stated that, for prospect research at least, their organisations are ‘not quite ready, but getting there’. Only 4% of respondents felt that they are ‘not at all’ ready.

Consent or Legitimate Interest?

Most interesting to note from the results was that 54% of respondents stated that their organisation will be relying on legitimate interests as their basis to process data for prospect research purposes.

Only 3% noted that they will be relying on consent as their basis for processing whilst almost 35% of respondents stated their organisations were not yet to make a decision on this.

Privacy Notices

Only 16% of respondents felt that writing privacy notices / policies was an area of concern for their organisations – this is perhaps due in part to the specific guidance that does exist in this area.

Hearteningly, over 63% of organisations have updated their privacy notice to be GDPR compliant. Just over 26% have not yet done this, and 10% of respondents were not sure on the state of their organisation’s privacy notice.

Of the 63% which have updated their notice, over half (58%) have now uploaded this to their website. Only 14% have taken the step to post or email this updated notice to their supporters but this number will inevitably grow at a pace as we work towards May 2018.

Impact on prospect research activity

We also wanted to find out whether researchers have been able to continue providing prospect research services in recent months as the answer to this may help us to understand the likely long-term impact of the ICO fines and GDPR preparation.

The results below show the 5 main areas of prospect research activity and the % of respondents who stated they have either a) stopped doing this activity altogether, b) paused this activity whilst they prepare for GDPR, c) have continued to do this activity or, d) were unable to answer or didn’t do this activity in the first place.

Type of research Stopped Paused Continuing D/K or N/A
Database (Wealth) Screening 31% 41% 7% 21%
Individual research/profiling 4% 21% 68% 7%
New prospects identification 4% 18% 69% 9%
Due diligence research 1% 3% 78% 18%
Network research 4% 13% 57% 25%

We have followed up specifically with those individuals who stated they have ‘stopped’ or ‘paused’ Database Screening to obtain more details on these decisions, and we will be able to provide more insight into this at our session with Prospecting for Gold at the RiF Conference on November 6th. For those unable to be at the conference we will follow up with a blog about this shortly afterwards.

For now, it is heartening to see that, aside from Screening, the majority of prospect research activities have continued, although some have fared better than others.

Due diligence in particular seems to have continued, with only 1% of respondents stopping this activity and 3% pausing it. Individual research (i.e. profiling), which was previously undertaken by over 92% of respondents, has stopped or paused in a quarter of organisations as GDPR preparation is undertaken.

Network research was highlighted in the open questions as a particular area of concern, with many unclear how to balance GDPR requirements with the need to identify relevant contacts of key supporters, although of the 50% of respondents who previously undertook this type of research, 86% are continuing to do so, so it is unclear how much this has been affected in reality.

It will be interesting to review the long-term consequences of organisations stopping or pausing these activities as we look in particular at major donor income in 2018 and beyond. Many respondents in the open questions highlighted their concerns that their particular organisations and institutions are losing opportunities to identify and engage potential supporters for fundraising during the process of preparing for GDPR.

The future

Whilst this is a worrying time, there was a view from many respondents that GDPR will ultimately have a positive impact on prospect research…in the end.

This is because despite being, as one respondent put it, “painful”, four of the main benefits highlighted were:

  • GDPR will help to promote prospect research within organisations and institutions (as one respondent put it, “We are no longer a dark art!”)
  • It will make prospect research more efficient and effective
  • The process will educate supporters, donors and the public in how non-profits operate/fundraise, which is a good and positive thing
  • The situation so far has shown researchers to be resilient – working hard and standing up for themselves and the sector

So, the future seems bright but, in the present, if you are one of the many researchers who would like more clarity on specific issues, we know that the IoF are working to produce some specific GDPR guidance for prospect research. We don’t yet know when this will be available, but it will hopefully provide some much needed insight into how we can better prepare for GDPR.

Whilst you wait for that, you may want to download our paper on legitimate interests and prospect research, as it signposts to other useful pieces of guidance and gives a basic overview of the GDPR situation.

If you’d like more details on the survey or would like to chat about prospect research and/or GDPR, please do get in touch with me.

Prospect Research and Legitimate Interests

Something quite remarkable happened a few weeks ago. I went to a conference on GDPR (the CASE Regulation and Compliance Conference) and, by the end of the day, I was actually feeling upbeat, hopeful and – even – vaguely excited about the future of prospect research. This was not at all how I was expecting to feel after a GDPR conference, based on the countless other GDPR conferences and events that I have attended over the past 18 months which have mostly left me feeling a mixture of despondency and frustration.

So, why the sudden shift? Well, a few things. Firstly, the brilliant presentations were, for the first time, practical, focusing on what people are working on and achieving as they build towards compliancy for GDPR. To be at a GDPR event which was about positive action in regards to things like privacy notices or data analysis, and not just about all the things we can’t or mustn’t do, felt like progress.

