Charities and other organisations will need to refresh consent on any data that does not comply with the forthcoming General Data Protection Regulation, the Information Commissioner’s Office has said.
The ICO is seeking views on its draft guidance, published yesterday, which focuses on consent under the GDPR. The regulation is due to come into force on 25 May next year.
The draft guidance is the first piece of detailed, topic-specific guidance on elements of the GDPR to be published by the ICO. A second piece of guidance on contracts and liability is expected in the next few months.
The GDPR will supersede the Data Protection Act 1998 and has more stringent requirements. It will apply to all organisations that process personal data, including charitable bodies. All fundraisers will have to be able to show that all recipients of direct marketing have explicitly consented to receiving materials by actively opting in.
The draft consent guidance says charities and other bodies processing data will not be automatically required to go back to the people whose data they hold and seek fresh consent under GDPR, providing the existing consent was given in line with the GDPR’s requirements.
It urges organisations to check their processes and records in detail and to ensure consent is properly documented.
"If existing DPA consents don’t meet the GDPR’s high standards or are poorly documented, you will need to seek fresh GDPR compliant consent, identify a different lawful basis for your processing (and ensure continued processing is fair), or stop the processing," the guidance says.
Charities and other organisations will also be required to name any third parties that will be relying on the person’s consent to use the data. Even precisely defined categories of organisation will not be acceptable under GDPR, the guidance says, so charities will not be able simply to say they planned to pass the data to fundraising partners or other animal welfare charities, for example.
Consent requests will need to be prominent and separate from any other information, such as general terms and conditions, and will have to detail each separate process the charity would like to use the data for, giving the person the chance to opt in to each one individually.
The GDPR says people have the right to withdraw consent at any time and the ICO guidance advises organisations to include details of how to do so when they collect the consent.
The guidance warns that if charities seek consent but process the information even if the person said no – for example, under the "legitimate interests" clause of the GDPR – asking for consent would be misleading and inherently unfair.
Failure to comply with the GDPR once it comes into force could mean "a fine of up to €20m [about £17.3m], or 4 per cent of your total worldwide annual turnover, whichever is higher", the guidance says.
In a blog post announcing the consultation, Jo Pedder, interim head of policy and engagement at the ICO, said the ICO planned to issue a call for evidence later in the year to get a better sense of what technical solutions were available or were being developed for obtaining and managing consent.
The consultation will run until 31 March and the final version of the guidance is expected to be published in May, although Pedder said this timescale might be affected by developments at the European level.