'Charities should not feel pressured into opt-in model under GDPR', says DMA

15 May 2017 News

John Mitchison, head of preference services, compliance and legal at the Direct Marketing Association

The Direct Marketing Association has said that focusing purely on a fully opted-in consent model for fundraising is “not totally necessary” under GDPR, as it is only one of six legal grounds on which personal data can be processed.

Speaking at the Institute of Fundraising Technology Conference in London on Friday, John Mitchison, head of preference services, compliance and legal at the Direct Marketing Association, said it was “not totally necessary” for charities to focus purely on consent in order to process data under the new General Data Protection Regulation.

Mitchison said he had spoken to a number of charities who “feel that they are being pressured to go down this fully consent road”, but pointed out that consent is only one of six legal grounds on which personal data can be processed under GDPR, and that “no one is any better than the other”.

“It’s important to point out that consent is only one of the legal grounds on which you can process personal data. There are actually six legal grounds and no one is any better than the other.

"So if you choose the consent route and you only want to deal with people who have expressly opted in to receiving marketing material from you, that’s fine but it is no better legally than if you choose to do it by legitimate interest and use an opt-out method of communicating with people.

“You may have a significant part of your database for which you’ve never really bothered to collect consent and maybe you only deal with them on a direct mail basis, and you may want to just continue doing that and that’s perfectly fine to do under the basis of legitimate interest.”

Mitchison however warned that processing data under legitimate interest was not “a get out of jail free card” which could be used to “mail anybody”. He said that organisations wishing to process data based on legitimate interest must “make sure that the legitimate interest of your organisations is balanced against the rights of the consumer; that it’s reasonable and you provide an unsubscribe option so the person can stop whenever they want to”.

He said organisations currently relying on consent to legally process personal data would need to go through a "recommissioning process, as your current consent is almost certainly not going to be valid" after GDPR comes into force in May 2018. 

‘The problem with profiling is that nobody really knows what it is’

Mitchison also spoke about the recent series of fines issued by the Information Commissioner’s Office to 13 charities for various data protection breaches, including some third-party data profiling and wealth screening.

He said the problem with this was “nobody can really define what profiling is. It’s quite clear that the ICO don’t know what profiling is either, because they’ve just sent out a paper asking stakeholders to inform them of what they do and what they consider profiling to be”.

The ICO has yet to announce when it will publish its guidance on data profiling under GDPR, but Mitchsion said he expected the final guidance to grade data profiling activities “on a spectrum”.

“What we at the DMA expect is that profiling will be judged on a spectrum, with the use of plain data for segmentation and basic selections at one end and the more intrusive activities – like scraping a person’s Facebook page to append further data – at the other end, due to it being obviously more intrusive”.

Implementing GDPR may come down to ‘business risk’

Mitchison also said that, particularly around certain practices charities use including data profiling and third party wealth screening, implementing decisions around GDPR may well come down to “a business risk”.

He said that charities worried about listing all of the ways in which they use personal data in a privacy notice may simply be forced to “take a risk”.

“A lot of the decision that charities are going to have to make about implementing GDPR are going to come down to a business risk. You’re just going to have to think about it, develop a policy, get that approved by your board and then go with it.

"If you think that listing it all out is going to have a negative effect on the way your supporters hand over their data, you may consider making your privacy notices a little bit simpler and, effectively, taking a risk.”

 

More on