Secondly, there was a real focus on analysing the ‘legitimate interest’ condition for processing data for prospect research. This is a huge step forwards. For too long now ‘legitimate interest’ has been viewed as a second-best option, a condition for processing that non-profits can maybe use, which is kind of OK, but probably just not quite as good or as ‘safe’ as consent. Obviously, this is due in no small part to the Regulator and ICO’s view that non-profits should probably get consent for wealth screening (by which they seem to imply most forms of prospect research). Alongside this, as Adrian Salmon’s recent blogpost highlights, one of the problems of principles’ based regulation is that, whilst it should encourage flexibility, it tends to lead to a “very conservative compliance mind-set”. So, it was great to see the all the relevant conditions for processing being analysed in an informed and practical way at the conference.

And lastly, many Higher Education Institutions (HEIs) are actively choosing legitimate interests (after careful analysis) as their condition for processing data for prospect research. This is another good, positive step.

All that said…

There is still confusion and misinformation. In the past two weeks alone I have received a number of emails from researchers who are still asking if wealth screening is illegal or if they need to get consent from all their donors before doing research. I also speak to many organisations that have suspended some or all forms of prospect research whilst they try to work out their next steps. Occasionally, I speak to smaller charities who have no idea that any of this is even happening.

So, despite great advances in the HE sector and with some charities, it is clear that there is still a long way to go for prospect research before we reach May 2018, when GDPR becomes law.

The main aspect which seems to be paralysing many organisations is the question of whether to rely on consent or legitimate interests as the condition for processing for prospect research. Many researchers have been tasked with coming up with a plan for assessing this and making recommendations, which is a tall order. Much has already been written about consent (see, for example, The Fundraising Regulator’s Guidance on Consent) and we thought, therefore, that it might be useful to add some thoughts around legitimate interests, specifically in relation to prospect research.

Please click here to download our paper on this, which is a meander around the topic (you’ll be asked to subcribe to Factary Updates, so you’ll receive other reports and updates like this in the future). We hope the report is useful. Please do come back to us with any questions or comments. Also, remember that we are not data protection lawyers, so don’t make any decisions based solely on the information we provide!

5 Questions to Ask the ICO

The Information Commissioner, the Fundraising Regulator and the Charity Commission are due to meet fundraisers in Manchester tomorrow, on Tuesday 21st February, for the Fundraising and Regulatory Compliance Conference. The ICO have produced a conference paper for delegates to read prior to 21st, which can be accessed here.

The paper, amongst other things, sets out the ICO’s view of data protection in relation to Database Screening and, it seems, prospect research – although, whilst it mentions ‘Screening’ specifically, the paper rather ambiguously only refers to other [research] “…activities such as profiling individuals”. We do need to get some clarification on what they mean by this but, from the context, it does appear to refer to researching donors and supporters using public domain sources and/or using information not supplied directly by the data subject (so, prospect research).

The paper initially outlines why an organisation should use a privacy policy to explain how they make use of data. It then explains the ‘legitimate interests’ condition in relation to the DPA. In this sense, the paper is useful in outlining that charities need to be honest and fair in their processing of data. This is something that cannot and should not be argued with. As we have said before (e.g. here and here), all charities must make sure they have robust, fair and easily accessible privacy policies which openly explain how they collect, store, use and process data.

The conference paper outlines situations in which such a policy must be communicated to a supporter, some ways this can be done, and even when it is not necessary / practical to do so. This is all useful and welcome information. We now hope that perhaps the Fundraising Regulator will issue some sample privacy policies at the conference on Tuesday that provide examples of the language that charities can use to comply with fair processing of data for fundraising.

However, the paper then states that it is ‘highly unlikely’ that charities will be able to rely on legitimate interests as a condition to process data for Database Screening – specifically using third party providers or involving any personal data not supplied by the data subject – or for ‘profiling individuals’. Instead these activities will require explicit consent from data subjects. This is because, the ICO states, these activities are a) not ‘compatible’ with processing data collected from a donor at the point of donation and b) not within the ‘reasonable expectations’ of a donor.

Please read the conference paper. Think about how it will affect you and your work and highlight any areas you feel are not clear. The conference on 21st February is a very important event and the questions we ask (and the answers we receive) about this paper are likely to have a long-term effect on fundraising and research. If you are not going to be at the conference on Tuesday, you can pass any questions that you may have about it directly to the ICO (send them to events@ico.org.uk and ask for them to be forwarded to the relevant dept).

