For our latest Third Sector Digital Breakfast on the 25th October, we were joined by representatives from several charities. These included marketing professionals from Farm Africa, Jo’s Cervical Cancer Trust and The Army Cadet Force.
On this occasion we discussed data collection in the context of the third sector. More specifically, we looked at how it would be affected by the EU General Data Protection Regulation, commonly known as GDPR. This regulation replaces the Data Protection Directive 95/46/EC, with the intention of refreshing data privacy laws throughout Europe. The ultimate aim is “to protect and empower all EU citizens’ data privacy and to reshape the ways organisations across the region approach data privacy”.
The General Data Protection Regulation is the new EU framework that defines how data must be handled within the EU. It comes into force on the 25th May 2018, and will apply to any organisation that collects and processes data on behalf of individuals and companies. Fines of up to €10 million or 4% of turnover (whichever is greater) can apply to organisations that fail to comply.
A question was raised early in the breakfast: “Will Brexit affect GDPR?”
The simple answer is “no”. Whilst the UK’s exit from the EU will affect several areas of public and private life, it will not affect the need for businesses to comply with the legislation. It affects any organisation that collects and processes the data of an EU citizen. In reality, there will be very few charities that will never have to comply with it.
Matt Stannard, Head of Innovation at 4Ps Marketing, explained to those present that personal data could be any information relating to a natural person, or ‘data subject’, that can be used to identify that person directly or indirectly. It could be anything from a name, a photo, an email address, bank details, posts on social networking websites, medical information or a computer IP address.
When considering people under 16, parental consent will be required to process their personal data for online services. EU member states may legislate for a lower age of consent but this will not be below the age of 13.
A question was raised as to whether charities need to appoint a Data Protection Officer (DPO). Matt advised that DPOs must be appointed in the case of any of the following:
- Public authorities
- Organisations that engage in large scale systematic monitoring
- Organisations that engage in large scale processing of sensitive personal data (Art. 37).
If your charity doesn’t fall into one of these categories, then you do not need to appoint a DPO.
Following this question, Matt took the opportunity to explain a little more about additional data-related roles.
A Data Controller is a person who (either alone, jointly or in common with other persons) determines the purposes for which and the way any personal data are processed. A controller is a natural or legal person or organisation that determines the purposes and means of processing personal data.
A Data Processor, in relation to personal data, means any person (other than an employee of the data controller) who processes the data on behalf of the data controller. A processor is a natural or legal person or organisation that processes personal data on behalf of a controller.
Whenever a Data Controller uses a Data Processor (a third party who processes personal data on behalf of the controller) there needs to be a written contract in place. The contract covers how the data is used, for what purposes and how it is protected. There are requirements on the processor, as well as the controller.
Nick Shread, Head of Third Sector at 4Ps Marketing, then discussed the key areas of GDPR that affect marketing. These can be summarised as follows:
- Communications Consent: Opt-ins and Opt-outs.
GDPR states that consent must be ‘freely given, specific, informed, unambiguous’ and articulated by a ‘clear affirmative action’. Whilst in the past you could assume consent based upon ‘inactivity’, this is not the case now. Customers must consent to their data being used and to you contacting them.
- The Right To Be Forgotten.
The new legislation is designed to confer more control to individuals over how their data is collected and used. You must now provide some way of accessing and removing data. Individuals are able to do this when there is no legitimate reason to process their information, when they withdraw consent for it to be used on the original terms, and when it has been unlawfully processed.
- The Legal Basis For Processing Personal Data.
The GDPR will mean the need for better data housekeeping from marketers and less collection of data for unnecessary or frivolous reasons.
You should consider how you will react appropriately to requests to view, amend or destroy customer data. Whilst you don’t have to provide online access to do this, you do need to be able to facilitate access for customers. It will be a legal right and although many will probably choose not to exercise it, it is good practice to make it easy for those who wish to do so.
Types of Consent
Matt discussed different types of consent, starting with Unbundled Consent. This relates to consent requests needing to be separate from other terms and conditions. Consent should not be a precondition of signing up to a service, unless it is necessary for that service.
Regarding Active Opt-In, Matt advised that pre-ticked opt-in boxes will be invalid. You must use unticked opt-in boxes or similar active opt-in methods, for example a binary choice in which both options are given equal prominence.
You will need to give granular options to provide consent separately to different types of processing wherever appropriate.
You should name your organisation and any third parties who will be relying on consent. Even precisely defined categories of third-party organisations will not be acceptable under the GDPR. For example, separate out consent to use data for Facebook marketing, Twitter marketing and so on.
You will need to keep records to demonstrate what the individual has consented to, including what they were told and when and how they consented.
Customers should be told they have the right to withdraw their consent at any time and be given clear instructions on how to do this. It must be as easy to withdraw as it was to give consent. This means you will need to have simple and effective withdrawal mechanisms in place.
There shouldn’t be any imbalance in the relationship. Consent will not be freely given if there is imbalance in the relationship between the individual and the controller – this will make consent particularly difficult for public authorities and for employers, who should look for an alternative lawful basis.
There are some areas where consent is not needed, namely:
- A Contract With The Individual
For example to supply goods or services they have requested or to fulfil your obligations under an employment contract. This also includes steps taken at their request before entering into a contract.
- Vital Interests
You can process personal data if it’s necessary to protect someone’s life. This could be the life of the data subject or someone else.
- Legitimate Interests
If you are a private sector organisation, you can process personal data without consent if you have a genuine and legitimate reason (including commercial benefit), unless this is outweighed by harm to the individual’s rights and interests.
- Compliance With A Legal Obligation
If you are required by UK or EU law to process the data for a particular purpose, you can.
- A Public Task
If you need to process personal data to carry out your official functions or a task in the public interest – and you have a legal basis for the processing under UK law – you can. If you are a UK public authority, our view is that this is likely to give you a lawful basis for many if not all of your activities.
The conversation moved on to storing analytical data, specifically within Google Analytics (GA). Matt advised the attendees that you are not allowed to store any personally identifiable information (PII) in Google Analytics, as it is against their terms of service.
If using Client ID or User ID in GA, these are anonymous by design. However, they can be used to identify a user indirectly; if you do this, you will need consent to do so.
An IP Address can be made anonymous in GA; for more information visit the Google Developers guide.
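The masking that Google's documentation describes for the GA IP anonymisation setting, reproduced here as an added JavaScript example (not Google's code, and not part of the original post): IPv4 addresses have their last octet zeroed and IPv6 addresses their last 80 bits, so the stored value can no longer single out one host. The sample addresses are constructed from the documentation ranges, not real visitors.

```javascript
// Added example (not Google's code): reproduces the masking rule that Google's
// documentation describes for the Analytics "anonymizeIp" setting, so the
// effect on a sample address can be checked offline. IPv4: the last octet is
// zeroed. IPv6: the last 80 bits (five of the eight 16-bit groups) are zeroed.

function anonymiseIpv4(ip) {
  const octets = ip.split('.');
  const valid = octets.length === 4 &&
    octets.every(o => /^\d{1,3}$/.test(o) && Number(o) <= 255);
  if (!valid) throw new Error('not a valid IPv4 address: ' + ip);
  octets[3] = '0';                       // drop the host part (last 8 bits)
  return octets.join('.');
}

// Expand an IPv6 address into eight 16-bit groups, resolving "::" compression.
function expandIpv6(ip) {
  const halves = ip.split('::');
  if (halves.length > 2) throw new Error('not a valid IPv6 address: ' + ip);
  const head = halves[0] ? halves[0].split(':') : [];
  const tail = halves.length === 2 && halves[1] ? halves[1].split(':') : [];
  const missing = 8 - head.length - tail.length;
  if (missing < 0 || (halves.length === 1 && missing !== 0)) {
    throw new Error('not a valid IPv6 address: ' + ip);
  }
  const groups = [...head, ...Array(missing).fill('0'), ...tail];
  return groups.map(g => {
    if (!/^[0-9a-fA-F]{1,4}$/.test(g)) throw new Error('bad IPv6 group: ' + g);
    return parseInt(g, 16);
  });
}

function anonymiseIpv6(ip) {
  const groups = expandIpv6(ip);
  for (let i = 3; i < 8; i++) groups[i] = 0;   // keep 48 bits, zero the last 80
  return groups.map(g => g.toString(16)).join(':');
}

// Dispatch on address family; anything unparseable is rejected rather than
// stored, which is the safe failure mode for an analytics pipeline.
function anonymiseIp(ip) {
  const addr = ip.trim();
  return addr.includes(':') ? anonymiseIpv6(addr) : anonymiseIpv4(addr);
}

// Constructed sample addresses from the documentation ranges (not real visitors).
const SAMPLE_ADDRESSES = ['203.0.113.45', '2001:db8:85a3::8a2e:370:7334'];
for (const ip of SAMPLE_ADDRESSES) {
  console.log(ip, '->', anonymiseIp(ip));
}
```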
Steps To Take
To finish the breakfast session, Nick summarised the steps that charity marketers should look to take now, in readiness for GDPR:
- Assign someone or a team to assess your data, technology and process readiness for data protection.
- Review your database management plan and make the necessary amendments. If you don’t have a plan – create one now!
- Start to add the appropriate language to all your data agreements, especially covering the need to opt in for communications.
As the charity breakfast session came to an end, questions were taken from the floor, and all attendees suggested that they would be taking immediate steps to ensure compliance with GDPR.
We hold our Third Sector Digital Breakfast bi-monthly and new attendees are most welcome. If you work in a marketing role for a charity and have an interest in helping take them forward digitally, please do get in touch with Nick Shread to reserve your place at our next breakfast.
If your organisation could benefit from discussing data collection in light of GDPR, then the third sector team at 4Ps would be very happy to meet for a coffee. Contact us now to find out more.
To produce this session, we used the following sources of information:
Disclaimer: This blog post is not legal advice for your company or charity to use in complying with EU data privacy laws like the GDPR. Instead, you should use this as background information to help you better understand the GDPR. This legal information is not the same as legal advice, where a licenced legal adviser applies the law to your specific circumstances. We highly recommend that you consult with your legal adviser for advice on your interpretation of this information or its accuracy.
In summary, do not rely on this as legal advice or as a recommendation of any particular legal understanding.
4Ps isn’t just another SEO agency. To discuss how analytics and tracking technology are evolving together in order to keep pace with new developments in user interaction and cross-platform advertising, give us a call on +44 (0)207 607 5650 for a no-obligation coffee and chat about marketing and behaviour across all inbound channels. How could web analytics consulting benefit your business?