GDPR

Virgin Money Giving: EU General Data Protection Regulation (GDPR)

Last updated 24 May 2018.

In preparation for the EU General Data Protection Regulation (GDPR) coming into effect on 25 May 2018, we will be making some important enhancements that will help you make the most of the information that we collect and share with you.

We rolled out all of our GDPR system updates on 20 May 2018 ahead of the regulation coming into effect, at which point we updated relevant parts of our online customer journey, and updated our systems behind the scenes and the charity reporting portal that you use.

Please click here and here to see our latest communications about the GDPR. We recommend that you familiarise yourself with the latest industry information and what this means for your charity.

GDPR questions and answers

To help explain the changes we’re making and what this means for you, we’ve created some Q&A’s below. If there’s anything that you’d still like to know that’s not covered in our Q&As, drop us a line at theteam@virginmoneygiving.com and we’ll do our best to help you.

What are my obligations if I want to use the data you share with me?

What are my obligations if I want to use the data you share with me?

When we provide you with personal data about your supporters, you will be Data Controllers in respect of that information and therefore responsible for ensuring that you handle it in compliance with the GDPR.

We recommend that you seek further advice on processing an individual’s information and GDPR compliance. For starters, here’s the latest industry information.

What changes are you making and when will these happen?

What changes are you making and when will these happen?

Please click here and here to see our latest communications about the GDPR that will explain the changes we are making and the next steps you should consider.

We rolled out all of our GDPR system updates on 20 May 2018 ahead of the regulation coming into effect, at which point we updated relevant parts of our online customer journey, and updated our systems behind the scenes and the charity reporting portal that you use.

We have also updated our charity Terms and Conditions.

Will you collect marketing consent from my supporters using your site?

Will you collect marketing consent from my supporters using your site?

Yes, we will ask them if they would like to receive emails from you about your news, appeals and promotions. This consent will be collected using an opt-in tick box. We will ask for consent when:

• A user creates a fundraising page for you
• A user donates to your charity

Here are examples of the changes we are making to our user journey:

Example of marketing consent collected when individuals create a fundraising page:

GDPR - keeping in touch when fundraising

 

Example of marketing consent collected when individuals donate:

GDPR - keeping in touch when donating

Do you have any plans to collect marketing consent for channels other than email in the future?

Do you have any plans to collect marketing consent for channels other than email in the future?

We are exploring options for future enhancements so that we can collect consent for you to send marketing via multiple channels of communication. Watch this space.

Can someone under the age of 18 use Virgin Money Giving?

Can someone under the age of 18 use Virgin Money Giving?

We will be allowing anyone who is 13 or over to use Virgin Money Giving. Users younger than this will be told to seek help from their parent(s) or guardian(s) who can register with us to help them fundraise. We will ask upfront if users are under 18 and provide 13-17 year olds with guidance about staying safe online and also restrict some features. We will tell you in the charity reporting portal if someone fundraising for you is under 18 but we will never collect marketing consent from them.

Example of how we will identify users under 18 in our customer journey:

GDPR - 18 or over

Will you be asking for consent to marketing from under 18s?

Will you be asking for consent to marketing from under 18s?

No, we will only collect marketing consent from adults. 

What will I see in reporting if an individual has consented to marketing?

What will I see in reporting if an individual has consented to marketing?

We have redesigned the way we are collecting consent for you.

We are replacing the data item in your charity reports called ‘charity marketing permissions’ and replacing this with six new columns to give you all the information you need around the new way we are collecting consent.

Here are the six new data items we are adding, so you can see who has consented to marketing from you:

• Fundraiser charity marketing consent
• Fundraiser charity marketing consent date
• Fundraiser 18 or over
• Donor charity marketing consent
• Donor charity marketing consent date
• Donor 18 or over

We are making these changes across our standard and flexible reports. If you have created and saved a custom report, you will need to recreate any custom reports to include these new data items. Data will no longer be in ‘charity marketing permissions’.

As we are recommending that you only rely on consent collected through our site after our changes, the changes we are making from the 20 May 2018 mean you will no longer have access to previously collected consent. This will help you avoid making mistakes using old and newly collected marketing consent data.

If in the future you are required to provide evidence of any marketing consent you relied on for past marketing campaigns (for example to respond to the ICO), please call us and we can provide you with any historical information you might need. However, we will not be able to provide you with historical data to use for future campaigns.

Here are what our specific data items mean:

For donors
• Donor 18 or over (displaying as ‘yes’, ‘no’, or ‘unknown’). Where the status is set to ‘no’ this means the donor is between the ages of 13 to 17. Where the status is set to ‘unknown’, this means we have not previously gathered this information, or not asked it (e.g. currently this is not asked through our APIs).
• Donor charity marketing consent (displaying as ‘charity marketing allowed’, ‘charity marketing not allowed’, or ‘not held’). Where the status is set to ‘not held’ this means we have not previously gathered this information, or not asked it (e.g. currently this is not asked through our APIs).
• Donor charity marketing consent date (displaying as the date, or blank). This new field gives you the exact date when the consent was collected. Where the date is blank, this means the marketing consent status is not held.

