The Data (Use and Access) Bill: What is the impact on charities?

The UK Government has introduced an amendment to the Data (Use and Access) Bill, which will have a significant impact on the way that charities advertise fundraisers and activities.

The amendment proposes that charities will be allowed to take advantage of the soft opt-in exemption for email and SMS marketing. Soft opt-in is the idea that if an individual has used one of your services recently and has given you their contact information, they are probably happy to receive marketing from you about services that haven’t specifically consented to. This is something that was previously reserved for profit-making organisations.

The amendment comes following an effort by nineteen large UK-based charities and the Data and Marketing Association (DMA) to bring attention to the need for the amendment. It is estimated that this could boost annual donations by £290 million.

The proposed rules for charities to take advantage of this are as follows:

• The main purpose of the marketing activity must be to achieve the charity’s charitable goals, such as direct fundraising or promoting fundraising events.
• The contact details were obtained from the data subject during an expression of interest to offer support to the charity, such as during a donation.
• The data subject is provided with a simple means to refuse the use of their personal data for marketing purposes in the future, whether that be during initial or subsequent communication. The best way to achieve this is to provide an opt-out option in every communication.

While these changes mean that charities will be able to rely on soft opt-in for fundraising purposes under PECR, in line with UK GDPR, a lawful basis for the processing of personal data is still required. Consent cannot be relied upon for this, as consent requires clear action, such as signing a form or ticking a box on a website, and by nature, soft opt-in does not have this. In cases like this, charities will most likely be able to rely on legitimate interest as the lawful basis for processing, though this will require the completion of a legitimate interest assessment.

If you’re a charity, what should you do to be prepared for these changes?

It’s important to remember that the Data (Use and Access) Bill hasn’t passed or gone into effect yet. This means that charities must continue to follow existing PECR guidelines, which allow marketing to businesses, but not individuals. While you wait, there are a few steps that can be taken to ensure that you’re well prepared for when these changes take effect:

• Stay informed and monitor updates: Track the Data (Use and Access) Bill as it moves through Parliament and stay aware of any changes or potential implementation dates that could impact your organisation. The best way to do it is to subscribe to updates from sources such as the ICO or DMA
• Conduct a review of existing systems and policies: Charities should conduct a full review of their existing systems and policies to ensure the activities they plan on conducting after these changes come into effect are detailed. For example, it would be a good idea to update your privacy policies to detail the use of data for fundraising efforts and soft opt-in.
• Complete a Legitimate Interest Assessment: Since consent can’t be relied on for soft opt-in, charities should identify the legitimate interest for the activity (such as raising funds for the charity) and demonstrate that the processing is necessary for that interest. The LIA should be documented and reviewed regularly.
• Review data collection processes: Make sure that you only collect contact information during an explicit expression of interest to offer support to the charity. A clear opt-out mechanism will be required too.
• Audit existing data: Identify which contacts were collected in a way that would quality under the new soft opt-in provisions.
• Complete staff training and awareness schemes: Staff and volunteers must be aware of the new rules around the soft opt-in exemption and the importance of maintaining opt-out mechanisms. Creating internal guidance and documentation for this is also an important step.
• Plan for the transition period: In addition to continuing to comply with existing PECR regulations, you should put the systems in place ready for the transition so you can move over quickly when the new rules come into effect.