GDPR and Cyber Security: Mailing List Consent

Maintaining services in a changing legal environment

(This article was written in collaboration with Piers Clayden of ClaydenLaw and cross-posted to Cyber Security Intelligence.)

What usually springs to mind when we think of charities are the fundraising drives for the grand challenges they support or research. We’re asked to help end poverty, cure cancer, or fight injustice. The thousands of micro charities, non-profits and private clubs that enrich people’s lives by building and maintaining communities are far less visible.

The problem is the same, whether they’re a charity, helping people build a support network, a non-profit helping people gain work experience, or a small club, whose members pay a subscription to share a hobby... GDPR and Cyber Security both make meeting members' expectations harder.

The risk of decisions made in business and as a trustee are different, despite the fact that many of these organisations' volunteers are also business owners, volunteering their skills in their spare time...

Is GDPR dividing opinions so much that charities feel they have to stop fulfilling their purpose?

As a committee people make extremely conservative decisions. The least scary, lowest risk decision a small charity or club can make is to withdraw a contentious service.

GDPR is scary, especially with the level of accountability charities' trustees have to take for their decisions. Member services, providing personal data in directories and to generate support networks, fall into the grey area where smaller organisations could really do with some professional support to make decisions. As you're reading this, millions of small community-led organisations are deciding whether to stop providing services because they’re unclear about how their responsibilities have changed.

The divisions inside a committee of volunteers caused by the prospect of fines can be damaging - resulting in a loss of the skills and knowledge needed to fulfil the organisation’s purpose. What's worse, is that the services that they're considering withdrawing are the things that help people connect with their communities.

What do they need to know?

Google and Facebook share far more information about us than micro charities will ever collect - GDPR isn’t intended to stop us generating and sharing information. What is changing is that organisations collecting data must identify the lawful basis to carry out this activity. If they collect personal data there should be a transparency in their actions, and decisions that protect the data increasingly need to be documented, including the processes and security measures they will use to manage the risk of a breach.

Not collecting data is a legitimate cyber security measure, but good security isn't intended to be obstructive. Where organisations have to collect personal data that is used for several purposes, withdrawing one service does not reduce the cyber security risk - they still have to collect the data for the other services it fulfils.

Keeping data subjects safe is either a question of protecting or of not collecting data. Cyber risk relates to the value of data to hackers – as you collect information you collect risk. Adding some more security to reduce the risk would probably let them continue their projects. Most of the security measures that very small organisations use are cheap or free and the skills required to choose and document these choices only require a small amount of training.

The choice not to use data is reducing an entirely different risk – the risk that their members disagree with how their data is being used, or that the charity hasn’t understood the regulation. Here’s what Piers Clayden had to say about the legal aspects of helping people stay in touch:

“Small charities face a number of challenges when trying to work out how to comply with GDPR. The problem being that compliance will require the 2 things that small charities don’t have in abundance – time to drive through the necessary changes in practice and policy and money to take external advice (because the available guidance may not provide the answers you are looking for).

“Organisations who handle (‘process’) personal data can only do so legally where they have ‘lawful grounds’ for that processing. For charities trying to stay in touch with members and potential donors, the lawful grounds will most likely either be on the basis of the member/donors’ ‘consent’ or that the processing is necessary for the charity’s ‘legitimate interests’.

“If a charity can mount an arguable case for using the ‘legitimate interests’ grounds (and it does require some analysis) then it may save the charity from having to seek new consents from its existing database.”

So, any charity or club might have to rethink what they're doing with their personal data. It's unlikely to be a legitimate interest if the data is collected purely for marketing or fundraising, but charities and clubs have a huge advantage over businesses... transparency is part of their purpose. They've had to register with the charities commission or they have constitutions. So if you're questioning whether you can even afford to send every member a letter asking for their consent, or responsible for making decisions about a charity’s data use... what did you already promise your donors and members that you would do?