Fundraising Abroad and Data Protection – How to protect your reputation and reap the benefits
Gary Shipsey
Managing Director – Protecture
Webinar, 15 July 2015
“the communication (by whatever means) of any advertising or marketing material* which is directed to particular individuals”.
* Includes promotional material - promoting charity aims / ideals / fundraising
Direct marketing: Data Protection Act 1998
Unsolicited direct marketing: Privacy and Electronic Communications Regulations 2003
• Complements the DPA; more detailed privacy rules in relation to “electronic” communications*
• Must still comply with the DPA if using personal data.
* Includes telephone calls (both live and automated) | faxes | emails | SMS
Diagram: a UK Institution sharing data with a Non-EEA Institution, covering UK-based Alumni and US / Non-EEA based Alumni.
P1 – Fairness: reasonable expectations, defined by the Fair Processing Notice (privacy notice). Proof? Was it given to / seen by the person?
P8 – Transfers outside EEA
“…shall not be transferred to a country or territory outside the European Economic Area unless [it] ensures an adequate level of protection…”
a. The destination is on the EU Commission’s list of countries or territories providing adequate protection (a ‘positive finding of adequacy’): Andorra, Argentina, Canada, Faroe Islands, Guernsey, Isle of Man, Israel, Jersey, New Zealand, Switzerland, Uruguay
b. The US recipient is signed up to the US Department of Commerce Safe Harbor Scheme
c. Own assessment…that protections are ‘adequate in all the circumstances of the case’
‘General adequacy’ criteria:
1. Sensitivity / volume of personal data being transferred?
2. Where has it come from…?
3. …and where will it end up?
4. How will the data be used and for how long?
5. What security measures will be taken in respect of the personal data in the country where the data will be received?
‘Legal adequacy’ criteria:
6. To what extent has the country adopted data protection standards in its law?
7. Can you enforce the standards / ensure they are achieved in practice?
8. Is there an effective procedure for individuals to enforce their rights if things go wrong?
P8 – Transfers outside EEA
European Economic Area: Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Iceland, Ireland, Italy, Latvia, Liechtenstein, Lithuania, Luxembourg, Malta, Netherlands, Norway, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden
d. Contract clauses:
• EC Model Contract Clauses – approved by the European Commission;
• Binding Corporate Rules (BCRs) – approved by the ICO, or
• Other contractual arrangements
e. Rely on an exemption, e.g. the alumni / charity supporters have given their consent (the DPA does not say explicit consent).
P8 – Transfers outside EEA: management of data
P2 – Purpose: clearly defined use(s) (purpose(s))
P3–P5 – Data quality: nature & extent of data
What will the Body be doing with the data? e.g.
• Analytics / searching
• Only “sticking data on labels / sending emails”
How much data exchanged (minimum required to achieve stated purpose(s))?
Quality of data (accuracy)?
• Left under a cloud?
• Did a sensitive subject (association with it is still sensitive)?
• In a sensitive job (where past is not known)?
Controlled & limited access | Secure exchange | End of process (return of data?)
P7 – Security
• Controlled and limited access to the data
• How to deliver a secure exchange of data
• Clear purpose(s)
• Define the end of the process (return of data / secure disposal)
If starting now…
1. Fair processing notices / privacy notices
• Who you are – and who else will access the data
• Clarity on purpose(s)
• A process for keeping data up to date and individuals informed
2. Contract / agreement with the other Body
3. Legitimise transfer if outside EEA
• Consent…or another means
• More donations(!)
To reduce risks with current sharing…
1. Regularise your transfer…by whatever means necessary…
2. Weigh up the risks…and benefits
• Complaints?
• Social media (storm)?
• Damage to reputation and trust?
3. Be ready to handle complaints seriously and swiftly
4. Document the decisions made / risk(s) accepted
“Parklife did not initially take the complaints made seriously, sending the following tweet: ‘So this is what it feels like to be a jar of Marmite #LoveItOrHateIt’”
“Who are you? How did you get my (very) personal data?”