Below are 5 of the questions we would like to ask, now that we have read the paper:

  1. The ICO say in its paper for this conference that individuals are “highly unlikely to expect” certain types of data processing. In the ICO’s press release announcing the British Heart Foundation and RSPCA monetary penalties they are quoted as saying “millions of people who give their time and money to benefit good causes will be saddened…” to know that charities would ask them for more money.
    1. Does the ICO have evidence that shows what donors expect?
    2. There is, in fact, strong evidence to support the fact that processing of personal data for research is within the reasonable expectations of many donors; a recent study concluded that 78% of donors said that better research before they are approached by a non-profit is the most significant area of improvement in fundraising in the past 10 years. Therefore, if fair processing is adhered to and prospect research is within the reasonable expectations of donors, then can the ICO confirm that charities can rely on legitimate interests to undertake this type of activity?
    3. Sources
      1. ICO, Fundraising and regulatory compliance, 21st February 2017
      2. ICO investigation reveals how charities have been exploiting supporters, 16th December 2016
      3. Breeze & Lloyd, (2013); Why Rich People Give. London, DSC.
  2. Tesco’s Privacy Policy, which customers using its loyalty card must accept, says: “We may also use personal data from other sources, such as specialist companies that supply information, online media channels (online media channels include websites, social media sites, pay TV providers and any other channels that become available to us), our Retail Partners and public registers (for example, the electoral roll)”. They state that they do this in order to provide a better service and experience to their customers.
    1. If a charity used this same statement in its privacy policy, could charities use the public and private domain sources listed by Tesco in research so as to provide a better service and experience to donors?
    2. If not, why not?
    3. Source: Tesco Privacy and Cookie Policy
  3. The paper for the conference says: “It’s legitimate for you to process personal data in order to properly administer donations received from individuals”. The paper suggests throughout, as highlighted above, that “administering donations” is the only purpose for which a charity would use data collected at the point of donation or at the point a supporter joins a charity database. It suggests, therefore, that fundraising (including the market research necessary for raising funds) is not a compatible purpose for processing donation information.
    1. Is it?
    2. If not, why can, for example, Tesco use transaction information for more than simply administering a transaction (see their privacy policy linked above)?
    3. As charities rely on fundraising to carry out their work, is it not within their legitimate interests to use data collected from supporters for fundraising purposes, providing that fair processing and the rules of PECR, the MPS/TPS/FPS etc. are all adhered to?
  4. Here is a common story: a charity Board member meets an individual at, say, a cocktail party. The Board member comes back to the charity fundraiser with the individual’s name and says “X is interested in what we do. And he is wealthy.” The ICO says in its paper for this conference: “Far more intrusive are activities such as profiling individuals, particularly where this involves getting more information that the individual has not given you, either directly or via third-party companies. In these cases the legitimate interest condition is highly unlikely to apply. So you’d need to seek the consent of individuals before doing such processing.”
    1. The X named by our Board member is not a donor. We have no permissions or opt-ins or opt-outs. Can we look him up on Google or LinkedIn or Companies House without his permission?
  5. The Charity Commission imposes a duty to check on donors and potential donors. The Charity Commission recommends that trustees understand their donors and asks: “Have any public concerns been raised about the donors or their activities?” The Commission suggests that “full use should be made of internet websites” to check on donors. This is directly contrary to the ICO guidance which would not permit the use of public domain information until the donor has signed up to our privacy policy.
    1. Given that we want to research a potential donor before she does this, whose guidance should we follow – that of the ICO or that of the Charity Commission?
    2. Source: Charity Commission for England and Wales, Tool 6: Know Your Donor – Key Questions

These are just some of the questions we feel require clarification from the ICO and we’ll be submitting these prior to the event. We will also be attending the event on Tuesday and we’ll report back on what happened as soon as possible afterwards through this blog.

Please also keep an eye on Factary’s Twitter feed during the day as we will attempt, where possible, to Tweet any significant points or answers to any questions raised during the conference.

FTSE100 Chairmen, Companies and Philanthropy: a new report

How much do you know about the leaders of the largest companies in the UK? How are they interconnected? What are their philanthropic interests? And those of their fellow directors or the companies that they lead?

Whilst much information is available in the public domain concerning corporate giving by the FTSE100, limited information is easily available concerning the philanthropic activities of their board directors.

Factary’s new report provides in-depth research into each of the 94 Chairmen – and women – of the FTSE100, including biographical information, key professional and philanthropic interests and details of links to other FTSE100 Chairmen. We also provide a brief overview of each company and their CSR activities, including known major gifts, together with details of a further 189 notable board directors from the 100 companies.

The report highlights that the vast majority of FTSE100 Chairmen are philanthropically active, with over 94% providing money, time and expertise to support a wide variety of causes across the UK and internationally. The most popular causes receiving support are education, arts and heritage but with an average of 2.9 causes supported by each Chairman there is also evidence of support for environment, sport and disability services. There is a notable is difference between the chosen philanthropic interests of individual Chairmen and those of the companies they head up, which are more likely to support health, welfare, children and international development.

