B2: Fundraising in an age of GDPR
1. FUNDRAISING IN AN AGE OF GDPR
SPEAKERS
DANIEL FLUSKEY, HEAD OF POLICY AND RESEARCH, INSTITUTE OF FUNDRAISING
GERALD OPPENHEIM, HEAD OF POLICY AND COMMUNICATIONS, FUNDRAISING REGULATOR
2. Fundraising in an age of GDPR
Gerald Oppenheim,
Head of Policy and Communications, Fundraising Regulator
NCVO Conference
16 April 2018
3. In brief
• GDPR comes into effect on 25th May 2018
• Government legislating to ensure GDPR passes into law before UK leaves European Union
• New rules strengthen the rights of individuals over their personal data
• Charities must:
  - Show they have a lawful basis to process personal data
  - Recognise and act on the rights of individuals under GDPR
  - Have adequate decision-making, monitoring and reporting processes in the organisation
4. What is personal data?
Information/data which relate to a living individual who can be identified directly or indirectly by reference to:
a) an identifier such as a name, an identification number, location data or an online identifier, or
b) one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of the individual.
5. The 6 lawful bases for processing someone’s personal data: consent and legitimate interest
• Consent: You can evidence a positive indication from the individual to say they are happy for you to use their data in a particular way.
• A public task: if you need to process personal data to carry out your official functions or a task in the public interest – and you have a legal basis for the processing under UK law – you can.
• A contract with the individual: e.g. to supply goods or services they requested, or fulfil your obligations under an employment contract.
• Legitimate interests: you can process personal data without consent if you have a genuine and legitimate reason (including direct marketing), unless this is overridden by the individual’s rights and interests.
• Compliance with a legal obligation: if you are required by UK or EU law to process the data for a particular purpose, you can.
• Vital interests: you can process personal data if it’s necessary to protect someone’s life. This could be the life of the data subject or someone else.
6. Consent: a “freely given, specific, informed and unambiguous indication of the individual’s wishes”
Consent must:
• Be given through a clear affirmative action from the individual.
• Give granular options to consent separately to different types of processing (you may combine some of your processing purposes if you can show they are sufficiently similar).
• Be separate from other terms and conditions and not be a precondition of signing up to a service (unless necessary for that service).
• Name the organisation and any third parties which will be relying on the consent.
• Inform individuals about their right to remove consent at any time and offer easy ways to opt out in subsequent communications.
• Be recorded in a format which enables the organisation to evidence who consented, when they consented, how they consented, and what they were told.
• Be kept under review, and refreshed if anything changes.
7. Legitimate interest
Where legitimate interest is your basis for processing, you need to:
• Conduct a legitimate interest assessment:
  - Purpose test: are you pursuing a legitimate interest?
  - Necessity test: is the processing necessary for that purpose?
  - Balancing test: do the individual’s interests override the legitimate interest?
• Let the individual concerned know that you are processing their data and for what purpose (usually through a privacy notice).
• Offer them the opportunity to opt out if they wish to do so.
• Keep it under review and repeat the legitimate interest assessment if anything changes.
8. When is each appropriate?
Consent is likely to be most appropriate where:
• you can offer people genuine choice and control over how you use their data, and want to build their trust and engagement
Legitimate Interest is likely to be most appropriate where:
• you use people’s data in ways they would reasonably expect and which have a minimal privacy impact.
9. Updating data protection in the Code of Fundraising Practice
• Following consultation (Oct – Dec 2017), we have:
  - made the rules on data protection more accessible
  - ensured consistent terminology between Code & GDPR
  - removed or replaced Code where inconsistent with GDPR
  - added and expanded definitions for key terms
  - increased signposting to existing ICO and FR guidance
• Published in February (comes into effect May 2018)
10. Data protection: next steps
A few caveats…
• Awaiting Data Protection Bill and in 2019 or 2020 PECR changes in the E-Privacy draft directive.
