The introduction of the European Union’s General Data Protection Regulations have been a controversial subject in some European countries and in certain industries and sectors. None more so than the charity sector in the UK which will see them unable to operate in much of the same way that they do now, leading to many charities to fear for their future. Much of this has come from the draft guidance issued by the UK’s Information Commissioner’s Office last week.
It has led to criticisms of the ICO’s draft guidance from leading charity consultant Ken Burnett, the Direct Marketing Association and the Institute of Fundraising. The Institute of Fundraising argues that the draft guidance from the Information Commissioner’s Office needs to be much clearer and that the draft guidance needed to be much specific for charities. The Direct Marketing Association went even further, saying that “The potential impact of the implied ban on opt-out consent could be significant for many businesses, but particularly those in the third sector.”
Now, the Fundraising Regulator has called for an urgent amendment to the ICO’s draft guidance on consent under the new European Union General Data Protection Regulation. It has also called for the guidance that is due to come into force in May 2018 to not just refer to the private sector in key points of the guidance but to the charity sector too.
Concerning the opt-in issue the Fundraising Regulator states in its response to the draft guidelines from the ICO:
“We note that the guidance emphasises that consent requires a “positive opt-in”, and that “there is no such thing as opt-out consent”. However, the ICO’s pre-GDPR Direct Marketing guidance from May 2016 talked about a “positive action” and explicitly provided some limited examples of where “opt out” consent could potentially be legitimate under pre-GDPR regulations. While we appreciate and support the need for stronger wording in the new guidance under the stricter GDPR, we would advocate that a statement is provided acknowledging a change in language used and contextualising this, to avoid the risk of being seen to contradict previous guidance. This could be as simple as adding that “there is no such thing as opt-out consent under GDPR”.
It also has an issue with the draft guidance where it states that “they can use the FPS to withdraw consent from all charities at once”. The Fundraising Regulator argues that “The new service will not allow individuals to use the FPS to ‘withdraw consent from all charities at once’. It will allow individuals to withdraw consent from specific charities that they name.”
To date, the Information Commissioner’s Office has not responded in any way to the criticisms from the Fundraising Regulator, the Direct Marketing Association or the Institute of Fundraising.