For fundraisers
• Fundraiser 18 or over (displaying as ‘yes’, ‘no’, or ‘unknown’). Where the status is set to ‘no’, this means the fundraiser is between the ages of 13 to 17. Where the status is set to ‘unknown’, this means we have not previously gathered this information, or not asked it (e.g. currently this is not asked through our APIs).
• Fundraiser charity marketing consent (displaying as ‘charity marketing allowed’, ‘charity marketing not allowed’, or ‘not held’). Where the status is set to ‘not held’ this means we have not previously gathered this information, or not asked it (e.g. currently this is not asked through our APIs).
• Fundraiser charity marketing consent date (displaying as the date, or blank). This new field gives you the exact date when the consent was collected. Where the date is blank, this means the marketing consent status is not held.

Through our reporting portal, you will also have access to a separate record of exactly what the marketing consent wording was when we collected that consent for you, as well as the Privacy Policy that was in place.

Will I be able to see a consolidated view of an individual’s last express wish to consent to marketing from my charity?

Will I be able to see a consolidated view of an individual’s last express wish to consent to marketing from my charity?

No, you will not be able to see a consolidated view. We collect marketing consent each time a person donates or fundraises for you.  You will need to match up any records you have for the same person to ensure you are using their last express wish. This may also involve you matching against other data sources where you are collecting consent from individuals to send them marketing.

How long is consent you collect valid for?

How long is consent you collect valid for?

According to the ICO guidance on this:

‘There is no fixed time limit after which consent automatically expires. However, consent will not remain valid forever. How long consent remains valid will depend on the context – the question is whether it is still reasonable to treat it as an ongoing indication of the person’s current wishes.

As a general rule of thumb, if an organisation is making contact by phone, text or email for the first time, we recommend that it does not rely on any indirect consent given more than six months ago – even if the consent did clearly cover that organisation. However, we accept there may be some very specific cases where the circumstances clearly indicate that the person would expect to start receiving marketing at a certain later date.’

What about previously collected consent, is that still valid?

What about previously collected consent, is that still valid?

We are recommending that you no longer use marketing consent previously collected through our site before 20 May 2018 for future marketing activity, unless you reconfirm that consent is still valid.

A lot of organisations collecting marketing consent have been contacting their supporters to reconfirm if they are still happy to receive marketing. This is the safest way to ensure your records are accurate.

Please click here to see the history of our marketing consent wording that will have been live prior to our updates in May, which was collected via an ‘unticked’ opt-in box. However, please note you were not specifically named at the point of collection. This page also includes the history of our privacy policies.

Will your Privacy Notices change?

Will your Privacy Notices change?

We have updated our privacy notices. These will cover the sharing of information with you. You will also need to make your own privacy notices available to individuals.

Please click here to see our privacy policy for charities and here to see our privacy policy for fundraisers and donors.

Will your Terms and Conditions change?

Will your Terms and Conditions change?

We have updated our T&Cs. Please click here to see our new T&Cs.

What other personal information can we access in reporting about fundraisers and donors?

What other personal information can we access in reporting about fundraisers and donors?

You will continue to have access to the information we collect about users who create a fundraising page.

You will see the donations you have received but you will no longer see the personal information of the person who made a donation, unless they have consented to receive marketing from you. We will start removing this data from May.

We will not be collecting marketing consent or the age of a user through our APIs. We are working on future enhancements that will allow us to do this. This won’t be ready for May.

Can I still talk to fundraisers about their event or fundraising if they don’t consent to marketing?

Can I still talk to fundraisers about their event or fundraising if they don’t consent to marketing?

Our privacy notices make it clear to fundraisers that we will share their data with you and that you might contact them about their event or fundraising. Please note though, that we are not obtaining a specific consent for you for this, so you will need to establish a lawful basis for using this data, for example legitimate interest.

What happens if an individual contacts Virgin Money Giving to withdraw their consent to marketing from my charity?

What happens if an individual contacts Virgin Money Giving to withdraw their consent to marketing from my charity?

We will collect marketing consent for you when someone donates or creates a fundraising page, but users will no longer be able to manage their marketing consent on an ongoing basis through our website. We will direct individuals to contact you if they no longer want marketing from your charity.

How will you handle Data Subject Rights and do we need to do anything?

How will you handle Data Subject Rights and do we need to do anything?

The GDPR enhances existing data subject rights and also introduces new rights. As Data Controllers, both of us must respond to individual GDPR related requests. We will let you know in good time if an individual whose information we have shared with you has exercised their rights, so that you can meet your GDPR obligations.

What is your data retention policy?

What is your data retention policy?

We’ll retain information for no longer than is necessary and this will mean that we’ll continue to hold some information for a period of time after our relationship has ended with our users and charity partners. This is to comply with our legal and regulatory obligations to keep records of our relationship, to resolve disputes or where it may be needed for future legal proceedings. 

What next steps should I take?

What next steps should I take?

We are recommending that you no longer use marketing consent previously collected through our site for future marketing activity, unless you reconfirm that consent is still valid.

A lot of organisations collecting marketing consent have been contacting their supporters to reconfirm if they are still happy to receive marketing. This is the safest way to ensure your records are accurate.

You should also make sure you have everything in place to comply with the GDPR prior to using any of the personal information we share with you. We recommend speaking with your trustees, Data Protection Officer (if you have one) or legal advisers if you are unsure whether or not to use any of the data we share with you.

Where can I go for further help on complying with GDPR?

Where can I go for further help on complying with GDPR?