This talk is the third talk in a series about "The impact of the GDPR in the Higher Education sector". You can view the other talks by following this link.
General Data Protection Regulation (GDPR) is a European Union (EU) regulation intended to strengthen and unify data protection for all individuals within the EU. The enforcement date is 25th May 2018, at which time organisations in non-compliance will face heavy fines.
What will that mean for Higher Education Institutes (HEI) and other public institutions that need to deal with students' and prospects' personal data on a daily basis?
These and other questions were the focus of an event organised by FULL FABRIC, where a series of subject matter experts explain the impacts and the opportunities created by this regulation.
This is the third video in a series of six, with Victoria Cetinkaya, senior policy officer at the Information Commissioner's Office (ICO), and her talk focuses on direct marketing and fundraising under the GDPR guidelines.
00:07 Victoria Cetinkaya: That's lovely, thanks very much. As said I'm Victoria Cetinkaya from the ICO. I know in the previous presentation, Elizabeth Denham, the Information Commissioner, was mentioned quite a few times. Obviously, I work in Elizabeth's office so she's my boss, effectively. And we are the national regulator for the Data Protection Act currently, and obviously, will be for the GDPR going forward. So that's a little bit about us. In terms of what I'm gonna talk to you about, it's gonna get quite specific in terms of one specific area of compliance. I've been asked to talk about direct marketing and fundraising under the GDPR, but obviously I'm happy to sort of broaden out a little bit if any other issues come up as we go along.
00:51 VC: I'm gonna give a little bit of context first. Obviously, we've just had a presentation saying that, "The GDPR is law. You are gonna have to comply with it from the 25th of May 2018." That's fine, we know that. And that it's gonna cover all the personal data processing that you do. Also fine. But obviously, I'm talking about direct marketing and fundraising, and we need a little bit of context from the current law, I think, before we actually make a start. So this is the contextual bit, if you like. It was mentioned, actually, in the previous presentation, that we at the ICO have, in the past few months, taken enforcement action against a number of charities for their fundraising activities. These are the reasons why we took that action, and they will still be relevant under GDPR. So they set a nice bit of context for us, but they allow you to look at how you're going to be able to process this sort of data going forward as well.
01:52 VC: So the first reason why we were taking this action against charities was around the use of publicly available data. And what we found the charities were doing was they were skimming lots of publicly available stuff from LinkedIn, from Companies House, from Facebook, all about people who were potential donors, whether they be alumni, whether they just be other individuals. And they were scraping an awful lot of information that was publicly available. And when they put that all together, they actually made quite a large, detailed picture of the individuals that they were processing personal data about. And the key thing that they weren't doing was telling anybody about that. So they were actually creating quite detailed pictures about individuals by collecting seemingly innocuous stuff, bit of stuff from Companies House, bit of stuff from LinkedIn. But actually, in doing so, creating quite a detailed picture. Key point, no fair processing. It wasn't in the privacy notice, they weren't telling people about it. So the fair and lawful principle is obviously one that doesn't appear to have been complied with from the start there.
03:03 VC: Similar issue was around wealth screening. And they were using some of this publicly available data, actually, but other data they collected too, to screen people to see who would be most likely to be able to give increased donations in the future, who might be likely to give a legacy in future, who might be able to go from not donating at all to actually donating now. And again, the key issue with the wealth screening that they were doing, some of which was fairly innocuous and some of which was highly intrusive, but the key point was, again, they weren't telling anybody. So people, perhaps you and I, as alumni of universities, were having pictures created about us and about our financial situation, and about our propensity to give, without our knowledge. So again, that meant that we didn't have the opportunity to think whether we were happy for that to happen, and/or indeed to object. So again, about the fair processing, it's about the privacy notice information that wasn't being given to individuals. Obviously, once you get to the more intrusive end of the scale, that is employing third-party organisations to really do a detailed job in terms of collecting lots of information about people and analysing their likelihood to give legacies when they die and things like that, some of that was verging on the unfair as well, but certainly the initial problem was about not giving the privacy notice information.
04:32 VC: And then a final issue that was one that we saw across a lot of charities was that they were data matching and tele-appending. And we had a problem with this because I think of my situation. For example, I went to university. My university has certain of my details. They have my email address, they have my postal address. They send me a magazine every now and again, they send me emails. I'm really happy for them to do that, that's great. What I don't want them to do is phone me up and ask me for money, because I don't like being phoned up and asked for money. And because of that, I didn't give them my phone number.
