1) There is no significant charity exemption to data protection or marketing law.
Maybe there should be. There isn’t.
2) The ends never legalise the means.
3) If a donor or other individual does not understand what you are doing with
their personal data, the practical effect is that you can’t do it, whatever it is.
The same is true for consent – if a person doesn’t understand what you’re
doing, you can’t argue that they have consented to it.
4) You don’t need consent for every use of personal data, but if you don’t have
consent, you need to know what other justification you have that allows you
to use the data. The other reasons are specifically set out in the Data
Protection Act and the GDPR.
5) You cannot assume consent. Failure to opt out is not consent. Silence is not
consent. Previous support is not consent. A donation I give you today is not
consent for something tomorrow.
6) Volunteers are no different to employees; they must be trained and
equipped to protect data. There is no volunteer exemption. Using volunteers
is a choice you have made, and you are responsible for ensuring that you
manage the risks adequately.
7) If you contract out any work to an agency or contractor, you are wholly
responsible for what they do, unless they steal your personal data or
otherwise use it for their own purposes.
8) Personal data available in the public domain is still personal data and Data
Protection still applies to it.
9) There are specific rules for consent over the method of communicating
fundraising and other direct marketing communications. Beyond that, you
have to decide whether you need consent or whether some other condition