Blog

Factary’s Privacy Notice Project

For the past few months we have been engaged in a project to understand the reaction of donors, supporters and alumni when they receive a privacy notice from a non-profit organisation or university which is relying on its legitimate interest to process data for prospect research purposes.

We undertook the project because, under GDPR, in order to be able to rely on legitimate interest as a basis to process personal data for prospect research purposes (and therefore not obtain consent), non-profits must ensure they have fulfilled certain criteria – including undertaking a balancing exercise to ensure that the legitimate interests of the organisation do not override individuals’ interests, rights & freedoms and to ensure that the data processing does not have a disproportionate impact on data subjects.

Whilst many non-profits and universities feel they have successfully carried out balancing exercises and provided fair and transparent privacy notices detailing prospect research activities, the decision they have taken to rely on their legitimate interests is not without its risks. The opinion of the Information Commissioner’s Office (ICO) in early 2017 was that “millions of people” would “be upset to discover that charities [would] target them for even more money” by undertaking activities such as prospect research. If it is indeed the case that millions of people would feel this way then it could be argued that prospect research activities do have a disproportionate impact on data subjects.

However, so far the ICO have provided no evidence that “millions of people” would be upset to discover that non-profit organisations undertake prospect research. In fact, in a recent ongoing correspondence in relation to a Freedom of Information request, the ICO state they have “no specific evidence” to support their assertion that donors, supporters or alumni would not reasonably expect non-profits to undertake prospect research, much less that people would be upset about it.

That said, the non-profit sector itself cannot currently provide any empirical evidence that millions of people would not feel this way. The lack of evidence to support some aspects of the decision many non-profits have taken to rely on the legitimate interest condition is something that concerns us at Factary and for this reason we decided to try and understand the reaction of donors, supporters and alumni when they are told about prospect research via a privacy notice.

The project

This project aimed to capture data on the reactions of data subjects when they received a privacy notice containing information about prospect research activities. To do this, a questionnaire was sent only to non-profits which:

  • undertake prospect research activities (such as profiling and screening)
  • have decided to rely on legitimate interests for prospect research purposes
  • have included specific information about prospect research activities in their privacy notice
  • have provided the privacy notice to their constituents (not just made it available on their website)
  • told recipients how they could opt out of their data being used for prospect research and how they could complain about data being used in this way

Results

To date, 17 non-profits organisations (a mixture of charities and universities) have completed the questionnaire.

In total 2,433,901 privacy notices have been provided by the 17 organisations.

Privacy notices (or links to privacy notices) have been provided using the following methods:

  • 1,174,930 sent by email
  • 947,791 sent by post
  • 307,180 sent by SMS
  • 4,000 provided face to face (by one higher education institution at an alumni event)
Graph comparing the methods by which organisations have provided privacy notices to data subjects.

From the 2.4m privacy notices that were provided by the 17 different organisations, we asked:

  • How many recipients contacted the non-profit to opt-out of their data being used for prospect research purposes?
  • How many recipients contacted the non-profit to complain about the use of personal data for prospect research purposes?

The results show:

  • Overall 0.0000411% of recipients complained about prospect research
  • Overall 0.00825% of recipients opted out of prospect research

What do these results mean?

As is shown, the number of individuals complaining about prospect research, or requesting to ‘opt out’ of their data being used in prospect research, is infinitesimal.

This data therefore provides an evidence base that can be used to argue that the balancing exercise carried out by non-profit organisations to review individuals’ interests, rights and freedoms was fairly judged because, if it hadn’t been, then presumably the number of individuals complaining about or opting out of prospect research would be significantly higher.

Whilst we do not necessarily feel the results of the project can be used to argue that people ‘reasonably expect’ to be researched, the data can be used to argue that prospect research activities do not appear to have a disproportionate impact on data subjects. The ICO state that

You should avoid using legitimate interests if you are using personal data in ways … you think some people would object [to] if you explained it to them.

This data shows that the rate of objection is negligible which makes the legitimate interests condition an entirely viable option for non-profits.

Of course, one of the limitations of this data is that it is difficult to know how many individuals have actually read the privacy notices that they were sent in various formats (our research shows that, on average, around 30% of individuals who received privacy notices via email clicked to open the email but we have no way of knowing how many people read the copies that were posted to them or that were given to them face to face). However, we do not believe that this invalidates the results. In fact, given the widespread negative publicity afforded to the use of personal data in fundraising by charities and universities over the past few years in the national press, it would be difficult to state that there is a total lack of awareness amongst donors, supporters and alumni of how personal data is used in fundraising. It could be argued that the open rate indicates that, despite negative press reports about wealth screening and research, people trust their chosen charities and universities to use their data responsibly.

