The Institute of Fundraising has called for clarity on how donor profiling by charities will be treated under the General Data Protection Regulation.
The Information Commissioner’s Office published a consultation in April on how the new EU rules, due to come into force in May 2018, will affect the practice of automated profiling, where information on a person is gathered and analysed by computer programs to establish whether they would be interested in or eligible for certain products.
In the private sector, profiling that involves automated processing can have detrimental effects on the people who are analysed: for example, if they are turned down for a loan or rejected for a job, a discussion paper accompanying the consultation says.
But the IoF response to the consultation says this automated decision processing is relatively rare in charities and more explanation is required to cover decisions that involve some human interaction.
According to the ICO discussion paper, the GDPR introduces new obligations for data controllers to be more transparent about how and when profiling is happening and gives data subjects greater individual control.
But the paper acknowledges that, although the focus of the GDPR is on automated processing, it does not solely mention automated processing and "it is debatable therefore whether ‘automated processing’ means purely automated, or whether human involvement at any stage takes the processing out of the definition".
The IoF response, published on its website, says the vast majority of charities use publicly available data to carry out profiling to help identify new potential donors and to ensure their communications with existing supporters are appropriately tailored.
"This inevitably has to involve individuals who make decisions, rather than automated processes," the response says.
"As such, we believe that there is a manifest difference in the GDPR definition of ‘automated processing’ compared to the profiling activities that charities undertake and we need clarity as to how the GDPR applies to this activity."
As with other forms of data processing under the GDPR, data processors will need a legal basis for profiling: either the data subject has to "opt in" to the processing, or the processor has to prove it has a legitimate interest in using the data, which can include marketing.
The discussion paper warns, however, that data processors "must be able to demonstrate that the profiling is necessary to achieve that purpose, rather than simply useful" and any profiling they carry out must not be discriminatory or have an unjustified impact on individuals’ lives.
The IoF response argues that profiling in fundraising is unlikely to be discriminatory and is necessary to allow charities to find donors and fulfil their objectives.
"It is hard to see how being approached to give a donation can have an unjustified or significant impact on an individual’s rights," the response says.
"As such, we believe that the majority of profiling activity should be counted as valid under the legitimate interests basis for processing data."
In December 2016 and April 2017, the ICO fined a total of 13 charities under the existing Data Protection Act for offences that included wealth-screening, a form of profiling that assesses how much money someone has and how likely they are to donate.
The charities had not processed data fairly as required by the act, the ICO ruled, because they had failed to make it clear to data subjects – through privacy notices, for example – that their information would be used in this way.
The IoF’s response says charities would ensure profiling was fair and information about the practice "would be very likely to be included in privacy statements, which will be easily available and with clear information on how an individual can object".