GDPR and prospect research: Our top ten tips for compliant fundraising research

26 May 2021
Digital Integration
Standard Content
Data and graphs

Three years since GDPR took effect in law, the Researchers in Fundraising Group look at what the impact has been on prospect research and development, and share their top ten tips for compliant fundraising research.

More than five years ago, the four-letter acronym that comes up daily in conversation between fundraisers began to surface – GDPR. Many of us spent the next couple of years reviewing our data protection and privacy processes and policies ahead of D-Day, 25 May 2018, when the general data protection regulation took effect in law.

What has become clear is, three years on, we are still navigating daily the muddy waters of GDPR, particularly in relation to prospect research; from writing Data Protection Impact Assessments (DPIAs) and undertaking Legitimate Impact Assessments (LIAs), to informing prospects of research and painstakingly reviewing research processes, and from managing all of this in practice to playing mediator between compliance and fundraising colleagues.

Together with Suzie Stephens of The Prospect Development Company, the Researchers in Fundraising (RiF) Group recently gathered together a group of individuals straddling the worlds of prospect research, data protection and high value fundraising, to discuss the impact GDPR continues to have, three years on, on the evolution of prospect research and development. Panelists included:

So, what did we learn? Read on to for our top ten tips for data protection compliance for prospect research.

1. Apply Article 14.5(b) (with caution)

If you’ve spent any time in prospect research forums in the last couple of years, or attended the annual RiF Conference, you’ve probably heard people talking about Article 14.5(b).

Article 14 of GPDR states that if you are processing the personal data of an individual obtained from any source other than the individual, themselves, you must inform the individual within one month of that data processing or at the point of first communication with the individual – whichever is sooner.

However, prospect researchers are provided with a useful exception to this rule in Article 14.5(b), which states that you do not need to comply with the one month rule if it is impossible, would involve ‘disproportionate effort’ or ‘render impossible or seriously impair’ the achievement of the objectives of that processing.

With this in mind, some prospect researchers apply Article 14.5(b) to extend the deadline by which prospects must be informed of data processing. In fact, a poll of attendees at the event showed that a majority of attendees were taking longer than one month to inform prospects of data processing.

Poll question
A question asked of attendees at the event

That said, Hannah Lyons from Bates Wells cautioned researchers not to rely on the exception provided by Article 14.5(b) as a matter of course, as the ICO is likely to interpret its application narrowly. If you are considering applying Article 14.5(b) to your organisation’s research operation, you must therefore give it careful consideration, record your thinking in a DPIA, and be sure to develop a clear justification and paper trail for that decision in the event that you are challenged on it in the future.

Likewise, if you begin to research a cold prospect but decide during research or soon thereafter not to pursue the prospect further, deleting any information about them from all locations, including your database, is likely to be more appropriate (and not impact their privacy rights too much) than informing the prospect that you have processed their data... but will not be approaching them further.

2. Take a layered approach when informing prospects of data processing

A positive way to inform prospects that you have processed their data is to take a layered approach by sending an innocuous initial mailing to data subjects within the one month period, which contains your organisation’s privacy statement along with a link to the full privacy policy should they want further information. Then, at a later, more appropriate opportunity, you can follow up with a more detailed privacy communication.

Also remember, wherever possible, to time research on cold prospects so that it falls within a one month window of a suitable opportunity for making contact (or within the applicable window if using the exemption under article 14.5(b)), such as the distribution of invitations to an event, within which you can link to an appropriate privacy statement or policy.

3. Don’t forget your DPIAs and LIAs

DPIAs and LIAs enable you to think about the privacy implications of your research and to document your thinking, ask the right questions, and set out your strategy for minimising risk to the individuals whose data you’re processing.

But that’s not all they do – good DPIAs and LIAs also help you to make the case for types of prospect research to internal senior management and other stakeholders, because they show that you are taking an approach which minimises risk while clearly demonstrating the benefits of your research to the organisation.

Don’t forget to support your DPIAs and LIAs with statistics, reports and other information which support the case for the research you would like to carry out. For instance, there are a number of great resources which set out the ’reasonable expectations’ of major donors, which you can cite in your DPIAs and LIAs including research by Dr. Beth Breeze, and this episode of the podcast ’What Donors Want’ featuring Nick Jenkins, founder of Moonpig and former Dragons’ Den judge. There’s also the option of asking your own donors about their reasonable expectations related to prospect research – chances are they’ll say they expect fundraisers to have ’done their homework’ before making an ask.