From: UniAbraod.com
To: Gary Shipsey
Hello Gary
We know you had a great time at uni on your way to getting that 2:1 BA (Hons)…
Your record of attendance was only matched by your varsity record of W20-D3-L1…
We trust you’re over that illness…and might want to help…
If you’re still the sporty type, we are looking for runners in the New York marathon in aid of Sheffhield Uni…
“We won’t share your details with companies outside the Virgin Group for marketing purposes. If that’s not OK, please tick the box.”
“Who are you? How did you get my personal data?”
Market research
No advertising or marketing material = rules will not apply.
• Label marketing as “survey”?
• ‘Sugging’ – selling under the guise of research.
Newsletters and inserts
Include some marketing elements (even if this is not their main aim)?
• 10% news with 90% marketing content?
• 1 newsletter with 10 marketing inserts?
Automated calls: specific opt-ins (i.e. stricter)
Calls: opt-outs…IF you screen numbers against the TPS
Direct mail: opt-outs + (good practice) screen against the MPS
Email / SMS: specific opt-in (Reg 22 – Use of electronic mail for direct marketing purposes)
Specific opt-in relies on:
• interesting content?
• innovative content?
• active engagement?
Pre-ticked box = consent? Not opting out = consent? These rely on:
• absence of action?
• misunderstanding?
• apparent unconcern?
• them not seeing the box?
Buying a Marketing List
Be careful when relying on consent given indirectly to another organisation (third party).
1. Who compiled the list? When? Has it been amended or updated since then?
2. When was consent obtained?
3. Did it list organisations by name, by description, or was the consent for disclosure to any third party?
4. What method was used – e.g. was it opt-in or opt-out?
5. Was the information provided clear and intelligible? How was it provided – e.g. behind a link, in a footnote, in a pop-up box, in a clear statement next to the opt-in box?
Reasonable due diligence might include checking:
• What someone has consented to
• Date of consent
• Method of consent
• Who obtained consent
• Exactly what information was provided to the person consenting.
Maintain proof: records of consent
Complaints Report 2014: “The public are most concerned about
• direct mail [waste of money]
• telephone [intrusion / disruption / genuine distress]
• and doorstep face-to-face fundraising”
Ultimate test = do people complain?
If starting now…
To reduce risks with current sharing…
2 December 2014
Promoted after-show parties for the Parklife Weekender music festival
70,000 marketing text messages
Message appeared on mobiles as having been sent from "Mum."
£70,000 fine
6 April 2015
“…will help us to make more fines stick, and more fines should prove a real deterrent…
“Previously, we’ve had to prove a company had caused ‘substantial damage or substantial distress’
Now “…we just have to prove that the company was committing a serious breach of the regulations.”
Expert advice | Audit | Contracts | Training | Template documents
@protectureDPO | 020 3691 5731 | protecture.org.uk
Subscription-based data protection support service
24/7 – external experts or your Data Protection Officer
Free policy review – [email protected] – 20% discount
“Protecture have the skills, knowledge and ability to make sense of the complex regulations and guidance around data protection and to give clear, concise and timely advice to real life situations in a way that the ‘lay’ person can understand. In this way Protecture help charities de-risk data protection and focus on the business of delivering the charitable objectives.” Andy Goldsmith, CEO
“Working with Protecture has lifted a weight from my shoulders as the area of data protection really needs depth of knowledge…Protecture’s information for the organisation has been in plain English and appropriate for the audience. Protecture delivered an interesting and stimulating 20 minute presentation on Data Protection to our national team – around 120 people. I’d expected groans from the audience as the topic sounds so dry, but the team were completely engaged.” Jan van Zyl, Operations Director
“Protecture is an efficient and reliable source of expertise for our Charity. They have been able to provide us with advice and guidance on all our Data Compliance needs while always remaining flexible, cost effective, and most importantly lightning fast with a response. Keep up the good work!” Jeff Thomas, Remuneration and Benefits Manager