In recent years, we’ve seen a shift towards major gift fundraising and that means rigorous research and usually handling some personal data. If you’re not sure how to do it and stay GDPR compliant, this article is for you. Our CEO, Kerry Rock, looks at lawful ways of processing data for major gift fundraising.
The law sets out a number of grounds for lawfully processing personal data. These are:
- Legitimate Interest
- Consent
- Contract
- Legal Obligation
- Vital Interests
- Public Task
The various bases for processing personal data are not ranked and one is not better than the other. They can apply at different times. For most fundraising organisations, there are two grounds that you can use for fairly and lawfully processing personal data for prospect research. These are legitimate interest and consent – almost all the organisations we work with rely on legitimate interest for all or most of their prospect research.
Read your privacy notice
Most fundraisers know there’s a privacy notice on their organisation’s website but very few can tell you what’s in it. Read your organisation’s privacy notice and familiarise yourself with what you’re telling people you’re going to do with their data. Then you can start to think about what needs to change to enable you to do what you need to do for major gift fundraising.
Assess your current processes
Undertaking a data protection impact assessment (DPIA) for your major gifts programme will ensure you understand the impact of your data processing on your supporters. This means you can develop and implement research processes which are compliant with data protection requirements. Completed thoroughly, your DPIA will identify any areas that are high risk so you can mitigate these and amend your practices.
Legitimate interest is a lawful basis for processing personal data as long as it does not override the fundamental interests, rights and freedoms of the individuals. However, for legitimate interest to be valid, processing must be necessary and your organisation’s interest must be balanced with the impact on the individual whose data you’re processing. Clearly document your assessment of this balance and include reasonable expectations of the subject of data processing based on their relationship with your organisation. You cannot cause them unwarranted harm or disproportionate impact. This is recorded in a Legitimate Interest Assessment (LIA).
It is advisable to undertake both a DPIA and a LIA before undertaking research for your major gifts programme.
Update your privacy notice and let people know
Your privacy notice should clearly describe all the ways you use personal data and the safeguards in place. It’s an opportunity to show your supporters how they can exercise their rights over your processing of their personal data. When you update it, you need to inform all of your supporters about it.
Your privacy notice should contain the following information:
- Details of the data controller (and data protection officer)
- Purposes for which the data will be processed and the legal basis
- Explanation of the organisation’s legitimate interest
- Categories of personal data
- Who it will be shared with
- Countries where it may be transferred
- How long their data will be kept
- Data subjects’ rights including to withdraw consent to processing and the right to opt-out
- Sources of personal data – using publicly accessible sources
- Use of third parties
- Any automated decision-making or profiling (different to prospect research)
Our top tip for ensuring your privacy notice is fit for purpose is to get someone outside of your organisation to read it and explain it back to you. If they can’t explain it, take another look and simplify it.
We run free webinars on data protection – getting it right for major gift fundraising. These will look at:
- Major gifts, prospect research and regulation
- The legal basis for your activities – how you can do prospect research and still comply with GDPR
- Legitimate Interest – what does it mean and how to demonstrate it
- Data Protection Impact Assessments – why, how and when
- Fair processing information – getting it right
- Using publicly accessible data sources
- Applying this to wealth screening, desk research, due diligence
- Data retention and minimisation