The philanthropic interests of the companies and the people behind them are further detailed in an Excel spreadsheet, accompanying the full report, which contains a breakdown of all identified philanthropic interests which can be filtered to focus on specific companies, Chairmen or directors.

The report also shines a light on how the FTSE100 Chairmen interconnect through professional and philanthropic involvements, educational institutions and club memberships. The report shows that 70% of the FTSE100 Chairmen connect directly to at least two other Chairmen, highlighting that there is significant potential for networking and relationship building within this group.

We present this network information in the form of an interactive, online Factary Atom map, access to which is included with the report.

If you are about to launch a major campaign, or just want to see who your key volunteers may know and what their interests are, then this latest report from Factary will be an invaluable resource for major donor and corporate fundraisers or prospect researchers – providing you with detailed and up-to-date information on some of the most high profile and well-connected philanthropists in the UK.

The report is £495, for which you receive:

  • The full 325-page report containing:
    • Full profiles of the 94 current FTSE100 Chairmen (as of January 2017)
    • Brief profiles of companies (including CSR and major gifts)
    • Factary analysis, observations and conclusions
  • Excel spreadsheet to filter for relevant philanthropic interests by Chairman, director or FTSE100 company
  • Online network map to identify how the Chairmen are connected through professional or philanthropic interests, education institutions, club memberships and leisure interests

If you are interested in ordering a copy or would like more information, please email research@factary.com or call 0117 916 6740.

ICO rulings and Database Screenings

The ICO fines for BHF and RSPCA that were announced this week have caused understandable concern for prospect researchers and wider fundraising teams across the sector. This blog post is Factary’s initial response to this news.

The ICO has so far issued two statements about the fines levied (these can be seen here and here). The statements outline that the fines are being issued for various infringements of the Data Protection Act through wealth screening, data appending and data sharing. To be clear, this blog post refers only to the situation with wealth screening, or, as we call it, Database Screening. Data appending and data sharing of bulk data are not services we provide at Factary so we won’t comment on the situation with these fines.

The first thing to mention is that we are expecting more comprehensive information about these fines to be issued on Friday 9th December by the ICO. The full penalty notices will be published on the ICO website and Twitter feed along with details of the enforcement action. Until we have reviewed the full documents it will be difficult to respond properly to this situation. That said, since the Daily Mail broke the story (ahead of the ICO announcement) of the fines on Tuesday 6th, we have received many emails from concerned clients, colleagues and friends worrying about the implication of these fines for non-profits and prospect research, so we wanted to issue a response as soon as possible to answer some of the most pressing questions, some of which are…

Can we still carry out Database Screenings?

It seems that one of the main reasons for the fines levied for ‘wealth screenings’, as explained in the information we have seen from the ICO so far, was because “Donors were not informed of these [Screening] practices, and so were unable to consent or object” to them. The lesson here is not that Screening is unlawful from the ICO’s viewpoint, but that non-profits and Screening service providers need to be open and transparent about what they will use personal data for. This is something that we mentioned in our previous blog on data protection.

The problem still remains, of course, that we feel neither the ICO nor the Fundraising Regulator have been too clear on how this information should be presented to supporters or indeed what information is necessary / sufficient. Hopefully they will do more to educate the sector and provide greater clarity. In the meantime we would expect that the vast majority of non-profits have completed and published, or are working on, improved privacy notices that include information about prospect research so that their supporters are fully aware of what their data is used for. The RiF ‘data protection working group’ will be drawing together samples of these, and this is something Factary will be helping with. We’ll post news on this here on the blog, on our Twitter feed and the RiF committee will also post on their Twitter feed, so keep an eye out.

If you’d like to discuss privacy notices or statements please do email me.

What about previous Screenings?

One of the questions many are asking now is, “When I last undertook a Screening, the non-profit I work for did not have a robust privacy policy in place. Is there a chance that we will be fined, too?” The short answer to this is, of course, that it is entirely possible more fines will be issued. The long answer may have to wait until we have received more information from the ICO on the nature of the fines against BHF and RSPCA in relation to Screening; until we know the full extent of the infringement, it will be difficult to understand the full impact.

Either way, there is very little you can do about previous Screenings; you can really only make sure you are fully prepared and compliant for the next.

What can the sector do?

From our point of view, some of the ICO’s latest statements set a tone which portrays Screening (and prospect research more generally) negatively. The ICO statements said, “The millions of people who give their time and money to benefit good causes…will be upset to discover that charities abused their trust to target them for even more money”. This kind of reporting will no doubt result in harmful press articles (aside from the inevitable articles from the Daily Mail which I won’t reference here) such as the BBC and even Third Sector where they have reported negatively that charities are “secretly screening donors” with a “disregard for people’s privacy”.

