Fundraising Abroad and Data Protection How to protect your reputation and reap the benefits Gary Shipsey Managing Director - Protecture Webinar 15 July 2015

Fundraising Abroad and Data Protection – How to protect your reputation and reap the benefits


Page 2

“the communication (by whatever means) of any advertising or marketing material* which is directed to particular individuals”.

* Includes promotional material - promoting charity aims / ideals / fundraising

Direct marketing

Data Protection Act 1998

Unsolicited direct marketing

Privacy and Electronic Communication Regulation 2003

• Complements the DPA; more detailed privacy rules in relation to “electronic” communications*

• Must still comply with the DPA if using personal data.

* Includes telephone calls (both live and automated) | faxes | emails | SMS

Page 3

UK Institution

Reasonable expectations

Fair Processing Notice (Privacy notice)

defined by

UK-based Alumni

Non-EEA Institution

US / Non-EEA based Alumni

P1 - Fairness

Proof? Given to / seen by the person?

P8 – Transfers outside EEA

Page 4

“…shall not be transferred to a country or territory outside the European Economic Area unless [it] ensures an adequate level of protection…”

EU Commission’s list of countries or territories providing adequate protection (a ‘positive finding of adequacy’)

The US recipient is signed up to the US Department of Commerce Safe Harbor Scheme

Own assessment…that protections ‘adequate in all the circumstances of the case’

Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland, Uruguay

‘general adequacy’ criteria:

1. Sensitivity / volume of personal data being transferred?

2. Where has it come from…?

3. …and where will it end up?

4. How will the data be used and for how long?

5. What security measures will be taken in respect of the personal data in the country where the data will be received?

‘Legal adequacy’ criteria:

6. To what extent has the country adopted data protection standards in its law?

7. Can you enforce the standards / ensure they are achieved in practice?

8. Is there an effective procedure for individuals to enforce their rights if things go wrong?

P8 – Transfers outside EEA

Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden

Page 5

P8 – Transfers outside EEA

Contract clauses
• EC Model Contract Clauses – approved by the European Commission;
• Binding Corporate Rules (BCRs) – approved by the ICO, or
• Other contractual arrangements

Rely on an exemption
e.g. the alumni / charity supporters have given their consent (the DPA does not say explicit consent).

Page 6

P8 – Transfers outside EEA

Management of data

Clearly defined use(s) (purpose(s))

P2 - Purpose

P3-P5 – Data quality

Nature & extent of data

What will the Body be doing with the data? e.g.
• Analytics / searching
• Only “sticking data on labels / sending emails”

How much data exchanged (minimum required to achieve stated purpose(s))?

Quality of data (accuracy)?

• Left under a cloud?
• Did a sensitive subject (association with it is still sensitive)?
• In a sensitive job (where past is not known)?

Page 7

Controlled & limited access

Secure exchange

End of process (return of data?)

P7 – Security

Page 8

• Controlled and limited access to the data

• How to deliver a secure exchange of data

• Clear purpose(s)

• Define the end of the process (return of data / secure disposal)

If starting now…

Fair processing notices / privacy notices

Contract / agreement with the other Body

• Who you are – and who else will access the data

• Clarity on purpose(s)

• A process for keeping data up to date and individuals informed

• Consent…or another means

Legitimise transfer if outside EEA

Page 9

• More donations(!)

To reduce risks with current sharing…

“Parklife did not initially take the complaints made seriously, sending the following tweet: “So this is what it feels like to be a jar of Marmite #LoveItOrHateIt””

Regularise your transfer…by whatever means necessary…

Weigh up the risks…and benefits

Be ready to handle complaints seriously and swiftly

• Complaints?

• Social media (storm)?

• Damage to reputation and trust?

Document the decisions made / risk(s) accepted

Page 10

“Who are you? How did you get my (very) personal data?”

