We recently ran a booked-out webinar on data protection for major gift fundraising, and we promise to run it again as soon as we can. In the meantime, here are some key principles for getting data protection for major gifts right.
How data protection fits into best practice fundraising
Data protection is at the heart of best practice major gift fundraising. With a privacy-by-design approach, your supporters will feel secure when it comes to trusting you with their data. Data protection law applies to all processing of personal data. Before processing personal data, you need to ensure you have lawful grounds for doing so and inform your supporters that you will be doing it.
Grounds for processing data under GDPR
There are six lawful grounds for processing data under GDPR:
- Consent
- Contract
- Legal obligation
- Vital interests
- Public task
- Legitimate interest
The ones we use most frequently when processing data for fundraising are consent, legitimate interest and occasionally contract. One is not better than the other and all may be appropriate for use at different times. Most organisations use legitimate interest for their prospect research.
Prospect research and data protection
Before undertaking prospect research, we recommend you carry out a data protection impact assessment (DPIA), and you will also need to undertake a legitimate interest assessment (LIA).
A DPIA is an assessment of the ways an organisation uses personal data for specific activities. It should describe the purpose for which you collect the data and look at information flows, e.g. how data will be obtained, used and retained. Your DPIA should also identify the privacy risks and evaluate solutions to those risks. Once recommended actions are agreed, they should be incorporated into the overall project plan.
Your LIA enables you to verify that you have a legitimate interest. You need to be able to demonstrate this, and that the data processing you are undertaking is necessary. The LIA takes into account the reasonable expectations of data subjects and the impact of the processing on individuals’ interests, rights and freedoms, and weighs these against your legitimate interests. You should document the outcome of this balancing test (and any mitigating steps).
The purpose of the balancing exercise is not to prevent any negative impact on the data subject. Rather, its purpose is to prevent disproportionate impact. (CASE 2019)
Key principles for your privacy notice
Your privacy notice should clearly describe all the ways you use personal data and the safeguards in place. It must also show your supporters how they can exercise their rights over your processing of their personal data. When you update it, you need to inform all of your supporters about this.
Your privacy notice should contain the following information.
- Details of the data controller (and data protection officer)
- Purposes for which the data will be processed and the legal basis
- Explanation of the organisation’s legitimate interest
- Categories of personal data
- Who it will be shared with
- Countries where it may be transferred
- How long it will be kept
- Data subjects’ rights, including the right to withdraw consent to processing and the right to opt out
- Sources of personal data – using publicly accessible sources
- Use of third parties
- Any automated decision making or profiling (different to prospect research)
Our top tip for ensuring your privacy notice is fit for purpose is to get someone outside of your organisation to read it and explain it back to you. If they can’t explain it, take another look and simplify it.
With over 25 years’ experience working with the not-for-profit sector, our team provides research, wealth screening, consultancy, regulatory compliance and training support to charities of all sizes, making fundraising more effective and successful.
We’ll help you learn more about the people who support your cause, give you detailed insight into your best prospects and identify new ones, whether they be wealthy individuals, grant-makers or institutional funders. To book your free half-day of (virtual) consultancy with our team get in touch with us by email at info@prospectingforgold.co.uk or call us on 01491 577311.