We feel the general tone used to report on these fines suggests a lack of understanding of what Screening is and why it is used – and, by extension, what prospect research is and what it is for. We should, as a sector, take some responsibility for this as we have not historically been very open in explaining how Screening and prospect research benefits donors and helps to improve their relationships with the causes they support. That said, we can’t shoulder all the blame, as many people I have spoken to have found the ICO’s approach to communication on these issues (and when directly speaking at conferences during 2016) to also be quite negative. For example, many of the emails I have received since Tuesday start with, “One of my trustees has read the Daily Mail article…” or, “Our compliance team has seen the ICO report…”, followed by concerned questions about the legality of Screening / research. This highlights that the negative and sometimes misleading reports that are in the public domain are already having a troubling impact on our abilities to carry out the normal functions of prospect research. We understand the genuine reasons for the ICO’s actions, but it serves no purpose to paint a negative image of the sector, who largely do incredible work for people and society.

This means it is up to us push back on the negativity and educate our supporters, the wider public and even (in some instances) our own colleagues about prospect research. This echoes what was said at the RiF Conference; we need to take ownership of communicating the need, impact and benefits of prospect research through privacy statements, protocol and policies. We need to be positive in our communication and underline the benefits to donors and non-profits of prospect research – and, to highlight the negative consequences of fundraising without prospect research.

What should we do now?

  • Be clear on why prospect research is vital for fundraising in your organisation
  • Educate trustees (and wider colleagues) if necessary on the need and impact of research
  • Ensure privacy notices are robust and include information on Screening and research
  • Share best practice with colleagues from other non-profits on privacy notices
  • Also, note that when including information on Screening in a privacy notice you’ll need to link to the privacy statements of your chosen Screening company to ensure that the company is also compliant with data protection (as examples, Factary’s is here and Prospecting for Gold’s can be found here)

What happens next?

  • Friday 9 December: The penalty notices will be published on the ICO website along with details of the enforcement action. Hopefully this will give us more of an idea of what the scale of the Screening problem is (in comparison to the data appending and sharing), and exactly what the RSPCA and BHF have been fined for
  • The Institute of Fundraising is likely to respond properly to these fines when the full report has been released, keep an eye on their Twitter feed or the feed of Dan Fluskey, IoF Head of Policy and Research, who has been working with RiF on this issue. He wrote a great piece in fundraising.co.uk about this issue yesterday
  • The ICO is organising “an educational event in partnership with the Charity Commission and the Fundraising Regulator” (no date for this has been announced, presumably early 2017), keep an eye on their announcements for more information on this
  • The ICO will also present an in-depth report in regards to charity fundraising practices to Parliament in 2017; based on the negative stance the ICO has taken on fundraising practices, this has the potential to be damaging and as a sector we need to be ready to respond to this

As ever, if anyone has any questions on this please do not hesitate to contact me at nicolaw@factary.com.

We would also like to take this opportunity to thank many of our colleagues and friends from the sector who have contacted us with messages of support in the past 48 hours – we really appreciate it!

Data Protection, Consent and Prospect Research

Many of Factary’s clients and colleagues have been in touch with us recently voicing their concerns, frustrations and confusion over recent news regarding the use of personal data in fundraising and prospect research. It’s not surprising that there is confusion; this year has seen a whirlwind of news and opinion from various regulatory bodies, some of it conflicting.

Our clients have asked if we can provide some clarity – this is a tall order right now as the situation is not completely clear and evolving more-or-less by the day, but below we have outlined recent events, the current situation and news on what is happening over the next few months.

The current situation – how did we get here?

As we know, 2015 was a challenging year for fundraising and charities in the UK. Negative press reports regarding certain fundraising practices ultimately resulted in a review of all fundraising and the publication of the Etherington Review in September 2015, which outlined recommendations for the future of fundraising.

Recommendations in the Etherington Review included that a new Fundraising Regulator be established (to set and promote standards for fundraising practice) and a ‘Fundraising Preference Service’ (FPS) be launched. The Fundraising Regulator launched in July 2016 and is in the process of setting up the FPS so that “individuals only get the fundraising communications they want and need”.

Whether or not people feel the FPS is necessary (alongside the MPS, the TPS and PECR), the decision has been made and the Regulator is aiming to launch it sometime in 2017. The official consultation period on the FPS has passed but the proposal papers can be viewed here.

The Etherington Review also worked closely with the ICO in developing the recommendations. It was outlined in the Review that the ICO had not been communicated with sufficiently in the past by either the Institute of Fundraising or the (now defunct) Fundraising Standards Board and that a stronger relationship between the new Regulator and the ICO should be established.