From: UniAbraod.com
To: Gary Shipsey

Hello Gary

We know you had a great time at uni on your way to getting that 2:1 BA (hons)…

Your record of attendance was only matched by your varsity record of W20-D3-L1…

We trust you’re over that illness…and might want to help…

If you’re still the sporty type, we are looking for runners in the New York marathon in aid of Sheffield Uni…

Page 11

“We won’t share your details with companies outside the Virgin Group for marketing purposes. If that’s not OK, please tick the box.”

“Who are you? How did you get my personal data?”

Page 12

Market research

Newsletters and inserts

No advertising or marketing material = rules will not apply.

• Label marketing as “survey”

• ‘Sugging’ - selling under the guise of research.

Include some marketing elements (even if this is not their main aim)?

• 10% news with 90% marketing content?

• 1 newsletter with 10 marketing inserts?

Page 13

Automated calls: Specific opt-ins (i.e. stricter)

Calls: Opt-outs…IF screen numbers against TPS

Direct mail: Opt-outs + (good practice) screen against MPS

Page 14

Specific opt-in

Pre-ticked box = consent?

Not opting-out = consent?

Rely on
• interesting content?
• innovative content?
• active engagement?

Rely on
• absence of action?
• misunderstanding?
• apparent unconcern?
• them not seeing the box?

@ SMS Reg 22. Use of electronic mail for direct marketing purposes

Page 15

1. Who compiled the list? When? Has it been amended or updated since then?

2. When was consent obtained?

3. Did it list organisations by name, by description, or was the consent for disclosure to any third party?

4. What method was used – e.g. was it opt-in or opt-out?

5. Was the information provided clear and intelligible? How was it provided – e.g. behind a link, in a footnote, in a pop-up box, in a clear statement next to the opt-in box?

Reasonable due diligence might include checking:
• What someone has consented to
• Date of consent
• Method of consent
• Who obtained consent
• Exactly what information was provided to the person consenting.

Buying a Marketing List
Be careful when relying on consent given indirectly to another organisation (third party)

Maintain proof
Records of consent

Page 16

Complaints Report 2014:
“The public are most concerned about
• direct mail [waste of money]
• telephone [intrusion / disruption / genuine distress]
and
• doorstep face-to-face fundraising”

Ultimate test = do people complain?

If starting now… To reduce risks with current sharing…

Page 17

2 December 2014

Promote after-show parties for the Parklife Weekender music festival

70,000 marketing text messages

Message appeared on mobiles as having been sent from "Mum."

£70,000 fine

6 April 2015

“…will help us to make more fines stick, and more fines should prove a real deterrent…

“Previously, we’ve had to prove a company had caused ‘substantial damage or substantial distress’

Now “…we just have to prove that the company was committing a serious breach of the regulations.”

Page 18

Expert advice | Audit | Contracts | Training | Template documents

@protectureDPO | 020 3691 5731 | protecture.org.uk

Subscription-based data protection support service

24/7 – external experts or your Data Protection Officer

Free policy review – [email protected]

20% discount

Page 19

“Protecture have the skills, knowledge and ability to make sense of the complex regulations and guidance around data protection and to give clear concise and timely advice to real life situations in a way that the ‘lay’ person can understand. In this way Protecture help charities de-risk data protection and focus on the business of delivering the charitable objectives.” Andy Goldsmith, CEO

“Working with Protecture has lifted a weight from my shoulders as the area of data protection really needs depth of knowledge… Protecture’s information for the organisation has been in plain English and appropriate for the audience. Protecture delivered an interesting and stimulating 20 minute presentation on Data Protection to our national team – around 120 people. I’d expected groans from the audience as the topic sounds so dry, but the team were completely engaged.” Jan van Zyl, Operations Director

“Protecture is an efficient and reliable source of expertise for our Charity. They have been able to provide us with advice and guidance on all our Data Compliance needs while always remaining flexible, cost effective, and most importantly lightning fast with a response. Keep up the good work!” Jeff Thomas, Remuneration and Benefits Manager