Of course, more can be done to ensure donors, supporters and alumni are engaged in matters of data privacy over and above just sending a privacy notice – for example, many organisations are speaking directly with donors about data privacy matters to make sure individuals have a thorough understanding of what happens with their data and to gauge reasonable expectations. That said, each organisation that completed our questionnaire provided a clear privacy notice to data subjects to enable them to exercise their rights (to be informed, to object the processing, to minimise processing, to access their data etc.) and so they have met the standards of transparency required under the legitimate interests condition, regardless of how many recipients found it necessary to read the privacy notice.

What next?

We would like to continue to add to this evidence base if possible so if your organisation is relying on legitimate interests to process data for prospect research and you would like to share your data on privacy notices, please do contact us at the details below. If we do receive more data on this, we’ll update this blog with fresh results.

We also believe there is more work that can to be done to gather wider evidence to support the justification to rely on legitimate interests for prospect research. This includes gathering and disseminating data on the reasonable expectations of supporters (particularly major donors), the purposes of prospect research, how necessary research is to fundraising and the benefits of doing it. There is more to come from us on some of these issues, so keep an eye on the blog – but if you are engaging in any evidence gathering on these matters we’d love to hear from you!

And, last but not least, we’d like to thank the organisations and higher ed institutions that submitted data to us for this project.

If you have any questions about any of the above (or GDPR or research in general) please do get in touch with Nicola Williams, Research Director, at nicolaw@factary.com.

Factary New Trust Update 2018 Review

In 2018 Factary’s New Trust Update contained profiles of 224 newly-registered grant-making trusts and foundations. Our review of the year found that 62 of these were founded by individuals with an estimated wealth of at least £10m which equates to more than 1 out of every 4 trusts featured in our reports. This is an increase of 30% from last year. The combined wealth of these philanthropists is in excess of £25bn and includes a number of global philanthropists who have chosen to set up a foundation in the UK.

Our New Trust Update 2018 infographic report includes a range of useful analysis and statistics including the philanthropic areas of interest of the trusts and foundations featured throughout the year, the source of funds of the High Net Worth Individuals creating their own foundations and their geographical distribution. It also includes mini profiles on a handful of the most interesting and potentially major foundations and their settlors.

Whilst there are on average around 100 new organisations registered with the Charity Commission each month that state they make grants to other organisations, in practice the vast majority of these are not what would be considered grant-making trusts or foundations. We scrutinise and carefully select the organisations that are featured in New Trust Update, making it a vital resource for finding out about new sources of funding in the foundations market, particularly from High Net Worth families and corporates. With details on around 20 new grant-makers each month, including notes on the professional and philanthropic interests of the settlors and interview notes on the aims and objectives of the trusts and foundations, New Trust Update gives fundraisers a head-start on building relationships with these new philanthropic vehicles before they appear on any other directories.

Subscriber numbers for New Trust Update are limited to maintain exclusivity of the information contained. If you would like to find out more, or to receive a downloadable version of the report, then please contact Nicola Williams or call us on 0117 9166740.

Why 18?

Why do we say that strategic donor (‘major donor’) programmes take eighteen months to break even? It’s a number I have heard again and again, and that I repeat when I am teaching strategy at the Postgraduate in fundraising at the University of Barcelona, without having hard data to back up the claim.

To find an answer, I have been experimenting on myself. Since January 2017 I have been working a few days a week with Pallapupas, the healthcare clown organisation in Catalonia. I’m their strategic donor fundraiser. I thought, with the arrogance of years of experience as a consultant and researcher, that – ha! – this was going to be easy. In six months, I thought, we’ll fix this and I can sit back and watch the money roll in.

And here we are, almost eighteen months later and now, after a lot of blood, sweat and tears, now we can see the money starting to roll in.

So why? Why does it take eighteen months to get to the tipping point in a strategic donor programme? I have worked with many different programmes across Europe, but there are common threads in all of them:

You, and Me

Fundraising shines a bright light on your own character. So I have learned, in the last 18 months, that I am no blooming good at cold calling by phone (OK, I am doing it in my second language, but that’s no excuse); that I really enjoy building networks of people and sometimes focus more on that than on the money; and that I develop relationships with people over time, not at speed. All of these factors help explain why it takes me time to reach breakeven.

But this is not some embarrassing confessional. I’m illustrating the point that each of us who takes on a strategic fundraising role brings our character to play – and that affects how long it takes to reach the moment when the programme is up and running.

The Case

Many European NGOs are starting strategic donor programmes after years of running mass-marketing, mail- and email-driven, fundraising programmes. They have had years, therefore, of making offers to donors like ‘with €10 a month you can save a life.’

So the first challenge for the new strategic donor fundraiser is how to build a case for €10,000, or €100,000, or €10m. That is an enormous leap for many organisations. Some of them back out, building middle donor programmes with asks in the hundreds, not the thousands of Euros.

Making the case means putting together a budget, making a business plan, winning buy-in from colleagues and key staff, and producing a convincing elevator pitch. All of which takes time…and more, if you hit problems with the Project Pipeline, or the words.

