DMA provides GDPR advice for charities

According to an article by Civil Society (15th May) The Direct Marketing Association has said that focusing purely on a fully opted-in consent model for fundraising is “not totally necessary” under GDPR, as it is only one of six legal grounds on which personal data can be processed.

Speaking at the Institute of Fundraising Technology Conference John Mitchison, head of preference services, compliance and legal at the Direct Marketing Association, said it was “not totally necessary” for charities to focus purely on consent in order to process data under the new General Data Protection Regulation.

Mitchison said he had spoken to a number of charities who “feel that they are being pressured to go down this fully consent road”, but pointed out that consent is only one of six legal grounds on which personal data can be processed under GDPR, and that “no one is any better than the other”.

"So if you choose the consent route and you only want to deal with people who have expressly opted in to receiving marketing material from you, that’s fine but it is no better legally than if you choose to do it by legitimate interest and use an opt-out method of communicating with people.

“You may have a significant part of your database for which you’ve never really bothered to collect consent and maybe you only deal with them on a direct mail basis, and you may want to just continue doing that and that’s perfectly fine to do under the basis of legitimate interest.”

Mitchison however warned that processing data under legitimate interest was not “a get out of jail free card” which could be used to “mail anybody”. He said that organisations wishing to process data based on legitimate interest must “make sure that the legitimate interest of your organisations is balanced against the rights of the consumer; that it’s reasonable and you provide an unsubscribe option so the person can stop whenever they want to”.

He said organisations currently relying on consent to legally process personal data would need to go through a "recommissioning process, as your current consent is almost certainly not going to be valid" after GDPR comes into force in May 2018. 

Mitchison also spoke about the recent series of fines issued by the Information Commissioner’s Office to 13 charities for various data protection breaches, including some third-party data profiling and wealth screening.

He said the problem with this was “nobody can really define what profiling is. The ICO has yet to announce when it will publish its guidance on data profiling under GDPR, but Mitchsion said:“What we at the DMA expect is that profiling will be judged on a spectrum, with the use of plain data for segmentation and basic selections at one end and the more intrusive activities – like scraping a person’s Facebook page to append further data – at the other end, due to it being obviously more intrusive”.

(Excerpts taken from Civil Society 15th May)