Lawrence Simanowitz and Hannah Lyons from Bates Wells discuss what GDPR has meant for major donor fundraising from a legal and compliance position.
Gradually, major donor fundraising is getting back onto its feet. Some wondered whether it would ever recover after first being hit by the 2015/16 media stories and subsequent aggressive ICO fines and then having to adjust to the arrival of GDPR in May 2018.
However, major donors are a critical building block in the architecture of many charities’ funding models. Indeed, the very origins of today’s concept of charity go back to the philanthropists of the Middle Ages, and the legislation that Queen Elizabeth I put in place to facilitate their benevolent aims. So of course major donor giving (together with the prospecting that is intrinsic to this form of fundraising) was going to survive the downturn, and today the legal and compliance position does not look as gloomy as it did just a couple of years ago.
The introduction of GDPR did of course mean that charities and their major donor fundraising teams needed to review their data practices and consider whether they were compliant with the new regime. But GDPR merely built on what had existed before – it was not an enormous shakeup, despite the worries that existed at the time (and which remain in some quarters). In addition, the high-water mark of the ICO’s restrictive views on prospect research has now receded somewhat. New guidance, developed by and for the sector, including ‘Connecting People to Causes: A Practical Guide to Fundraising’ produced by the IoF and Bates Wells, takes a balanced approach to prospect research. Helpfully, it was reviewed by the ICO and reflects their more recent views on this area.
So where does this leave us in terms of what major donor fundraisers can and can’t do with personal data?
Well firstly, it is important to remember that consent is not always needed in order to gather information about a potential major donor. It may be possible to rely on legitimate interests to undertake these forms of processing. This will very much depend on the nature of the data/research and how intrusive this may be (the more intrusive the more likely consent will be required). A legitimate interest assessment (LIA) must therefore be carried out to balance the interests of the charity in conducting the research against the privacy rights of the individual. In some cases it may also be prudent to conduct a fuller Data Privacy Impact Assessment (DPIA), particularly if the exercise involves a large amount of data and/or new or potentially controversial forms of processing.
It is also important to remember that consent will be needed if any of the research includes special category (sensitive) data such as information about a person’s religion, ethnicity and health (amongst other things).
It is also essential to inform individuals that their data will be used in this way – for example within the charity’s privacy notice. This can be challenging when you are researching new prospects as they will not have previously been provided with the charity’s privacy notice, especially as GDPR requires you to inform them within 30 days.
So, once you have completed your research and have identified a major donor how can you contact them?
If you contact them by post, consent is not needed – but an LIA will need to be completed. Consent is also not required when calling people on the phone (unless that person is registered on the Telephone Preference Service). Consent is needed for direct marketing by e-mail and text. The definition of direct marketing is wide and is likely to catch most fundraising approaches including, for example, invitations to events as well as direct asks.
Our top tips for compliant fundraising research are: