February 3, 2017
There has been some discussion recently that rightly points out that Direct Marketing is an activity that is categorised as ‘legitimate interest’ for a charity within the General Data Protection Regulation (GDPR) and that charities, therefore, do not need to seek explicit consent. That is true, but there is not just one BUT, but several BIG BUTS (please excuse the poor English).
- You need a legal basis for collecting, storing, and using personal data.
Yes, it is a legitimate interest, once you have obtained the personal data legally, i.e. the individuals need to have given you consent to store and process their data in the first place. Under GDPR, it is up to the charity to prove that this consent has been granted.
- Privacy and Electronic Communications Regulations (PECR) prevent charities from using soft opt-in for electronic (email, SMS, and phone) direct marketing.
In the above link, the ICO describes soft opt-in as follows: “The term ‘soft opt-in’ is sometimes used to describe the rule about existing customers. The idea is that if an individual bought something from you recently, gave you their details, and did not opt out of marketing messages, they are probably happy to receive marketing from you about similar products or services even if they haven’t specifically consented.”
Great for commercial companies, but not so for charities. Also quoted from the ICO page above: “It also does not apply to non-commercial promotions (eg charity fundraising or political campaigning).” In other words, you have to seek consent to communicate with donors, even if they have donated to you. The act of donating alone is not sufficient to act as consent to allow you to direct market to them in future campaigns.
- Surely, GDPR will make PECR redundant?
Unfortunately, no. In January 2017, the European Commission announced its plan to update the e-privacy regulation (the EU version of the regulation that PECR is based on) and for the updates to come into effect by 25th May 2018, the same date as GDPR. It has been confirmed that electronic communications will still form a strong part of the new e-privacy regulation.
In summary, you still need to have consent to store someone’s data and consent to include that person in digital direct marketing. There are various forms this consent could take (including an opt-in check-box), and finding the right solution for your charity requires some thought and analysis.
How seriously you take GDPR and PECR will depend on how risk-averse you are, but it’s important that you have all the facts before you make that decision.
Contact [email protected] for details on how Graham-Pelton can help you through to GDPR and PECR to ensure you remain in contact with your supporters, inform your supporters, and achieve the best fundraising results possible.
— Christian Propper, Senior Consultant