05:09 VC: Now, what some charities were doing was they were looking around, again, perhaps that publicly available information, and picking people's phone numbers, picking other parts... Other details from other areas online. So for example, if somebody had left their Facebook account open and they'd got their phone number on there, they were taking that, they were putting it in the database, and if that person hadn't said... Hadn't registered to TPS, for example, the Telephone Preference Service, they were saying, "It's fine, it's publicly available. They haven't registered on TPS, they haven't told us not to call. We'll use it. We'll call them." And again, we thought that that was unfair, because perhaps that person actually didn't want them to have their phone number. And okay, even though that person had left their phone number online inadvertently, there's a lot of inadvertent stuff that ends up online but that doesn't mean it's fair game for absolutely anybody to use it for whatever they like.
06:03 VC: So that was the emphasis of the enforcement action that we took and we did all that under the Data Protection Act, the current law. But all of that is still relevant under GDPR. So with that as a context, and moving forward into how GDPR is going to affect what we do for fundraising and marketing purposes, I think we've probably covered a lot of this in the previous presentation, in terms of what the GDPR is and what its highlights are really all about. So I won't labour on any of these at all. I think we probably know now that there are the same basic principles as in the current Data Protection Act. The fair and lawful and transparent principle is there, although transparent is explicitly mentioned within the principle, which it wasn't under the Data Protection Act. So again, that's an emphasis of, or rather it's an indication as to where the emphasis is moving to, i.e., that increased transparency.
07:00 VC: Accountability is the new principle and, again, as the previous speaker very rightly said, Elizabeth Denham, our office is very keen on this one. We think this is gonna be quite a big piece of work for a lot of organisations because you're going to have to go from complying with the Data Protection Act and registering with the ICO once a year and paying your £35 or your £250 if you're a bigger organisation. You're gonna have to go from that to actually being able to, making sure that you keep proper records to demonstrate how you comply with the law, as opposed to just saying, "Yeah, we comply," and asking us to prove you wrong if such an incident happens that we investigate it. It's about actively, proactively proving that you comply.
07:54 VC: New rights for individuals and strengthening of existing rights, we've talked about that already in the previous session. There are new rights and there are existing rights that are made stronger. Breach reporting has also been talked about, that within 72 hours saying that's new. Data protection impact assessments; this could be something that will come up in fundraising and marketing. There are certain requirements in certain situations to do data protection impact assessments. At the ICO, as a regulator, we've been recommending that organisations do these things, for years. So if you're doing anything that creates a risk to someone's personal data, we would say as a regulator, consider whether a privacy impact assessment, as we call them at the moment, or a data protection impact assessment, as they're called in GDPR, consider whether one of those would be appropriate to do. And of course, there are higher penalties for non-compliance. We've also spoken about that too in the previous session. For a rundown of the law itself and, also, for links to the guidance that Europe has written so far, and that we at the ICO have written so far, there's a link at the bottom there on our website. The Data Protection Reform micro site has got all the links that you'll need in there.
09:09 VC: So, GDPR and fundraising is what we're here to talk about today. Obviously, based on everything you've heard already, it's abundantly clear that everything you do with people's personal data is going to have to comply with GDPR. Therefore, alumni relations and fundraising activities are going to have to comply with GDPR. Now, a really important part of that and an increasingly important part of compliance with the law is around which lawful basis you're using to process the data that you process about people. Now, under the Data Protection Act, you needed to have a lawful basis. It was just framed slightly differently. You had to be able to point to one of what was called a scheduled condition in the back of the Data Protection Act to say, "This is what I... I'm processing people's personal data because," for example, "I have their consent." Or, "Because," for example, "I have a legal obligation that means I have to collect information about people and give it to HESA," for example. And there were a number of those and you could basically pick which one fitted your situation most appropriately.
10:15 VC: And this is what is the same under GDPR. There are lawful bases for processing people's personal data. So for the obtaining people's personal data that you do, for using it, whether that's to contact people or whether it's to analyse, to screen them in some way, you will need a lawful basis for doing that. Basically, you need a general lawful basis for the fundraising activities that you do. And there has been an awful lot of debate and discussion in the university sector, around, well, which lawful basis is appropriate. Because there was a very big worry that the only one that might be appropriate would be consent. And everyone was a little bit concerned about that, that actually what you don't wanna be doing is actively asking every single person in the university, or every single donor, "Is it okay for us to continue to hold your data and for us to contact you in whatever way, in any way, about fundraising?"
