This is understandable; if you send campaigning, fundraising or awareness raising materials (i.e. send Direct Marketing) to donors, supporters or volunteers via electronic channels you need their consent.
But the desire to do something now should not mean starting a “consent project” without clearly understood or defined aims.
This Insight provides a summary of our Subscriber Briefing Paper on the key considerations when framing your consent project.
(1) Who are you looking to engage with?
Is the project looking at how you will collect personal information for new people in the future, or how you can legitimately continue to use the personal information you already hold on existing people?
(2) Do you need consent – or can you rely on legitimate interests?
If you are sending Direct Marketing via post, you have a choice: you could seek consent, or you could continue to rely on your legitimate interests.
If you are using the personal data for other purposes, such as administration of a payment, you should be able to rely on some other basis to justify your collection and use of the information.
If you are sending Direct Marketing via electronic channels you need consent. And if you need to rely on consent, three questions then follow.
(a) Can you rely on the consent you currently hold?
The GDPR highlights that consent held at the time the GDPR becomes law in May 2018 will remain valid, but only if (i) it already meets the existing standard of consent defined in the Directive; and
(ii) the manner in which the consent was previously collected was in line with the conditions outlined in the GDPR.
If you have any doubt whether the standard of consent meets the current Directive requirements, you should seek updated consent to ensure you have GDPR-ready consent.
(b) Can you just contact everyone to seek their updated consent?
It depends what channel you are looking to use. You can contact people via post – if you think the legitimate interests balance is in your favour.
But just because you hold their email address, SMS or phone number does not mean you can automatically contact them using these electronic channels in order to seek updated consent.
You need to already hold some degree of consent in order to make such an administrative communication.
So before contacting people, you should assess the standard of consent you currently hold – in order to identify methods (channels) you believe you can use to make an administrative communications which asks them to update their consent.
(c) How should you seek updated, GDPR-ready consent?
The Fundraising Regulator’s guidance, at Section B4, contains a section on “Consent – ways for individuals to express consent.” This reflects the ICO’s current consultation on GDPR consent – which includes a section on “What methods can be used to obtain consent” This notes:
“Clear affirmative action means someone must take deliberate action to opt in, even if this is not expressed as an opt-in box. For example, other affirmative opt-in methods might include signing a consent statement, oral confirmation, a binary choice presented with equal prominence, or switching technical settings away from the default."
“The key point is that all consent must be opt-in consent – there is no such thing as ‘opt-out consent’. Failure to opt out is not consent. You may not rely on silence, inactivity, default settings, pre-ticked boxes or your general terms and conditions, or seek to take advantage of inertia, inattention or default bias in any other way."
“The GDPR does not specifically ban opt-out boxes but they are essentially the same as pre-ticked boxes, which are banned. Both methods bundle up consent with other matters by default, and then rely on inactivity. The usual reason for using opt-out boxes is to get more people to consent by taking advantage of inaction – but this is a clear warning sign of a problem with the quality of the consent.”
(3) Are you actually just wanting to inform people?
Seeking consent can often get confused with being transparent, because the fair processing/privacy notice (the text you provide at the point you collect the personal information) is also typically the method used to obtain consent (i.e. it is where you ask the person to agree).
However, being transparent and seeking consent are different things: regardless of whether you are seeking consent, you have to be transparent; you have to be clear about what you wish to use the personal information for, as well as providing any other information required to ensure that the collection and subsequent use of their personal information is fair.
There may therefore be a need to inform existing donors, supporter and/or volunteers about your past and current use of their personal information – especially in cases where you think there might be a risk of them being unclear (or unaware) of how you are using their personal information.
(4) Are you actually (or also) wanting to seek clarity over what you can use their personal information for?
Many fair processing/privacy notices often fall into one of two camps. They either (a) lacked clarity on what personal information will actually be used for, or (b) they were very precise, resulting in the personal data being sat in a silo.
The consent project could therefore be used as a trigger to define more clearly the purposes you wish to use data for, and to then outline these proposes to your current donors, supports and volunteers – so that they can clarify precisely what they actually want to receive from you.
Protecture’s Fundraiser Focus + subscription service provides you with the tools required to continue generating income, campaigning and raising awareness in these times of unprecedented scrutiny, change and opportunity.