Legitimate interest and ePrivacy: Non-profit GDPR advice
A new eBook from Blackbaud Europe has pulled together various elements of charity-specific GDPR guidance.
The below is an abridged excerpt, written by Cameron Stoll, DPO for Blackbaud and accredited by the IAPP as a Certified Information Privacy Professional with respect to both US and EU laws (CIPP/US and CIPP/E).
The discourse about the General Data Protection Regulation (GDPR) has been dominated by the topic of consent: “When do you need it?”, “How do you collect it?”, “How do you prove you have it?”
There are good reasons why consent has dominated the discussion but it’s easy to forget that GDPR also sets out five other legal bases that organisations can use to process personal data, depending on the type of processing.
Below are some examples of how the legal bases may be used to justify some common processing activities:
- Consent: sending e-mail newsletters and appeals
- Contract Performance: processing payment information when a person buys concert tickets online
- Legal Obligation: using donor information to file Gift Aid
- Protecting Vital Interests: processing health information to provide emergency health care treatment
- Public Interest Task/Authority: universities mailing out student reports at the end of the term
- Legitimate Interests: conducting wealth scoring analysis on potential donors
Many non-profits are relying on the legitimate interest basis for some of their uses of constituents’ personal data, like performing analytics. Using legitimate interest requires that you:
- Conduct a balancing test
- Tell constituents that you’re relying on legitimate
- Allow constituents to opt out of the processing.
Here comes the legal bit…
The legitimate interest basis makes processing lawful if it is necessary for the legitimate interests of the controller (i.e. the non-profit) and requires the successful outcome of a balancing test between the data subject’s right to privacy and the organisation’s interests.
GDPR does add two requirements to processing for legitimate interests:
First, the controller must explicitly inform data subjects at the time of collection the purposes of the processing and the legitimate interest it is relying on to process the data. In other words, it is not enough for a controller to internally decide to rely on legitimate interests as a basis for processing, it must also outwardly state such determination in its privacy notice or other communication to the data subject.
Secondly, the controller must document and retain its analysis under the legitimate interest balancing test.
PECR / ePrivacy
Before you mothball all your plans to collect consent to send direct marketing in favour of relying on legitimate interests, keep in mind that to send unsolicited marketing by e-mail, fax, text, or phone, an organisation must comply with both GDPR and the UK’s Privacy and Electronic Communication Regulations (“PECR”).
Under PECR, to send direct marketing to ‘natural persons’, you either:
- need consent, or
- need to be marketing to an existing customer in the context of the sale of a product or service. This is referred to as the “soft opt-in.” Only organisations selling goods or services can take advantage of the soft opt-in, which is why non-profits are so focused on obtaining consent; because fundraising organisations largely can’t use the soft opt-in to send marketing emails.
Your choice of legal bases impacts how much control constituents must stop your use of their data.
When you process data based on consent, public tasks or legitimate interests, constituents have the right to withdraw consent (for the first) or object to the processing (for the latter two).
The eBook this is taken from, produced by non-profit technologist Blackbaud Europe, features chapters by Dan Fluskey (Institute of Fundraising), Zoe Amar (Zoe Amar Communications), and Howard Lake (UK Fundraising) among others.
It covers the impact of GDPR on topics ranging from fundraising, donor stewardship and grant-making, to charity governance, digital marketing and data analytics.