11:14 VC: But there's this other condition called legitimate interest, which kind of crops up quite a lot in conversations about which lawful basis is the appropriate one. I'm gonna go into that in a moment, but just suffice to say that whichever lawful basis you choose to use, or whichever one applies, or you are able to rely on, you must ensure you give appropriate privacy notice information. That's already been mentioned before. That's really key. Transparency is really, really important. One really important part of processing of people's personal data that you do, under the GDPR, is that you need to know what personal data you've got about people, know why you process it, know where it is, what you do with it, who you share it with, how long you keep it for. So you have to know all that as an institution and then you have to put all that in a very nice, easy to read way for people to read, understand so they know exactly what you're doing with their personal data. And that's essentially what the privacy notice is all about.
12:13 VC: So whatever lawful basis you do rely on, you will need to have a privacy notice in place explaining to people what you do with their personal data for fundraising purposes, or indeed for any other. But back to this lawful basis thing, the list of lawful bases for processing people's personal data, are pretty similar to the old ones in the Data Protection Act, actually. And that's the list. The key thing to remember for fundraising, and indeed for anything else, is that consent is only one of the lawful bases that you can choose to point to. Which means that you don't need consent for everything that you do with people's personal data.
12:53 VC: In fact, in some situations, it's absurd to think that you would need someone's consent. Say you're collecting information from students because you need it to be able to process their admission... Their admissions application. So for example, you need to know what A Level results they received. They don't get a choice about that, they can't say, "Do you know, I'd rather not tell you, I'd just rather you give me a place." That's absurd, so you're not doing that on the basis of consent, you are doing that on another lawful basis and your lawful basis could be a task carried out in the public interest, actually, because education as a whole is your task that you carry out in the public interest. And therefore you are doing that and you need that information to be able to carry out your task of admitting students. Or it could be a contractual basis, maybe your contract between you and the student. It's up to the institution to work out which ones actually apply in which situations. But suffice to say that in a situation like that, consent is not the one.
13:57 VC: Now, from a fundraising and marketing purpose situation, you can see that a few of them are clearly not applicable. You have no legal obligation to fundraise and market, so that one's out. You have vital interest, that's to do with life and death situations. That's the one where sharing information with ambulance services and things like that. So again, clearly out. There are a few, though, that might just work. Consent is obviously one of them and some of the things that you do to fundraise and market people absolutely have to be done on the basis of consent, because maybe there are other laws that say, you have to do it on the basis of consent. ePrivacy laws, the PECR at the moment, which is becoming the ePrivacy regulation in a few months time, next year, requires that if you are to e-mail somebody for the purposes of marketing, and fundraising is a type of marketing as far as the law is concerned, if you are e-mailing someone for those purposes, you must have their consent. And because that other law specifies that, then obviously you're gonna have to do that on the basis of consent under GDPR as well.
15:10 VC: But there are other things, maybe just collecting people's information in the first place, from the point of view of fundraising or marketing, or perhaps things you might do, like writing to people using good old-fashioned paper, that may be the other lawful bases might work. You don't always have to use consent for absolutely everything. The big question that came up in the higher education sector, though, was all around... Well, hang on, the GDPR has this thing that says, "Legitimate interest condition cannot be used by public authorities." And then the big question was, "Well, are universities public authorities?" Because they are for freedom of information. From a freedom of information point of view, you're a public authority. You have to respond to FOI requests.
16:03 VC: Much debate was heard about this. We have, as a regulator, been having a bit of thought about this, and we think the way that we're going to approach it is, at the moment we don't know 100% for sure whether a university is going to be a public authority under the GDPR. Probably are, but at the moment it's not 100% clear. And that's because, first of all, these derogation things that were mentioned in the previous... In the previous session, that actually, DCMS, the Department for Culture, Media and Sport, if they want to, could make another piece of law underneath the GDPR to say, "These organisations are public authorities," and make a big, long list of them, perhaps in another data protection law. Whether they were gonna do that or not, we don't know. I suspect they've probably got other things to think about in terms of legislating.
