Guest blog by: Paul Dawson-Hart, Member360
Now that the GDPR bandwagon is at warp speed, it is refreshing that Elizabeth Denham, the Information Commissioner, came out fighting last month with her blog countering the GDPR myths that snake-oil vendors are spreading about fines, data protection officers, breach reporting and the subject of this blog: consent, or rather legitimate interests (ours, that is, as a membership sector).
With all the noise around the end of opt-outs, the demise of pre-ticked boxes and the future of soft opt-ins, it would be easy to lose sight of the fact that consent is just one of six grounds for lawful processing under Article 6, and there is no hierarchy between them: all are equally valid.
Here are the three most relevant to the membership sector:
We'll focus on the legitimate interests of membership organisations and simplify matters further by concentrating solely on the postal channel, side-stepping the Privacy and Electronic Communications Regulations (PECR), which govern electronic marketing (more on this at our dedicated GDPR stream at the annual Digital Excellence conference). For those wedded to the digitisation of all communications, this blog might not be for you. However, for many organisations, including our reference case, The Woodland Trust, "post remains king".
When considering using ‘legitimate interests’ the following questions should be asked:
1) Do I really have one? A simple indication is your organisation's mission statement, objectives and aims. These are what your members signed up to, and they are the basis of your relationship.
2) Would the member reasonably expect you to process their personal data to send relevant postal marketing, necessary to fulfil and support these aims and their interest in them, given the relationship they have with you?
3) Does the processing override the member's interests or fundamental rights and freedoms?
4) What are the risks to the member from the type of processing taking place? Take into account the technical, organisational and security measures you have put, or are putting, in place internally and through your audit of your third-party processors.
This balancing act is explained in more detail in the Data Protection Network and DMA's guidance on legitimate interests. The document is thirty pages long, but I would highly recommend you read (or at least skim) it and get to grips with the concept of a three-stage Legitimate Interests Assessment (LIA): a purpose test (is there a legitimate interest?), a necessity test (is the processing necessary for it?) and a balancing test (do the member's interests and rights override it?).
Transparency is required of course (Article 5 – Principles), once you’ve undertaken the LIA:
1) Inform your membership of the basis of your decision by signposting the LIA in your online privacy statement, or as part of the information given to new joiners; perhaps a postal campaign aligned with renewals?
2) Ensure that the message and the statement are concise, transparent, intelligible and easily accessible; look to the BBC for good practice.
3) Be clear about what this means, and promote a simple mechanism for members to challenge the decision (effectively an opt-out, after which consent is the only lawful basis on which you could market to that member).
4) Remember that one of the rights you will have considered is the member's clear right to object to direct marketing (Article 21, Right to Object). There are no exemptions or grounds to refuse such an objection.
A great example of this approach in action is The Woodland Trust, an organisation of 750,000 members. The challenges of re-permissioning on this scale are significant. After considering the options, they have decided not to re-permission members for post and to rely instead on legitimate interests to communicate with, market to and fundraise from members through this channel, in line with the organisation's values and objectives.
For your GDPR readiness project, a risk-based approach should be adopted. How likely is a breach that results in reputational or financial damage? What about the risk of the consent-only route, if only 20% of members respond: what would you do then? Finally, how many members will challenge your LIA, assuming you don't stretch those interests too far?
The membership sector, and the not-for-profit sector more broadly, have a unique relationship with their members, and this needs consideration. That said, legal advice should be sought.
Good luck, and for more information and guidance on GDPR contact me at Paul@member360.co.uk