5.3 Data protection, privacy and electronic communications
Any society planning a share offer must pay careful attention to the regulations governing data protection, privacy and electronic communications. On 25 May 2018 the General Data Protection Regulation 2016 (GDPR) came into effect, replacing the Data Protection Act 1998, and sits alongside the Privacy and Electronic Communications Regulations 2003 (PECR). Societies that plan to collect and use personal data must be registered with the Information Commissioner’s Office (ICO), which is responsible for enforcing these regulations.
The GDPR requires that personal data must be:
- Collected only for specified, explicit and legitimate purposes
- Used lawfully, fairly and in a transparent manner
- Adequate, relevant and limited to what is necessary for the specified purposes
- Kept for no longer than is necessary for the specified purposes
- Accurate and up to date
- Processed in a manner which ensures security and protects against unlawful processing, accidental loss, destruction or damage.
PECR provides rules about direct marketing or advertising by electronic means such as automated phone, email, fax, text and picture messaging. It also has rules about website cookies, traffic data, location data and security breaches.
Societies need to establish the lawful basis on which they are collecting and using personal data. The GDPR sets out six legal grounds for doing so, of which the following three may be particularly relevant to societies making community share offers:
- Compliance with a legal obligation: this covers applications for membership where the society has a legal obligation to maintain registers of members and directors, inform members of general meetings, and participate in elections and special resolutions.
- Performance of a contract with the data subject: a society has a contract with members as shareholders in the society, and matters associated with that shareholding.
- Consent: this is where the data subject has given their positive consent for their personal data to be used for a specified purpose. It could be used to cover non-statutory communications with members, such as newsletters, marketing campaigns, members’ events and activities. Consent could also be used for gathering and using personal data of supporters who have expressed an interest in a forthcoming share offer, or pledged their support in some other way.
Most community share offers collect personal data on the legal grounds associated with membership and the contractual obligations associated with share capital. If a society intends to use the personal data it collects through the share offer for any other purpose, it must obtain the active consent of the applicant. This could include using personal data for direct marketing, member campaigns and events, or volunteer activities. Consent must be freely given, specific, informed and unambiguous. This means that the person must opt-in to providing their personal data for the given purpose and it must be as easy to withdraw consent as to give consent.
Societies collecting personal data, including via share offer application forms, must issue a privacy notice to applicants, which identifies the society, the legal grounds and purposes for collecting and using this data, the length of time the data will be stored, the individual’s rights over this data and their right of complaint to the ICO. A privacy notice can be included in the share offer document, application form or by reference to a document on the society’s website.
GDPR draws a distinction between personal data and sensitive personal data, which is subject to stricter controls. Sensitive personal data includes information such as a person’s health, ethnicity, sexual orientation, opinions or beliefs. Financial information, such as a member’s shareholding, or bank account details, is not considered to be sensitive personal data.
GDPR also provides special protection for children’s personal data, deeming 16 as the minimum age for consent in this context. Any society offering membership to under 16s needs to obtain parental consent for the collection and use of the child’s personal data.
Any society working with a digital platform to promote its community share offer needs to understand how its contract with the digital platform is GDPR compliant. The starting point is to determine which party is the data controller. In some cases, the digital platform will start out as the data controller and will only hand over responsibility as data controller to the society when the share offer is complete. In such instances it is important for a society to determine how it intends to use the personal data it will be given, and the lawful basis on which it may use such data. If the intended personal data use requires active consent, then it is important that the digital platform obtains this consent on behalf of the society. In other cases, the society will be the data controller at all times and is employing the digital platform as a third party contractor and data processor. It is important that the society has a written contract in place with the digital platform, which specifies the roles of each party, how personal data can be used, and the responsibilities for keeping the data secure. Digital platforms will usually be able to supply model contracts that are GDPR compliant.
Societies should have procedures in place to detect, report and investigate personal data breaches. GDPR makes it a duty of organisations to report certain types of data breach to the ICO, and in some cases to the individuals affected, where the data breach is likely to result in risks to the rights and freedoms of individuals, including financial loss.
Some organisations may be required to formally designate a data protection officer, but this is unlikely to apply to societies that only deal with matters relating to membership and community shares and do not process sensitive personal data, or carry out regular and systematic monitoring, on a large scale.
The ICO is responsible for enforcing the law and regulations and has the power under GDPR to impose fines of up to €20m or 4% of global turnover, whichever is the greater, for serious breaches. Among the more serious breaches are the use of personal contact details for a different purpose from that for which they were obtained, and security breaches, where personal data is stolen, lost or transferred to a third party without a lawful basis. This includes using the membership lists of a community organisation that supports the aims and objects of the society, but where the members have not consented to their details being used by, or passed on to, other related organisations.
There is no restriction on sending marketing materials to people who have specifically requested such materials. So, if a person completes an on-line form requesting the organisation to send them a newsletter, offer document or some other form of community shares marketing materials, then it is free to do so.
The principle of consent is central to good practice in direct marketing communications. If a person has freely given their prior consent to a specific method of communication on a specific topic or matter, then it is usually lawful and acceptable. Prior consent to specific methods of communication is especially important if the society plans to make phone calls, because this will allow the society to call numbers registered with the Telephone Preference Service without committing a breach of the rules.
The clearest way of obtaining consent is to include an unticked opt-in box on marketing materials, including websites. The use of indirect, third-party consent, where a person has consented to their personal details being passed on to third parties, is not allowed under the privacy regulations for electronic communications in the form of emails, texts or automated calls.
Consent to direct marketing communications does not last forever. In the case of a community shares offer, consent is linked to a particular offer and does not automatically extend to new offers made by the same society at a later date. Direct marketing materials should always include information on how to cancel or unsubscribe from the communications. The burden of proof that consent has been given is borne by the organisation, not the individual, so it is important that societies keep records of all consents they obtain.
If you have any questions or suggestions for new information you would like to find in the Handbook, contact the team by email at firstname.lastname@example.org