16:58 VC: But if they were to put that into legislation and define who is a public authority then obviously that would make it 100% clear. That's the first tier, if you like. If they do that, then we'll know 100% for sure whether you're a public authority or not. Or it may just be that we'll decide at a governmental level or even at the regulator level that we'll take a view and we'll put it in guidance that actually the FOI definition of public authorities should apply to GDPR as well. So that could be the approach that's taken, which is why I'm saying it's not cast iron, it's not concrete, but at the moment, I would work on the basis that you're probably going to be public authorities for the purposes of the GDPR.
17:38 VC: So that means, can we use legitimate interest? Well, all is not lost because the way the law's written, the law says it's not just that public authorities can't use legitimate interest full stop, the law doesn't say that. What the GDPR does say is that public authorities cannot use legitimate interests when they are carrying out their public tasks. Now, the way we are probably going to interpret that is saying that actually there are some organisations that have public tasks. If you're a public authority, your sort of educational functions probably are part of your public task. Fundraising and marketing, though, probably isn't part of your public task. Fundraising and marketing is probably just something else on the periphery that you do, more towards the commercial side of your organisation, if you like. And we recognize that there are some public authorities who are kind of hybrid authorities. You've got some public functions but you've also got some stuff that you do that is less public, a less public task, a little bit more just stuff that you do as part of your commercial side. So that's probably the approach we're gonna take, and we've touched on that in our draft consent guidance, if anybody's read that, which will be finalised very shortly, but certainly in the draft version.
19:03 VC: So that means then that there's a possibility that the legitimate interest condition could be used for purposes of fundraising and marketing. Massive, massive reminder, though, some things you do for fundraising and marketing will always need consent. But for other things there is a possibility that legitimate interest could still work for you.
19:24 VC: Why is that all really important? Well, that's all really important because you need to know which lawful basis you're working to for the processing that you do, because actually that can determine what rights are available to the individuals whose data you're processing. So if you're processing for the purposes, for example, of a legal obligation, so you have to collect certain data from students because you have to give it to HESA or you have to... Have another legal obligation, maybe equalities legislation or something, if you have to collect the information 'cause the law tells you to, then they're not going to be able to object to that. You can just tell them in your privacy notice, "We have to collect certain information about you, and we have to give it to certain organisations, and you haven't got a choice."
20:11 VC: However, if you're processing on the basis of consent, as I'll tell you in a minute, consent has a very, very high bar, it's a very high standard. So obviously it has to be withdraw-able, obviously all rights apply when we're talking about processing on the basis of consent. So whichever lawful basis you use will determine which rights are available to the individuals whose data you're processing. So as I say, probably what we think is that fundraising and marketing for the purposes of GDPR, some might be able to go in legitimate interest and some will have to go in consent. It's not all doom and gloom, not all is dead. And again we've got guidance at the moment on consent, we will be drafting guidance on legitimate interest and public task and some of the other bases in the next few months. So hopefully all this stuff will go into guidance soon.
21:07 VC: Ooh, that went a bit quick! Right, so I've mentioned legitimate interest and that it's not necessarily ruled out for all of the activities that you might do as a university, and for fundraising as well. So you might think, "Great. Some stuff you don't need to get consent for, legitimate interest just means, 'Yeah, I can do it. It's in our interest to do it so we'll just go and do it.'" It's not an easy option, it's not a catch-all, by any means. The key thing to remember is that pink bit in the middle about your interests being overridden by the interests, and rights, and freedoms of the data subject. The idea of legitimate interest is that you can say, "Okay. Well, fundraising is a legitimate interest of the university. We get some money from some areas, but we actually do need to make some money of our own. We need to fundraise. So it's a legitimate interest of our university to raise some money. Okay, we'll go with that." However, that legitimate interest of yours to fundraise can be overridden by the privacy rights of the people whose personal data you are processing in order to fundraise. So that basically means that anything does not go. You have to do a balancing act essentially as to which weighs more, your interest in fundraising or the privacy rights of the individual that you're doing... Whose data you're processing in order to fundraise. And so actually it can be quite difficult doing that weighting exercise.
22:43 VC: So that's all about making sure that you're being fair to them, making sure you're letting them know what you're doing, making sure you're giving them the opportunity to know what they're doing so they can object if they have a problem. So it's not as... It's absolutely not a perfect get-out clause, but it can work in some situations.