The Project Pipeline

Does the organisation have €100,000 projects? Or €10m projects? Or dreams at these levels of funding? For many organisations this is a challenge. The project pipeline does not exist – there is no ‘deal flow’ in investment terms – so there is nothing for the fundraiser to propose to her prospects. Sometimes, in large, complex organisations, you can see the projects but they are distant and hazy, and there are 30 layers of stakeholders between you, the fundraiser, and the project. You know it is going to take an age to cut through the jungle.

Even when you can see the projects, you need permission to use them. In some organisations this can take a long time. In others, it’s a race to own a project before another colleague grabs it to pitch to her favourite donor.

The Words

When you join an organisation as a new fundraiser, you have to learn that organisation’s language. Some of this is technical language – of the type you would use in a medical research organisation for example – and some of it is an adaptation to the language of your end-users or beneficiaries, as happens when you shift from talking about ‘people with disabilities’ to ‘people with different abilities.’

Your choice of words is sensitive, and more so when you are working with strategic donors because you will be working alongside the board and the director, both highly tuned to the right words. Eighteen months in, and I am still learning how to paraphrase the mix of culture, theatre, humour and hospitalised kids that typifies clowns in healthcare.

The Data

Too many organisations in Europe have too little data. We know so little about our donors. Yes, data protection and privacy are key issues, but your local supermarket knows more about you, your interests, your attitudes and your wealth than the biggest organisation that you donate to. Many organisations don’t know what jobs their donors do, what age they are, or anything about their family situation. Without this data we are working in the dark.

Compare this to the private banks, who are increasingly entering the HNWI and UHNWI area to offer philanthropic services. I spoke with the head of philanthropy at a leading private bank (50,000 clients, 500 account managers) a few weeks ago; he told me that because he can see the banking account details of his clients he knows exactly which charities they are giving to, and can work out which causes the client is interested in. He can offer philanthropic services (including channelling money via the bank’s own foundation) precisely tailored to that client’s needs.

Because they have too little data, many organisations have to focus on the tiny handful of prospects whom they know directly, via personal contacts. So instead of broadening their strategic donor programme to reach the hundreds of existing donors who have the money, they rely on the tiny inner circle.

That means lower productivity, a limited focus, and slow programme growth – because growth is organic, person-to-person.

Systems

Our systems don’t just slow us up, they can clog us up. A simple system problem – when, for example, the donor database does not talk to the accounts system, or where the two use a slightly different coding system – can mean that we have to manually re-enter data. Or it can mean that searches for a donor’s history are a headache.

Sometimes it is the thank-you system. I have worked with organisations that have an automated process for sending out thank-yous of the ‘Dear Sir/Madam Thank you for your gift of €xxxx [fill in number]…’ type. So Madame LaRiche, who has just sent you half a million, gets a ‘Dear Sir/Madam…’ letter and there is nothing you can do to stop it. It takes time to persuade the I.T. team to change their ways.

These are stupid niggles in the system. But they slow us down. Or more likely, catch us out just when we think we have a programme ready to go.

Leadership

You have produced the case, sharpened your elevator pitch, identified potential donors and built a workplan. But you need the leadership to be engaged if this is going to work. You need their buy-in because you want to work with them and their contacts, but also because you and they are going to have to take some tough decisions (this ALWAYS happens with strategic donor programmes); should we work with that potential donor? What do we do when a prospect offers us a lot of money…to do the project he wants, not the one we want?

“Bring in leadership from the start.” Yes, that is what the textbooks say. But making that happen in real, busy lives where people have a load of other priorities, takes time.

Reporting, and donor stewardship

This is going to happen after you win the new donations and partnerships. But you simply have to get this sorted out before you meet your first prospect. Bench-test the process with your colleagues so that you understand every potential glitch on the way. Your donors and partners want to see the numbers, the stories, the videos and the pictures of ‘their’ project. So if that information is going to be hard to collect because your field office is hard to reach, because you need special permission to use this or that photo, or because the impact report is still being compiled, then either find alternatives, or wait until the material is sorted out.

So that’s why it takes 18 months

Because you need to get all of this moving at the same time, involving players right across your organisation, from the chair of the board to the lab technician or assistant field worker. In amongst all of these threads of action is a critical path, the line you must follow in order to achieve your goal. But when you are new to the organisation, you simply cannot know where that path lies, nor where the potholes are that are going to slow you down. You have to learn, to listen, to find all this out. And that takes time.

Inside, not Outside

None of this is the market, or the culture of philanthropy – the reasons most commonly cited for the time it takes to get a programme to maturity. These are all internal reasons – stuff inside the organisation, combined with your own character traits, that limit your speed of action.

Faster?

Are there shortcuts? Could we be working faster? In hindsight, you can see that there are. But the problem is that you can’t get to the hindsight until you have put time behind you. Getting leadership onside early certainly speeds up the process, in part because it opens doors to stakeholders in technical, financial and communications departments. Quick work with the case – especially, building and testing case documents internally to get buy-in – is also a help. But neither of these routes is going to shave a lot off your timescale.