• Further ICO guidance expected on use of legitimate interest and consent.
However…
• ICO advice to charities is to get ready as draft guidance will not change much.
• ICO have reviewed the revised Code and support it. Caveats are flagged where applicable.
• Working with IoF, NCVO, charities and third parties on compliance issues.
• Close relationship with ICO, Charity Commission, other regulators
11. Guidance on GDPR
February 2017: Personal Information & Fundraising - guidance and toolkit
• Developed with Protecture – data protection advisers.
• Defining a Direct Marketing approach under GDPR.
October 2017: GDPR resource library
• Compiles key guidance and resources from a range of bodies.
February 2018: Guidance with Institute of Fundraising
• New 6 part "bitesize" GDPR guidance for fundraisers.
• Identifies ways that personal data is used in 4
fundraising methods (community, trust, corporate
and legacy fundraising).
• Addresses key GDPR questions received from charities.
12. GDPR in summary – no reason to panic…
• Ongoing journey rather than a race ending on 25 May.
• No surprises - much of the GDPR builds on existing DPA 1998.
• Bigger fines possible for non-compliance, but ICO will use those powers “proportionately and judiciously” and “as a last resort”.
• Lots of guidance and support out there.
• “Those who self-report, who engage with us to resolve issues and who can demonstrate effective accountability arrangements can expect this to be taken into account when we consider any regulatory action.” (Information Commissioner)
14. Excellent fundraising for a better world
Fundraising in an age of GDPR
Daniel Fluskey
Head of Policy and External Affairs
15. [Diagram] GDPR:
• Rules and compliance
• Culture and best practice
• Governance and leadership
• Donors and supporters
16. Trying to answer three questions at the same time
• How do charities make sure they’re properly following data protection law (GDPR and PECR)?
• Should charities be held to the same standards as businesses and other sectors, or should they be held to different/higher standards?
• How SHOULD charities be fundraising in a way that raises money, improves the experience for supporters & the public, and brings long-term sustainability?
17. Trying to answer three questions at the same time
• How do charities make sure they’re properly following data protection law (GDPR and PECR)? LEGAL COMPLIANCE
• Should charities be held to the same standards as businesses and other sectors, or should they be held to different/higher standards? FUNDRAISING REGULATION
• How SHOULD charities be fundraising in a way that raises money, improves the experience for supporters & the public, and brings long-term sustainability? EXCELLENT FUNDRAISING
18. [Diagram]
• Legal requirements
• Charity’s values/ethical approach/excellence
• Code of Fundraising Practice
21. Opt in or opt out? (consent or legitimate interest?)
1. First off, check the rules and review the guidance.
  - Consent is required for email and SMS.
  - Consent or legitimate interest can be used for post or telephone (non-TPS).
  - Do you know what each requires and how to do them fairly and lawfully?
2. Understand your options, scenario plan, budget and assess
  - Should be a strategic and informed decision – not just fundraising
  - Decide what’s right for your charity – a fully ‘opt in’ approach might not be best for all
3. Whichever way you go, make sure you do it right!
  - And don’t just think about it as a ‘compliance’ question, what’s going to raise you money and give supporters a great experience?
22. What the rules can’t tell you…
• How often to contact a supporter?
• Whether to use consent or legitimate interest? (for non-electronic
marketing!)
• How long to keep donor records for?
• How long does consent or your legitimate interest last?
• The exact wording to use in your privacy policy and in fundraising
communications
23. Five things to think about – for organisations
1. Accountability and governance. Not enough to ‘be compliant’. Need to be
able to demonstrate that you are. How are you going to do that?
2. Make the right decisions for your charity (consent or legitimate interest?)
3. How will you be talking to supporters, providing information and giving them
choices? (in a way that sounds human and engaging!)
4. Getting a joined up approach across your organisation – not just a fundraising
issue!
5. However much guidance is out there – some things are up to YOU