The upshot of this is that the ICO turned its attention to the non-profit sector and began reviewing if and/or how charities were adhering to the Data Protection Act (DPA) and PECR through fundraising practices such as direct marketing, telephone fundraising and electronic communications.

The general issue of consent

The ICO have been in attendance at many fundraising conferences, seminars and events this year, usually alongside representatives from the Regulator. The ICO have outlined their concerns over how well (or otherwise) non-profits have been adhering to the DPA, with a particular focus on the apparent lack of evidence around ‘consent’ for non-profits to use the personal data of their supporters. This is not just about obtaining consent from supporters for non-profits to hold personal data on a database but also about obtaining consent for how the data is then used for marketing, fundraising and, importantly for us, in prospect research.

The issue of gaining consent is simultaneously very clear and also incredibly complex. On the one hand, it is straightforward because there is universal agreement in the sector that supporters and donors should have proper control over their data, be able to communicate preferences to their chosen charities and have those preferences acted upon. The complexity comes with how and to what extent non-profits are expected to communicate with current and future supporters to gain consent for the use of personal data.

With the looming presence of the GDPR, scheduled to come into force in May 2018, the issue of consent becomes even more important (that said, to what extent the current format of the GDPR will be implemented is Brexit-dependent, so even this is unclear).

Current guidance on consent – where can you go for help?

There are several documents detailing regulations and guidance from the ICO in relation to consent and data protection:

Unfortunately, whilst useful, these aren’t hugely specific to the non-profit sector and only go some way towards clarifying the situation.

Helpfully, there are some other places where we can gain more clarity:

  • The Fundraising Regulator will be translating the ICO regulations and issuing some guidance on the consents that charities should obtain, sometime in the autumn/winter of 2016 (so, very soon).
  • In February 2017, the Regulator will also be starting a 3-month consultation period on updates/changes to the Code of Fundraising Practice, which will include reviewing guidance on data protection and consent (this is according to Head of Policy, Gerald Oppenheimer, speaking at the CASE Development Services conference in October 2016). Keep an eye on the Regulator’s website and Twitter feed and try to make sure you are a part of the consultation next year. The Code will potentially have a huge impact on fundraising practice – including prospect research – so try to make sure you and the organisations you work for have a say on the development and changes.
  • The NCVO have produced a report ‘Charities relationships with donors; a vision for a better future’. This report contains sample statements showing how non-profits can obtain consent to use personal data and it will inform the Regulator’s development of guidelines for the Code of Fundraising Practice. It is worth noting that these guidelines conflict with the ICO’s recent statements around how consent for prospect research should be obtained (see below).
  • CASE are also in the process of writing guidelines on consent for education institutions. These will be available on 25th January 2017. These guidelines will contain example privacy policies and sample donor communications, hopefully also including information on prospect research. Whilst the guidelines will inevitably be steered towards alumni databases and communications, they will no doubt be helpful to all non-profits, so they’ll be worth looking out for. Keep an eye on the CASE Twitter feed for more information.

But what does this all mean for prospect research?

All the guidance and regulation noted above is (or probably will be) quite broad, relating to consent for all forms of fundraising/marketing – but the ICO review process has also had some interesting consequences for those of us working in prospect research and, by extension, major donor fundraising.

Throughout the course of 2016, a representative of the ICO has stated at various events that non-profits will not only need to obtain consent to use personal data for fundraising/marketing but also for all forms of prospect research. This could mean that consent will need to be obtained for each part of the research process (e.g. data screening, segmentation, data modelling, appending wealth, profiling etc.). Additionally, the ICO have outlined that this isn’t just about gaining consent to use the personal data given when a supporter, for example, makes a donation, but also for any data pertaining to the person in the public domain; so, in practice, this might mean obtaining consent from individual supporters to access their details on Companies House or other common research sources.

There are clearly numerous concerns with this.

The main problem is that, as this has been a relatively fast moving situation, there is currently very little guidance on how non-profits should go about incorporating prospect research consent into their privacy policies, consent forms or fundraising communications. Nor has then been any clarity on how explicit the consent will need to be. Our view is that it is unworkable to expect supporters to give separate consent to each and every fundraising, marketing and research option that they may be presented with.

Also, on a practical note, in this post on the GDPR, Christian Propper at Graham Pelton Consultants asks two pertinent questions:

  • How can we ask for consent for database screening, profiling and other research techniques in a way that doesn’t unduly worry supporters?
  • How can non-profits future-proof their current consent/privacy statements to encompass research practices they may adopt in the future (but might not yet even know about)?

In short, how can prospect research ensure it is on the right side of regulation whilst also being able to continue contributing to fundraising in all its myriad, wonderful ways? The short answer right now is that, unfortunately, there is no clear guidance on this. All we know is that (as outlined above) the Regulator is working on best practice guidelines on consent which we assume will include consent for prospect research.