So I have learned to set expectations, right from the start. To say ‘eighteen months’ in the knowledge that that is how long it will probably take, but also in the hope that the break-through will come sooner.

Chris Carnie is the author of ‘How Philanthropy is Changing in Europe’, published by Policy Press.

Factary New Trust Update 2017 Review

Download free report here

According to the Association of Charitable Foundation’s (ACF) Foundation Giving Trends 2017 grant making by the Top 300 foundations reached a record high for the second year in a row in 2017, with giving totalling £2.9bn. 64% of this grant-making (£1.87bn) comes from personal and family philanthropy through foundations. The report also states that the top 50 corporate foundations gave grants totalling £269m – up 9% on the previous year. According to the report these top foundations account for around 90% of all foundation giving.

In addition, The Coutts Million Pound Donor Report 2017 shows that the total value of £1m+ donations in the UK was £1.83bn from 310 donations. Foundations continued to be the main source of donations of £1m or more, representing 55% of the overall value, and corporate donors significantly increased their giving – accounting for nearly a third of the overall value.

These statistics highlight the importance of keeping abreast of new sources of funding in the foundations market, particularly from High Net Worth families and corporates. That is where Factary’s New Trust Update can be a vital resource for fundraisers. With details on around 20 new grant-makers each month, including notes on the professional and philanthropic interests of the settlors and interview notes on the aims and objectives of the trusts and foundations, New Trust Update gives fundraisers a head start on building relationships with these new philanthropic vehicles.

Whilst there are on average around 100 new organisations registered with the Charity Commission each month that state they make grants to other organisations, in practice the vast majority of these are not what would be considered grant-making trusts or foundations. We scrutinise and carefully select the organisations that are featured in New Trust Update and as a result, our review of 2017 found that 1 in 5 of the trusts and foundations featured had been created by a settlor with an estimated wealth of £10m or more. The combined estimated wealth of these 48 philanthropists was in excess of £12bn. Our review also found that we included details of 38 newly created corporate foundations in 2017 with the companies involved having a combined turnover in excess of £4.25bn in the past financial year.

Our infographic report, available to download here, includes a range of useful analysis and statistics including the philanthropic areas of interest of the trusts and foundations featured throughout the year, the source of funds of the High Net Worth Individuals creating their own foundations and their geographical distribution. It also includes mini profiles on a handful of the most interesting and potentially major foundations and their settlors.

Subscriber numbers for New Trust Update are limited to maintain exclusivity of the information contained. If you would like to find out more then please contact Nicola Williams or call us on 0117 9166740.

New power, new conversations: the IFC report

The International Fundraising Congress is – I declare my interest as a volunteer – the world’s best fundraising conference. Each year in October around 1,000 people from over 60 countries gather in a conference centre just back from the beaches of the North Sea, west of Amsterdam. It’s a buzzing, active gathering of leaders, new thinkers, experts and innovators…and runs the best end-of-conference dance party I’ve ever attended.

This year’s theme was ‘A New Conversation’. It was about linking fundraisers with the social and environmental causes they promote, about activism and about participation.

Participation, and the ‘new power’ were the themes of Jeremy Heimans’ opening plenary. Jeremy, one of the founders of Avaaz, compared ‘new power’ with ‘old power’ using the tools he describes in a joint paper with Henry Timms, founder of Giving Tuesday. In his view, organisations must adapt to a world in which people want to move from consumers to shapers and designers of ideas, to crowdfunders and eventually to co-creators and co-owners of ideas and product. People want to participate. That participation may be short term – he described the short life of the Occupy movement – and it is certainly not loyal: people switch in and out of their membership of social media groups.

Old power is characterised by hoarding and controlling power, influence and ideas. We buy a car, a frozen pizza or a magazine, but have very little say, often no say at all, in what they contain or how they are produced; we are merely the consumers, buying the product, or not. When we don’t, the old power business rethinks the product and offers us a new one, until they produce the car/pizza/magazine that people are willing to purchase.

New power is, in Jeremy’s words, a ‘current’, like electricity or a fast-flowing stream. We can’t hoard it, but maybe we can channel it. It’s the fast-flowing current of knowledge that is filling the encyclopaedic sea of Wikipedia. It’s the brains behind Linux and open-source software. It’s the million people on the streets of Barcelona to protest police brutality, or the signatories on a campaign website.

Great, Jeremy, but how can we use this in major donor fundraising?

The clue came in another session at the conference. Led by Dr Max Martin, Global Head of Philanthropy at Lombard Odier bank in Geneva (and one of the most brilliant people working in philanthropy in Europe), the session was about innovations in finance for Social Purpose Organisations (SPOs). During the session we heard from the CEO of the Womanity Foundation about a cleverly designed funding model involving UBS Optimus and CIFF in which Optimus provide initial funding for an educational project, with CIFF paying the foundation back for each measureable outcome from the project. And from the International Red Cross and Red Crescent (ICRC) about the first Humanitarian Bond, a CHF26m bond issued by ICRC in conjunction with Lombard Odier and including, amongst others, Fundació LaCaixa, the formerly Catalan banking foundation.

