The Institute of Fundraising has said draft guidance on the General Data Protection Regulation, published by the Information Commissioner’s Office, needs to be clearer and less fragmented if it is to help charities prepare for the new legislation.
The IoF also warned that charities might not have enough time to prepare between the publication of the final version of the guidance and the implementation of the GDPR, more stringent data protection rules that are due to come into force in May 2018. It called for a transition period to be introduced.
The ICO published draft guidance that focuses on consent under the GDPR, and opened it up to consultation throughout March.
In its response to the consultation, published on its website, the IoF said that although the guidance was written in an accessible style and had "the right tone", areas of the guidance needed further explanation and detail.
The GDPR will require all organisations, including charities, to be able to show that they have people’s explicit consent before they send them direct marketing or process their data. However, they may also process some data where they can show they have a "legitimate interest" to do so.
But the IoF called for the guidance to contain a more detailed explanation of when an organisation can be seen to have a legitimate interest.
"We believe that the consent guidance, particularly in relation to direct marketing purposes, must be more strongly and explicitly joined up with other legal conditions for processing personal data, and have more practical and illustrative examples," the IoF response said.
"While it is useful to include links to other documents and resources, we are concerned that this creates a fragmented approach, which could lead to people understanding one strand of the GDPR rather than the whole."
Placing all the different conditions for data processing in one place, the response said, would allow charities to understand each different lawful basis and put in place appropriate plans to deliver the best experience for individual donors.
It also called for more illustrative examples of "opt-in" and "opt-out" mechanisms that would be acceptable under the GDPR.
The response pointed out that the final version of the guidance was likely to be published less than a year before the GDPR became effective, saying it did not believe that this would give organisations enough time to implement the requirements. It said there should be a transition process that allowed adequate time for charities to comply because they could make mistakes in the implementation if they were rushed.
It also called for more charity-sector specific guidance, saying it appreciated that the ICO regulated all sectors but, because the nature of fundraising was fundamentally different from a commercial transaction bound by a contract, it required more tailored advice.
In a statement accompanying the response, Daniel Fluskey, head of policy and research at the IoF, said: "It is welcome and important that the ICO is consulting on its guidance around consent and the GDPR. Charities want to make sure they get this right and need clear guidance to be able to implement the legal requirements and give supporters the best experience of fundraising.
"The standard for consent is raised under the GDPR, and we think that the guidance could be clearer and more helpful for charities in certain areas."