23:05 VC: Consent, on the other hand, and some of the stuff you do you will have to get consent for, email marketing, always consent, telephone marketing, if the person you're phoning is on the TPS, the Telephone Preference Service, you always need explicit consent in that situation as well. And anything that tips the balance when you do your legitimate interest test, anything that, "Actually, we'd really like to do this but it's probably... It does interfere a bit with the privacy rights of the people and so probably we should ask them whether it's okay to do it, rather than just telling them that we're gonna do it." So in those situations you'll be obtaining consent, and this is what the GDPR says about consent. Some of it is, you'll recognise it from the old Data Protection Directive, if you're a data protection legislation avid reader.
24:00 VC: So freely given, that was there before, still very important, though. Specific, same again, that was there before, very important. Informed. And unambiguous, that's new. Indication of the data subject's wishes, by which he or she by a statement or by a clear affirmative action, that's new, signifies agreement to the processing of personal data relating to him or her. Now we say that that is tighter than consent was under the Data Protection Directive. So the standard of consent is higher than it was under the old law. So when you're obtaining someone's consent, you have to be really clear about informing them what they're consenting to. And then you have to be really very clear in making sure that they give you a statement or a clear affirmative action that they are agreeing to what you're asking them to agree to. That means no more opt-out tick boxes. No more, "We're gonna do this if you don't tick this little box just here," or any other confusing combination of those things. That is no longer going to be okay from a consent point of view.
25:13 VC: The GDPR specifically says also that pre-ticked opt-in boxes are not okay either. "So I consent to you processing my personal data, for this, that, and the other, if you don't agree with this, untick this box." Again, it's confusing, and people don't know whether they've agreed or not agreed, whether they should be ticking or un-ticking. So again, to remove all of that confusion the GDPR says, "No pre-ticked opt-in boxes," they're not allowed. And we as the regulator have taken the view that actually that basically means opt-out ain't gonna work from a point of consent for GDPR. Consent is going to have to be opt-in. So that is a clear statement with tick box and people actively tick it or they actively agree to something over the telephone, or in a conversation, or sign a statement, or something. So it has to be clear, it has to be affirmative, and it has to be an opt-in situation when we're talking about fundraising and marketing. So that probably means you'll have to review what you do on consent. Wider stuff about what we think about consent under GDPR is available in our draft GDPR Consent Guidance, so do have a look at that.
26:32 VC: So you have a to-do list, I suspect, if fundraising and marketing is your area. If it's not, if general data protection is your area, you need to make sure that you're talking to your Alumni Development Office or anyone else who deals with that sort of stuff to make sure that you are aligned with what's required. So in terms of fundraising and marketing you need to review your fundraising and marketing activities, review what data you hold at the moment for fundraising and marketing, review the basis on which you hold it. Any consents that you have, would the consent that you have at the moment hit the bar for GDPR consent, and if it doesn't then you need to consider, "Do we need consent for this stuff? And if we do, then we're gonna have to think about how we go about getting consent for it." So that could be quite a big job for some organisations. And of course, all of this is linked to, which lawful basis are you actually going to be using for processing the personal data that you do?
27:35 VC: So are you going to be going down a consent route? Are you going to be saying that some of this stuff is your public task? Are you going to be saying that you're going to go with legitimate interest because you're quite clear that this is not part of your public task? So again, that's about working out which lawful basis you're working on, and that will inform what rights you have to... What rights you have to comply with in terms of the individuals and whether you need consent, and so on. And then underpinning all of that, you're going to have to review your privacy notices to make sure that they're up to scratch as well, not just around adding the lawful basis to it, but there's quite a few things that you'll need to add, not just for fundraising and marketing, but in general, things about retention, things about all people or all the rights that are available to individuals.
28:25 VC: As I've said, we've got plenty of guidance on our website, ico.org.uk, and obviously that guidance is being added to on a regular basis. If you want to know when new guidance is coming out, you can sign up to our e-newsletter via our website, and that gives you a monthly rundown of all sorts of things, data protection and freedom of information, but it will also tell you what new guidance has been published that month. We also have a helpline. So you can actually phone us at our office in Wilmslow and you will speak to people who really have a good understanding about the law and will be able to give you advice or at least point you in the direction of the right piece of guidance that will help you. So, yes, you do have a to-do list, not just for fundraising and marketing, of course, but fundraising and marketing specifically these things, I think. And yeah, there we go! So I think we've probably got time for some questions.