Developing the bond was a long and arduous process for ICRC. But it started with a clever move; before they had gone any further than having the idea of a bond, ICRC involved the bank. That meant persuading board members of ICRC, a very venerable organisation, to sit down with bankers and work out what they wanted to do, and how they would do it. The donor – in this case the leading financier – was involved right from the start of the project.

And that’s the connection with Jeremy Heimans. Because although ICRC and Lombard Odier are both, most definitely, ‘old power’ organisations, this CHF26m project worked in part because ICRC gave up their power, opened up to a donor and shared the process of development with them. Together they came to a bigger, better solution than each player could have managed on their own.

So although crowdsourcing and ‘new power’ sound like the antithesis of the kinds of understated high-level philanthropy that result from our relationships with strategic donors, the same underlying force occurs in both; involve your donors, your investors and your stakeholders RIGHT FROM THE START. Share your power of project- and programme-creation with them, and you could win, big-time.

The road to GDPR for prospect research

We recently undertook a survey of prospect research teams in the UK to find out how they are coping with GDPR preparations. We’d like to thank each of the 95 respondents – your answers have given us a real sense of the current situation for the prospect research community as we all work towards May 2018.

We thought it might be useful to share some of the responses as we know that many prospect researchers are struggling with GDPR and it may help to know that you are not alone! That said, it’s not all doom and gloom out there, as the answers to the survey reflect, and there are many positives that we can take from the results.

First, the not-so-good news

Perhaps unsurprisingly, the overwhelming feeling from most of our respondents (77%) is that there is still a lack of clarity around GDPR – specifically around how prospect research can operate in a compliant fashion within the principles of GDPR.

There are also concerns with the practical aspects of GDPR preparation; over 34% of respondents would like more information on undertaking a privacy impact assessment and 38% of respondents are struggling with understanding how to integrate GDPR practices with their CRM system.

Frustratingly, almost 35% of prospect researchers reported that they have not been involved in the GDPR discussions at all in their organisations so they feel they have been unable to provide valuable input to the process.

Some of the other concerns highlighted by our survey are:

  • Misinformation or conflicting advice on GDPR issues is very confusing and unhelpful when it comes to planning
  • The lack of evidence that supports the need for prospect research which can be used to argue the case for continued prospect research with senior leadership
  • The difficulty of understanding and analysing donors’ reasonable expectations
  • The lack of support from leadership within organisations in preparing for GDPR, and the lack of communication between teams on this issue
  • The potential impact of GDPR on smaller organisations is worrying as they may not be able to fully prepare in time for May 2018 due to a lack of resources
  • PECR seems to be a particular concern for many, especially when it comes to consent for channels of communication and how this integrates with GDPR requirements
  • The overwhelming workload and resources required to prepare for GDPR

All that said, it wasn’t all bad news…

Readiness for GDPR

Whilst only 2% of respondents stated that they are ‘completely ready’ for GDPR, the vast majority of respondents, 91%, stated that, for prospect research at least, their organisations are ‘not quite ready, but getting there’. Only 4% of respondents felt that they are ‘not at all’ ready.

Consent or Legitimate Interest?

Most interesting to note from the results was that 54% of respondents stated that their organisation will be relying on legitimate interests as their basis to process data for prospect research purposes.

Only 3% noted that they will be relying on consent as their basis for processing whilst almost 35% of respondents stated their organisations were not yet to make a decision on this.

Privacy Notices

Only 16% of respondents felt that writing privacy notices / policies was an area of concern for their organisations – this is perhaps due in part to the specific guidance that does exist in this area.

Hearteningly, over 63% of organisations have updated their privacy notice to be GDPR compliant. Just over 26% have not yet done this, and 10% of respondents were not sure on the state of their organisation’s privacy notice.

Of the 63% which have updated their notice, over half (58%) have now uploaded this to their website. Only 14% have taken the step to post or email this updated notice to their supporters but this number will inevitably grow at a pace as we work towards May 2018.

Impact on prospect research activity

We also wanted to find out whether researchers have been able to continue providing prospect research services in recent months as the answer to this may help us to understand the likely long-term impact of the ICO fines and GDPR preparation.

The results below show the 5 main areas of prospect research activity and the % of respondents who stated they have either a) stopped doing this activity altogether, b) paused this activity whilst they prepare for GDPR, c) have continued to do this activity or, d) were unable to answer or didn’t do this activity in the first place.

Type of researchStoppedPausedContinuingD/K or N/A
Database (Wealth) Screening31%41%7%21%
Individual research/profiling4%21%68%7%
New prospects identification4%18%69%9%
Due diligence research1%3%78%18%
Network research4%13%57%25%

We have followed up specifically with those individuals who stated they have ‘stopped’ or ‘paused’ Database Screening to obtain more details on these decisions, and we will be able to provide more insight into this at our session with Prospecting for Gold at the RiF Conference on November 6th. For those unable to be at the conference we will follow up with a blog about this shortly afterwards.