There are a few papers/articles that might be helpful to review around this issue;

  • The NCVO report, mentioned above, which can be downloaded here, is useful to read if only from the point of view that the ‘best practice’ sample statements on consent only mention research in passing and certainly not to the extent that the ICO has suggested is necessary, e.g. ‘We may from time to time use your data for profiling, targeting and research purposes so that our communications to you are as appropriate and cost effective as possible’ . It will be interesting to see if this approach is adopted by the Regulator when they bring out their official guidance.
  • The team at the Commission on the Donor Experience are working on a project around ‘giving choices and managing preferences’. Ken Burnett from the Commission wrote this article in which he outlines a practical way to ensure ‘continuous donor choice’. This step-by-step guide could easily be modified to include information on prospect research and is one sensible option for communicating with supporters. The Commission is working with the Regulator so something akin to this approach may be adopted in the guidelines for the Code of Practice.
  • Adrian Beney at More Partnership produced an excellent briefing paper on ‘More Partnership briefing for NCVO on Wealth Screening and Profiling’ earlier this year in response to the initial draft report from the NCVO. The paper puts prospect research into context and questions some of the ICO’s opinions on how data is used in fundraising and the types of consents non-profits should reasonably be expected to ask for. If your role encompasses prospect research this paper would be an excellent reference guide to understanding ICO regulations and prospect research.

So, what should I do now?

Our advice would be, first of all, not to panic about the conflicting news and opinion you may have heard. If you feel there are possibly areas where your organisation needs to improve communications around consent to use personal data then, alongside your day job, you could perhaps:

  • look into the consent options, donor communications, privacy policies and data processes that are in place in your organisation, alongside reviewing the ICO documents for direct marketing and PECR (links above)
  • consider undertaking a ‘privacy impact assessment’ to highlight areas your organisation may falling short on data protection
  • ensure you are a part of the Fundraising Regulator’s consultation process in 2017; the more involved we all are, the more likely that the guidelines will be workable for us
  • attend the Researchers in Fundraising conference in November 2016 – a representative from the ICO is speaking on the topic of data protection and consent
  • support the Researchers in Fundraising ‘data protection working group’, who are working with the ICO and the Fundraising Regulator to ensure prospect research is part of the conversation – keep an eye on the RiF news webpage and Twitter feed for developments on this

Also, keep an eye on Factary’s Twitter feed or let me know if you’d like to join our mailing list to be kept informed of any further news or announcements relating to this topic. We’re keeping a close eye on developments and would be happy to disseminate information.

And finally; remember that prospect research has an enormously positive role to play in fundraising. We need to keep in mind that our work is of tremendous consequence. So, when it comes to drafting future communications / privacy policies with supporters, please keep in mind this excellent Tweet from Adrian Beney at More Partnership wherein he encourages us to, “Tell people what you’re doing. Be honest. And open. And unashamed of what we do to help create a better world.”

If you’d like to discuss any of this in more detail or if you are concerned about consent or data protection, please contact me nicolaw@factary.com.

Five ways to make use of donation data

There has been some interest online over the past few months in how prospect researchers can make the best use of ‘donation data’ – i.e. databases, reports and websites that list donations, showing who gave, how much, and to whom.

Recent blogs such as this one from iWave inspired us to carry out a survey amongst our subscribers to Factary Phi to find out for ourselves how and why they are using donation data. Some of their answers were unexpected – we found out that our subscribers are very imaginative when it comes to making use of data on donations in their research. Below we have outlined some of the ways our subscribers have told us they’re making use of the data.

If you use donation data in your research, we hope the innovative approaches of our subscribers prove inspirational to you!

The five ways our subscribers are using Phi data

  1. To understand philanthropic interests to help identify the best prospects

    Overall (and perhaps the least surprising in many ways) was that a whopping 90% of respondents to our survey mentioned that the two ways they mainly use the donation data in Phi were to:

    1. Research existing prospects, e.g.:
      • “Searching by name and checking which causes [prospects] are giving to, to determine philanthropic interests”
      • “Get a sense of causes these donors or prospects support”
      • “Research other charities supported by existing supporters and prospects”
    2. Find new prospects, e.g.:
      • “Identify people supporting competitor charities/similar causes through searching by [recipients] activity type”
      • “To identify new potential prospects giving to a similar cause”
      • “Check who is giving to similar causes [and] check who is giving to particular causes”

    As we know, using research on donation history to find prospects with an affinity to a particular cause has been long proven as an effective strategy for understanding which of your current prospects might prove to be the most likely to donate – and also for finding new potential likely donors. This is because many donors will have a specific interest in a particular cause and will more readily consider donating to organisations operating in a similar field in the future (Breeze & Lloyd, 2013). This type of approach to the research was said to be useful for researching all types of prospects on Phi, including individuals, trusts and companies.

