The UK government has set out its plan to take forward a new approach to data protection legislation, responding to the submissions and views it received on proposals set out in a recent consultation. The changes it proposed would mean that the UK will move away in some areas from the current regime in place which is the incorporation of EU data protection legislation (GDPR and PECR) into domestic law.
One key aspect for charities, and one that the Chartered Institute strongly supported and has called for in past years, is the decision to extend the ‘soft opt-in‘ to charities:
Currently, businesses can contact individuals with whom they have previously been in touch during a sale or transaction with further marketing material about similar or related products, provided that the individuals were given the opportunity to opt-out of such contact at the time they provided their details. This is known as the ‘soft opt-in’, as it does not require the customer’s explicit consent.
To put into practice, when I go to a website and buy another version of Tunnel of Love by Dire Straits, it means that the company I’ve bought it from can market a ‘similar or related product’ to me without my consent (most commonly through email, but also applies to other forms of communication).
Immediate questions spring to mind, particularly what is ‘similar or related product’? Another Dire Straits track or album would of course count. But would a Dire Straits t-shirt, or a poster? What about a song also called Tunnel of Love, but this time by Bruce Springsteen? There’s been a few discussions about this in relation to the soft opt-in, but because charities have never had the opportunity to use it, we’re probably not up to speed with the latest practice on it. We’ll have to make sure we’re aware of what counts as ‘similar or related product’ by the time the change comes in if we want to use it.
The other key thing is the phrase ‘sale or transaction’. Charitable donations don’t normally count as a sale or transaction in law as it’s a one way transfer of money with nothing bought or expected in return. So, if what we get is a narrow application of this, then making a donation on a charity website wouldn’t count for the soft opt-in. But a supporter buying something (a ticket for a concert, a product bought through an online charity shop, or someone buying a charitable service, etc) would be able contactable via soft opt-in to offer them that similar product in the future. Perhaps though, if a wide application is applied then donations could be counted for the soft opt-in to work. This would of course be a bit more of a game-changer and is one of the areas that we’ll have to see the wording of the legislation and accompanying guidance to see where it lands.
But even if it is a narrow application (just the pure sales/transactions) it does open up a bit of an opportunity that we haven’t had before in charity fundraising. We definitely shouldn’t be assuming it’s going to be a silver bullet, and any use of this new way of being able to contact supporters will have to be done with due consideration and only in an appropriate way.
The position set out by the government is:
“Our new Data Reform Bill will make it easier for businesses and researchers to unlock the power of data to grow the economy and improve society, but retains our global gold standard for data protection.”
There’s a lot in the plan – it covers AI, fines for nuisance calls, cookie consent, reforming the ICO, changing the requirements to undertake a data impact risk assessments and to have a data protection officer in place.
The direction of travel, as set out by the government, is that GDPR requirements put in some overly restrictive requirements that caused some headaches and burden for organisations’ data governance, and that there should be more flexibility. It wants to focus more on outcomes rather than process, and to allow organisations to do more with data to drive creativity and opportunity. That’s where the removal of some processes comes in. But there’ll also need to be the continued protection of data rights, and the government have highlighted the need to continue to have high standards in protecting privacy.
So there’s likely to be more changes, or opportunities for change, in how charities as whole organisations manage their data processing and data governance than there will be changes to fundraising specifically. And that’s another reminder that this is going to be something that will have to be looked at across the board – for service users, campaigning, volunteering, HR, and so on. We’re not there yet - for any of this to happen it has to become law. This means a Bill has to go before Parliament and the law has to be changed (some of you, if it’s not going to bring back PTSD, will remember that we had two years of getting to grips with GDPR before the law actually changed). But its worth being aware of what’s down the road. And at the end of it all, if you want to continue to manage your data protection almost exactly as you’re doing now, and not fussed about the soft opt-in, you probably won’t have to change anything anyway – i.e, the change in a legal requirement to have a data protection officer doesn’t mean you will choose not to have one.
As the legislation goes through we’ll be engaging with the government to make sure that the changes brought in can be as positive as possible for charity fundraising, and be working to provide you with guidance and updates all through the way too, so keep an eye out for more information in the months ahead.