For now, it is heartening to see that, aside from Screening, the majority of prospect research activities have continued, although some have fared better than others.

Due diligence in particular seems to have continued, with only 1% of respondents stopping this activity and 3% pausing it. Individual research (i.e. profiling), which was previously undertaken by over 92% of respondents, has stopped or paused in a quarter of organisations as GDPR preparation is undertaken.

Network research was highlighted in the open questions as a particular area of concern, with many unclear how to balance GDPR requirements with the need to identify relevant contacts of key supporters, although of the 50% of respondents who previously undertook this type of research, 86% are continuing to do so, so it is unclear how much this has been affected in reality.

It will be interesting to review the long-term consequences of organisations stopping or pausing these activities as we look in particular at major donor income in 2018 and beyond. Many respondents in the open questions highlighted their concerns that their particular organisations and institutions are losing opportunities to identify and engage potential supporters for fundraising during the process of preparing for GDPR.

The future

Whilst this is a worrying time, there was a view from many respondents that GDPR will ultimately have a positive impact on prospect research…in the end.

This is because despite being, as one respondent put it, “painful”, four of the main benefits highlighted were:

  • GDPR will help to promote prospect research within organisations and institutions (as one respondent put it, “We are no longer a dark art!”)
  • It will make prospect research more efficient and effective
  • The process will educate supporters, donors and the public in how non-profits operate/fundraise, which is a good and positive thing
  • The situation so far has shown researchers to be resilient – working hard and standing up for themselves and the sector

So, the future seems bright but, in the present, if you are one of the many researchers who would like more clarity on specific issues, we know that the IoF are working to produce some specific GDPR guidance for prospect research. We don’t yet know when this will be available, but it will hopefully provide some much needed insight into how we can better prepare for GDPR.

Whilst you wait for that, you may want to download our paper on legitimate interests and prospect research, as it signposts to other useful pieces of guidance and gives a basic overview of the GDPR situation.

If you’d like more details on the survey or would like to chat about prospect research and/or GDPR, please do get in touch with me.

Prospect Research and Legitimate Interests

Something quite remarkable happened a few weeks ago. I went to a conference on GDPR (the CASE Regulation and Compliance Conference) and, by the end of the day, I was actually feeling upbeat, hopeful and – even – vaguely excited about the future of prospect research. This was not at all how I was expecting to feel after a GDPR conference, based on the countless other GDPR conferences and events that I have attended over the past 18 months which have mostly left me feeling a mixture of despondency and frustration.

So, why the sudden shift? Well, a few things. Firstly, the brilliant presentations were, for the first time, practical, focusing on what people are working on and achieving as they build towards compliancy for GDPR. To be at a GDPR event which was about positive action in regards to things like privacy notices or data analysis, and not just about all the things we can’t or mustn’t do, felt like progress.

Secondly, there was a real focus on analysing the ‘legitimate interest’ condition for processing data for prospect research. This is a huge step forwards. For too long now ‘legitimate interest’ has been viewed as a second-best option, a condition for processing that non-profits can maybe use, which is kind of OK, but probably just not quite as good or as ‘safe’ as consent. Obviously, this is due in no small part to the Regulator and ICO’s view that non-profits should probably get consent for wealth screening (by which they seem to imply most forms of prospect research). Alongside this, as Adrian Salmon’s recent blogpost highlights, one of the problems of principles’ based regulation is that, whilst it should encourage flexibility, it tends to lead to a “very conservative compliance mind-set”. So, it was great to see the all the relevant conditions for processing being analysed in an informed and practical way at the conference.

And lastly, many Higher Education Institutions (HEIs) are actively choosing legitimate interests (after careful analysis) as their condition for processing data for prospect research. This is another good, positive step.

All that said…

There is still confusion and misinformation. In the past two weeks alone I have received a number of emails from researchers who are still asking if wealth screening is illegal or if they need to get consent from all their donors before doing research. I also speak to many organisations that have suspended some or all forms of prospect research whilst they try to work out their next steps. Occasionally, I speak to smaller charities who have no idea that any of this is even happening.

So, despite great advances in the HE sector and with some charities, it is clear that there is still a long way to go for prospect research before we reach May 2018, when GDPR becomes law.

The main aspect which seems to be paralysing many organisations is the question of whether to rely on consent or legitimate interests as the condition for processing for prospect research. Many researchers have been tasked with coming up with a plan for assessing this and making recommendations, which is a tall order. Much has already been written about consent (see, for example, The Fundraising Regulator’s Guidance on Consent) and we thought, therefore, that it might be useful to add some thoughts around legitimate interests, specifically in relation to prospect research.

Please click here to download our paper on this, which is a meander around the topic (you’ll be asked to subcribe to Factary Updates, so you’ll receive other reports and updates like this in the future). We hope the report is useful. Please do come back to us with any questions or comments. Also, remember that we are not data protection lawyers, so don’t make any decisions based solely on the information we provide!