29:23 Speaker 2: Okay. I had a few questions before I put the questions up from HESA. The first one was, I have a friend who's the head of fundraising at UNHCR, and your description there got me thinking if they've identified an individual they thought, "Great. This person is really well aligned with our fundraising objectives," and they have a publicly available telephone number on their website, what's the kind of guidance around if they can... Will that person have a conversation and if they decide not to go along with that conversation, that stops. Can you have that initial conversation in the first place?
30:03 VC: Well, I think it's probably fair to say that that conversation, even the initial one, would be for the purposes of fundraising and marketing. That's the first question you need to ask yourself as an organisation. Is what I'm doing for the purposes of fundraising or marketing? And even those early conversations probably are because you're trying to find new prospects, essentially. So you would still have to comply with all the law around that. So I guess, technically speaking, it would be from a telephone number point of view, are they on TPS. So you should be able to screen... You should screen the Telephone Preference Service, because if you were to phone them in an unsolicited way, then that would be... That wouldn't be complying with their TPS registration. So that would be a key technical thing, I think, to remember. If they weren't on TPS, then I guess it would be about making sure that when you did speak to them, you were very clear about why you were doing it, and that you made sure that they understood what you'd be doing with any information that you're gaining from them. So transparency is the key. Unless there's any particular requirements within the law about not doing something or about getting explicit consent for something, then really it's just about transparency and being fair to people.
31:19 S2: Okay, and then my second one was, for the people in the room, if they've got data previously acquired through opt-ins or whether it's WiFi forms, or competitions and things like that, is that data still valid, or does it have to be reconfirmed in light of GDPR?
31:34 VC: Yeah, the way GDPR approaches this is that any consent that you have prior to GDPR, will have to hit the standard of GDPR consent come 25th of May 2018. So that's why it's really important to review what you've got, and if it doesn't hit that bar of GDPR consent, then you have to be thinking now, "What shall we do about it?" I know what some institutions are doing, have done, is they've chosen to write to people on paper, the ones that they clearly don't have consent for. Again, perhaps the telephone number if you have it and if they're not on TPS. So again, it's about working out what your options are. But they will absolutely have to be reviewed, because if you use an old consent that's not GDPR standard, post 25th of May 2018, then you'll be breaking the law.
32:28 Speaker 3: Can I ask why [32:30] ____.
32:33 VC: Yeah, that's because of the Privacy and Electronic Communications Regulations, which come from a European ePrivacy Directive, and that specifically gives extra protections to electronic data processed from electronic marketing. So emails, SMS texts, and the telephone... Telephone if someone's on TPS, have a higher level of protection at the moment than paper-based, or telephones that are not TPS registered. Again, the ePrivacy regulation is in draft at the moment, and may change that, actually. But if it does, it'll probably just put everything at the same level. Obviously, it can't affect written, but it can affect telephone numbers who are not on the TPS at the moment. So it's worth keeping an eye out to see what happens with that too.
33:27 S2: This is quite a budgetary consideration as well, sending out huge volumes of paper-based...
33:33 VC: It is, it is. There's lots of good practice out there, and there's lots of organisations who have been doing some work and can share what they're doing. I know we've spoken to organisations like Universities UK and CASE about it, who are doing work at the moment on guidance and trying to assist the sector in complying in a way that isn't going to ruin your fundraising and development activities.
34:01 S2: Okay, so I think we'll kick off with my favourite question so far. Will GDPR data requests become the new PPI?
34:12 VC: Yeah, who knows, it could be. Certainly, at the moment organisations do have obligations to give people their personal data if they ask for it. GDPR does strengthen those rights to some extent, but only to the extent of protecting the individuals whose data it is. So it's about just being as clear about what data you've got, where you've got it, what you're doing with it, and being as transparent as possible to people, so that you don't find yourself getting the reputational damage that might result in being inundated by lots of requests, I guess.
34:49 S2: Okay, next up. What happens if we buy third-party data for marketing purposes?