  2. To help researchers shape fundraising strategy

    Interestingly, prospect researchers using Phi told us that researching donation data can be a way that they can help their organisations to plan fundraising strategy. Subscribers noted that the breadth of data on Phi allowed them, together with additional research, to benchmark types of donors to similar organisations or projects, thereby gaining an understanding of the current fundraising market. So, for example, the research might show if individual major donors would be more or less likely to support a particular type of project or campaign than trusts & foundations. Armed with this knowledge, researchers can then advise senior management on the likely avenues for support, thereby shaping the fundraising strategy around the type of donor most likely to give.

    The ability for researchers to ascertain potential levels of giving was another factor mentioned in helping to shape strategy – by using Phi to research donation levels, researchers are able to estimate the potential eventual Ask for current donors and existing / potential prospects. Knowing a prospect’s previous donation levels to different causes is a useful way to gauge their likely or potential future donation to your cause – and arguably more accurate than basing their estimated gift capacity on wealth data alone. This donation information enables researchers to contribute to discussions around fundraising targets for campaigns and projects, potentially putting them in a central role during decision-making around prospect allocation and fundraising strategy development.

    Also, some researchers stated that the data on Phi also helps them identify local recipient organisations (by searching for donations to a particular region or town) to see if there are common funders or funding networks prevalent in that local area, thereby contributing to an understanding of the potential local prospect pool or philanthropic networks to be cultivated. This approach was said to help both national charities with local offices and also regional organisations (such as hospices).

  3. To encourage stronger relationships between fundraisers and researchers

    We thought this was a particularly nice benefit to researching donation data!

    Some of our respondents reported that fundraisers were more willing to take on prospects that a prospect researcher had identified if they could provide information to the fundraiser on the prospects’ previous donations. When these prospects turned out to be decent (and ultimately donated to the cause), the fundraisers were then more open to working with the researcher’s suggestions in the future, thereby creating a better working relationship.

    Respondents also noted that even where information on specific gift amounts was omitted from the donation search, simply identifying that the prospect is philanthropic was sometimes enough to encourage fundraisers to act on their suggestions.

  4. To understand how donors give

    Turns out, knowing how donors give is almost as important to researchers as knowing how much they give.

    Subscribers reported that having donation data which covers a broad range of types of giving is incredibly useful. Being able to see prospects giving via their charitable trust, their company and as an individual gives a quick overview of the prospects’ philanthropic portfolio. Using this information, researchers can then advise on approach strategies – e.g. whether to approach a prospect as an individual major donor or via their charitable trust for a specific project.

    Breeze & Lloyd (2013) reported that whilst 73% of rich donors give via their charitable trust, 49% also give one off donations, 28% give via standing order/direct debit and 22% are planning to give via their will. This breadth of giving is reflected in Phi, with donations showing donors giving via multiple channels, making the data useful for trust fundraisers, corporate fundraisers and major donor or individual giving teams. Being able to contribute to so many areas of fundraising can make a prospect researcher an invaluable and valued part of the wider team.

    One subscriber also mentioned that the inclusion of political donations on Phi was especially useful as, because they were new to prospect research when they first started using Phi, they wouldn’t have thought of political donations as a source for prospect information. Also, US research in 2015 by DonorSearch reported that individuals who gave >$2.5k in political donations were 15 times more likely to give to a charitable organisation than those who hadn’t (whether this is also true of political donors in the UK is unclear, however).

  5. To improve the perception of researchers in their own organisations

    Perhaps our favourite benefit of all!

    As stated above, relationships with fundraisers have been known to improve through using donation data as a research tool, but subscribers further noted ways in which making use of donation data in different ways can highlight the enormous contribution prospect research makes to a team. Some examples are:

    • Prospect researchers use the data to increase their knowledge of the prospect pool and to prioritise long lists of prospects by previous giving – this is invaluable information when discussing cultivation strategies and allocating prospects to fundraisers.
    • Data on giving history enables researchers to boost numbers of new prospects, which can bring research into a more central role when moving through a campaign, for example.
    • Research into philanthropic interests had highlighted where prospects had made large gifts to other organisations that had strong links to their own Trustees or Chairman. Noting these links and connections was hugely important in devising an approach strategy for the prospect and wouldn’t have happened about without the research into philanthropic affiliations and donation history.

One more thing…

Perhaps the best outcome of all, for everyone involved, is to know that some of our subscribers have stated that research into prospects’ donation history ultimately helps lead to new gifts for their organisations. Which is, after all, what it’s all about!

We hope this proves useful for you in your own research.

And, finally…thanks to all of the subscribers to Factary Phi who took part in our survey!