Professionals, in Fundraising

The team at the University of Barcelona Postgraduate Certificate in Fundraising – on which I teach – have produced a new video promoting the profession of fundraiser and, yes, our course.

If you have friends or colleagues in Spain or Catalonia, pass them the link!

It ends with Google

On Tuesday I spent the morning at the Ship2B Foundation in Barcelona. Ship2B brings together social change organisations – charities and social enterprises – with grant-making foundations, companies, family offices and venture philanthropists. The social change organisations work on themes in ‘Laboratories’ where the foundations, companies and philanthropists provide advice, contacts and money to accelerate their growth, to ‘scale.’

I sat in on a presentation by the Water4Life lab group. Here were a range of projects on water use and water management. One project was using data from Aigües de Barcelona, the Barcelona water utility, to pinpoint areas of poverty in the city based on how much water each household was using. The project was analysing mass data gathered for one purpose (water supply bills) and using it for another (mapping and understanding poverty).

Which led me to think about the Information Commissioner’s current focus on public domain information collected for one purpose, being used for another.

The ICO have told charities that “publicly available data…is not fair game.” It is not enough to claim that you have a “legitimate interest” in using data from public registers such as Companies House, and news and press reports; you “must balance this against the prejudice to the rights and freedoms of individuals.”

The team at Factary is working hard to ensure we are fully compliant with this new emphasis from the ICO. So this week we contacted one of our suppliers to check that their data was fully compliant. They told us that “…in light of the new GDPR legislation we are currently in discussions…” with suppliers. This is a leading data house that provides data drawn from Companies House. Their end supplier is Companies House.

The Supply Chain

Factary – and any prospect researcher who uses UK companies information from one of the large data houses – is in a supply chain that starts at Companies House. At some point, someone is going to knock on the door of Companies House and ask “are you compliant?”

Before they made their data freely available to anyone, Companies House earned £8.7m in a year, selling it to data users. I have been registered at Companies House as a director since 1990. I have never, ever, had a letter from them asking me if it’s OK to publish my name and address in their register, and then to sell that data on to the big data houses.

I was never asked, because Companies House had a duty in law to gather my personal information and publish it. They turned my private information into public information. They promoted my private information “to power a great range of products” and to encourage “even more people to explore and use [the] data.”

Companies House represents the contradictions at the heart of the legislation that ICO is forced to apply. Data from Companies House that we all believed to be publicly available, and in which we all had a legitimate interest, is no longer “fair game.”

So who is the biggest supplier of publicly available data?

Google, of course.

A Little Light Googling

Every day, millions of people in Britain type the name of a person – a celebrity, a footballer, a friend, a company owner – into Google. Google returns thousands or millions of results; “Theresa May” returns 24 million publicly available results this morning, ranging from press reports to biographic reference sites.

I did not ask the Prime Minister if I might check her name in Google. I am certainly prejudicing her right to privacy by putting her name into Google, because thanks to Google I can see all sorts of scurrilous, unrepeatable stuff about our glorious leader.

Google is a massive re-purposer of publicly available data. Data gathered for one purpose (selling newspapers, or adverts in scurrilous blogs) is re-purposed every single day by Google on behalf of its millions of users.

This is where the contradictions in UK privacy legislation are crystallised. This is where the ICO is heading in its search for the right balance between legitimate interest and the rights and freedoms of individuals.

I want to be a fly on the wall when the ICO knock on the door of number 6, Pancras Square, London N1, the UK headquarters of Google. That battle – between the ICO and Google – will be one to watch.

5 Questions to Ask the ICO

The Information Commissioner, the Fundraising Regulator and the Charity Commission are due to meet fundraisers in Manchester tomorrow, on Tuesday 21st February, for the Fundraising and Regulatory Compliance Conference. The ICO have produced a conference paper for delegates to read prior to 21st, which can be accessed here.

The paper, amongst other things, sets out the ICO’s view of data protection in relation to Database Screening and, it seems, prospect research – although, whilst it mentions ‘Screening’ specifically, the paper rather ambiguously only refers to other [research] “…activities such as profiling individuals”. We do need to get some clarification on what they mean by this but, from the context, it does appear to refer to researching donors and supporters using public domain sources and/or using information not supplied directly by the data subject (so, prospect research).

The paper initially outlines why an organisation should use a privacy policy to explain how they make use of data. It then explains the ‘legitimate interests’ condition in relation to the DPA. In this sense, the paper is useful in outlining that charities need to be honest and fair in their processing of data. This is something that cannot and should not be argued with. As we have said before (e.g. here and here), all charities must make sure they have robust, fair and easily accessible privacy policies which openly explain how they collect, store, use and process data.

The conference paper outlines situations in which such a policy must be communicated to a supporter, some ways this can be done, and even when it is not necessary / practical to do so. This is all useful and welcome information. We now hope that perhaps the Fundraising Regulator will issue some sample privacy policies at the conference on Tuesday that provide examples of the language that charities can use to comply with fair processing of data for fundraising.

