10 tips to stop your charity breaking the law
As featured in Third Force News
Here are 10 things you need to know about consent:
1. You will no longer be able to bundle consent requests within wider terms and conditions. A request for consent to receive marketing materials should be separate from terms and conditions and should not be a precondition of the provision of a service unless it is necessary for that service.
2. Pre-ticked opt in boxes or opt-out boxes will no longer be valid. You must now use an un-ticked opt-in box or similar opt-in method that allows choice.
3. Requests for consent should be broken down into different categories where possible to allow your supporters to consent separately.
4. Your charity must be named along with any third parties (e.g. fundraising partners or agents) who will rely on the consent.
5. You must keep good records allowing you to show: who has consented, to what they consented, when and how they consented.
6. You must tell supporters that they have a right to withdraw their consent at any time, and you must tell them how to do this. The process for withdrawing consent cannot be more difficult than it was to give the consent in the first place!
7. Supporters have the right to object to direct marketing and your charity must bring this right explicitly to the attention of supporters from the start.
8. There is no set time limit for how long a person’s consent lasts but the Information Commissioner’s Office recommends refreshing it every two years.
9. If you ignore the new law not only do you risk reputational issues but you could be fined up to €20m or up to 4% of your turnover.
10. You should have started to prepare by reviewing the data you currently hold; assessing the reliability of the consent; and think about whether you have told your supporters of the changes being forced.
Luckily for charities two pieces of recent guidance on the subject have been issued by key data protection players in the third sector:
The Fundraising Regulator issued guidance last month on fundraising which makes reference to upcoming changes expected by GDPR and the e-privacy regulation and earlier this month the ICO issued draft guidance on consent under the GDPR.