Finally, don’t forget that DPIAS and LIAs are life documents and should be reviewed at regular intervals.

4. But don’t leave it all to DPIAs and LIAs

While DPIAs and LIAs are a fundamental part of the process of planning research, it can also be useful to establish internal policy documents on profiling, wealth screening and other types of research. These policies bring your DPIAs to life and can be especially useful in translating the contents of a DPIA into something which is more easily digested and understood by a range of internal stakeholders, including trustees and senior management.

5. And don’t overlook the importance of training

It’s one thing to follow a template in the completion of a DPIA, LIA, or other research policy but, for those of us carrying out prospect research, we need to be clear about the legal bases behind the documents that we’re creating, and the best way to do this is through training.

If you are confident in your understanding of GDPR, the Data Protection Act, and PECR for prospect research, specifically, consider how you can support the delivery of training for your colleagues, so everyone carrying out prospect research understands the ‘why’ of the processes they’re following and documents they’re completing. Developing specific training on this could also provide you with a good opportunity to build relationships with your legal and data protection colleagues, if you work for a larger organisation.

6. Put it in your privacy policy

Your organisation’s privacy policy is the best place for you to set out to your existing and prospective supporters exactly what research you undertake and why you do it (to support your organisation’s mission, of course!).

Don’t be afraid of ‘giving too much away’ in your privacy policy – to the contrary, you should be as explicit as possible about what you’re doing when you carry out prospect research and the types of research that you do, from cold prospecting to wealth screening to network mapping. After all, when you inform readers of your privacy policy about the research that you are doing, you are helping to fulfil the legal basis – Legitimate Interest – needed for you to compliantly carry out prospect research.

If you are not sure where to start with privacy policies, it can be useful to look up the privacy notices of peer organisations and then tailor it to your own organisation. The ICO also has a privacy policy template available on its website.

7. Don’t get carried away

As prospect researchers, we are information detectives, and it can be tempting to continue research into a prospect where there is still relevant information to be found. But it's important to apply the principle of data minimisation and only capture in your research the minimum amount of personal data you and your fundraising colleagues need to fulfil the primary purpose of the prospect research (eg understanding a prospect’s interests in order to cultivate them towards the right project or understanding a prospect’s wealth in order to make an ask at an appropriate value). Would a prospect reasonably expect you to know that they made a very small gift to an unrelated organisation 10 years ago? Probably not.

8. Just ask

With all the emphasis on desk-based research methods, it can be easy to overlook the value (and the ease of compliance!) in asking a potential donor directly for information about themselves. If information about a prospect is particularly tricky to uncover, or involves more intensive research methods, consider whether getting a fundraiser to ask the prospect for this information directly would be the more appropriate and compliant approach.

9. Stay compliant

Even when you’ve reached a point where prospect research compliance is embedded in your fundraising operation, there is still work to be done to ensure that you remain compliant. Keep your privacy policy up to date. Make sure to follow data protection stories in the fundraising trade news and give the ICO a follow on Twitter. If you work for an organisation with a dedicated Data Protection Officer, build a relationship with them and lean on them to keep you up to date with the latest developments in data protection.

10. Subscribe to the Researchers in Fundraising: Best Practice Guide and Handbook (launching later in 2021)

Researchers in Fundraising: Best Practice Guide and Handbook is an exciting new project that aims to provide a comprehensive, up-to-date and relevant guide to the diverse range of skills and knowledge required for successful, professional and ethical prospect research in the UK and internationally in an accessible user-friendly format, at an affordable price. It will include a full chapter specifically about applying data protection considerations to your prospect research.

Curated by Researchers in Fundraising, the content of the Handbook will enhance understanding of the role of ethics in prospect research and the practical implications of ethical good practice, increase knowledge of the data skills and technical skills essential to the role of prospect researcher and ability to implement them, and develop greater awareness of career pathways in prospect research and the professional standards associated with good practice as individuals and as team members.

The Handbook is being written collaboratively by a team of international volunteers from across the prospect research sector; the content is by prospect researchers and for prospect researchers. It will be published digitally and made available for purchase by anyone interested in prospect and fundraising research.

Follow Researchers in Fundraising on Twitter @CIOFResearchers

Members Only Content