However, the paper then states that it is ‘highly unlikely’ that charities will be able to rely on legitimate interests as a condition to process data for Database Screening – specifically using third party providers or involving any personal data not supplied by the data subject – or for ‘profiling individuals’. Instead these activities will require explicit consent from data subjects. This is because, the ICO states, these activities are a) not ‘compatible’ with processing data collected from a donor at the point of donation and b) not within the ‘reasonable expectations’ of a donor.

Please read the conference paper. Think about how it will affect you and your work and highlight any areas you feel are not clear. The conference on 21st February is a very important event and the questions we ask (and the answers we receive) about this paper are likely to have a long-term effect on fundraising and research. If you are not going to be at the conference on Tuesday, you can pass any questions that you may have about it directly to the ICO (send them to events@ico.org.uk and ask for them to be forwarded to the relevant dept).

Below are 5 of the questions we would like to ask, now that we have read the paper:

  1. The ICO say in its paper for this conference that individuals are “highly unlikely to expect” certain types of data processing. In the ICO’s press release announcing the British Heart Foundation and RSPCA monetary penalties they are quoted as saying “millions of people who give their time and money to benefit good causes will be saddened…” to know that charities would ask them for more money.
    1. Does the ICO have evidence that shows what donors expect?
    2. There is, in fact, strong evidence to support the fact that processing of personal data for research is within the reasonable expectations of many donors; a recent study concluded that 78% of donors said that better research before they are approached by a non-profit is the most significant area of improvement in fundraising in the past 10 years. Therefore, if fair processing is adhered to and prospect research is within the reasonable expectations of donors, then can the ICO confirm that charities can rely on legitimate interests to undertake this type of activity?
    3. Sources
      1. ICO, Fundraising and regulatory compliance, 21st February 2017
      2. ICO investigation reveals how charities have been exploiting supporters, 16th December 2016
      3. Breeze & Lloyd, (2013); Why Rich People Give. London, DSC.
  2. Tesco’s Privacy Policy, which customers using its loyalty card must accept, says: “We may also use personal data from other sources, such as specialist companies that supply information, online media channels (online media channels include websites, social media sites, pay TV providers and any other channels that become available to us), our Retail Partners and public registers (for example, the electoral roll)”. They state that they do this in order to provide a better service and experience to their customers.
    1. If a charity used this same statement in its privacy policy, could charities use the public and private domain sources listed by Tesco in research so as to provide a better service and experience to donors?
    2. If not, why not?
    3. Source: Tesco Privacy and Cookie Policy
  3. The paper for the conference says: “It’s legitimate for you to process personal data in order to properly administer donations received from individuals”. The paper suggests throughout, as highlighted above, that “administering donations” is the only purpose for which a charity would use data collected at the point of donation or at the point a supporter joins a charity database. It suggests, therefore, that fundraising (including the market research necessary for raising funds) is not a compatible purpose for processing donation information.
    1. Is it?
    2. If not, why can, for example, Tesco use transaction information for more than simply administering a transaction (see their privacy policy linked above)?
    3. As charities rely on fundraising to carry out their work, is it not within their legitimate interests to use data collected from supporters for fundraising purposes, providing that fair processing and the rules of PECR, the MPS/TPS/FPS etc. are all adhered to?
  4. Here is a common story: a charity Board member meets an individual at, say, a cocktail party. The Board member comes back to the charity fundraiser with the individual’s name and says “X is interested in what we do. And he is wealthy.” The ICO says in its paper for this conference: “Far more intrusive are activities such as profiling individuals, particularly where this involves getting more information that the individual has not given you, either directly or via third-party companies. In these cases the legitimate interest condition is highly unlikely to apply. So you’d need to seek the consent of individuals before doing such processing.”
    1. The X named by our Board member is not a donor. We have no permissions or opt-ins or opt-outs. Can we look him up on Google or LinkedIn or Companies House without his permission?
  5. The Charity Commission imposes a duty to check on donors and potential donors. The Charity Commission recommends that trustees understand their donors and asks: “Have any public concerns been raised about the donors or their activities?” The Commission suggests that “full use should be made of internet websites” to check on donors. This is directly contrary to the ICO guidance which would not permit the use of public domain information until the donor has signed up to our privacy policy.
    1. Given that we want to research a potential donor before she does this, whose guidance should we follow – that of the ICO or that of the Charity Commission?
    2. Source: Charity Commission for England and Wales, Tool 6: Know Your Donor – Key Questions

These are just some of the questions we feel require clarification from the ICO and we’ll be submitting these prior to the event. We will also be attending the event on Tuesday and we’ll report back on what happened as soon as possible afterwards through this blog.

Please also keep an eye on Factary’s Twitter feed during the day as we will attempt, where possible, to Tweet any significant points or answers to any questions raised during the conference.