34:56 VC: You see, that is now becoming a problem, because if you think about it, not only... It depends what the data is, obviously. If it's a load of emails, then you've got to think, "Have those people consented to receive email marketing from my organisation?" And probably they haven't. Because what we're say... What we say is that you know those old-fashioned disclaimers that used to be on forms saying, "We may share your data with selected third parties and tick here if you don't want this to happen." That's an absolute no-no under GDPR, because that's not consent. It's not clear as to who your data might be shared with. Selected third parties does not hit that bar, and again it's not proper opt-in either. So if you're buying a list that's been collected on that basis, it's not gonna hit the bar. You're not gonna be able to use it to email people.
35:53 S2: Okay, another one here. Can consent be given verbally, for example, a prospect that walks in on campus or calls for [36:00] ____?
36:01 VC: Yeah, it can. Consent, I think it mentions about a statement or a clear affirmative action. And a statement can be verbal or written. So yes, you can collect consent verbally. That's fine. The only thing you'll have to consider from your compliance point of view is recording that. Because if you go back to what I said about the accountability principle and how that's quite important, accountability requires that you demonstrate compliance. And that means that you record the consents that you've obtained. So it's about making sure you've got a good way, a good policy of how you would record that.
36:38 S2: Do we have any further questions from the audience?
36:42 Speaker 4: Just when you talk about universities being public authorities, would you differentiate between universities and alternative providers and [36:49] ____ private?
36:52 VC: So a completely private university. Well, I guess from the point of view of if we were to take the FOI definition... And again, it's all subject to what definition ends up being taken, whether that's from a legislation basis, or whether it's from a guidance basis. Universities that are entirely independent at the moment don't fall under the FOI public authorities definition. So if we were to go with that, then it would be the same. They could just use legitimate interests across the board.
37:24 Speaker 5: Hi. Just a quick question, alumni is one of the big hot topics that we keep on picking up. So my understanding from what you said, you sort of quite clearly showed your thoughts at the moment, but your recommendation at the moment is in a few months time, there will be some guidance. My only push back on that is you're not giving people a lot of time to get this sorted.
37:50 VC: Agreed, agreed. We're all under pressure to try and get this done as soon as we possibly can. And that's why we are trying to give a little bit as to what our current thinking is, so you've got a steer in what direction you can go in. Obviously, until such time as we get the absolute from DCMS to say, "Yes, we're gonna legislate," or, "No, we're not gonna legislate on this particular point," then we can't write any concrete guidance. But at the moment, we're trying our very best to give a steer, at least where there is not guidance.
38:25 S5: That whole thing around processing and consent is something that within my company, I just don't have the answers to deliver to our marketing teams. And that's quite difficult 'cause they're trying to do their bit, trying to make sure they're gonna be compliant. We've got lots of work to do. So yeah, as soon as possible is my plea.
38:45 VC: Absolutely, yeah.
38:49 S5: Next May, if it doesn't come out.
38:50 VC: Absolutely. Technically speaking, from next May... From the 25th of May, you all have to comply. And if we get complaints, we're gonna have to deal with them under GDPR. And obviously, the increased fines are obviously going to be available to us, as the regulator. However we are, at the moment, a proportionate regulator. We do take everything into account in terms of the efforts that an organisation has made, and whether it's intentional or not, and that sort of thing. And that's what we're pushing for in the guidance at the moment, that in terms of the approach that is taken, re-administrative fines, that the same proportionate approach is going to be the one that we're going to follow.
39:31 S2: Time for one more at the back.
39:34 Speaker 6: Obviously we give those at the point of collection to the individual. And what happens when we are collecting third party data, where they aren't aware that we've collected the data, say we've received them from an organisation? Will we get around those notices by having like an online or generic?
39:54 VC: Yeah. Actually, there is a different article. There's two articles in the law. One is for information that you've obtained directly from the data subject, and the other one is for information that you've obtained indirectly, albeit, as you say, legitimately. And the requirements are slightly different, bearing in mind the fact that the situations are slightly different. So yes, it's about making sure that you do have a clear privacy notice online. One thing we would say as a regulator, though, is that you consider whether there's anything in there that you need to actively make people aware of. Sharing, for example. If you obtain someone's data indirectly and then you share it with somebody else, again, legitimately, that's the time when we'd say you probably need to be thinking about actively making people aware that you've got the data and that you're gonna share it with them.