SSAFA Volunteer Knowledgebase / SSAFA Policies & Guidance / SSAFA Policies

Fundraising and Marketing Data Processing Policy

Updated on Jun 08, 2023

This paper sets out how we have assessed our fundraising and marketing data processes in line with the UK-General Data Protection Regulation (UK-GDPR), and the Data Protection Act 2018.

We have evaluated the basis upon which we lawfully collect, hold and process personal data for fundraising and marketing. The “balance test” we carried out concludes that the lawful basis to communicate with supporters and volunteers is ‘legitimate interest’ see Annex 1. To demonstrate compliance with data protection legislation we keep hard copy and electronic records (whichever is applicable) of all communication we receive from supporters. Hard copy records are stored in SSAFA archives until the assigned destruction date; electronic communication is stored in emails, on the individual’s record in our database, SAVI¹, and on IT network, S:Drive (whichever is applicable).

The retention of supporter data complies with SSAFA’s Retention and Information Management Policy.

¹ SAVI is acronym for our database (Supporter and Volunteer Information) and is hosted by Blackbaud.

Who are SSAFA’s supporters?

Our supporters carry out or take part in a wide range of activities to help raise our Charity’s profile and help to ensure we have ability to meet the needs of our beneficiaries. They are individuals and organisations who donate, administrators of gifts/funds, individuals who fundraise through a wide range of events, and people who volunteer their time to support fundraising.

We have volunteers (caseworkers, mentors, helpers, trustees) whose relationship with the Charity is dual in nature (they give their time for free to meet needs of beneficiaries as well as financially support the charity’s work).

What do we send SSAFA supporters?

Supporters are sent appeals, newsletters, store catalogues, surveys, and information on events, lotteries and raffles, and other activities to promote giving and fundraising in support of the Charity. This information is sent via post and/or email.
Some supporters will also receive tailored communication (regular updates) with fundraising and training tips; and the Annual/Impact Report
Representatives of organisations, including Trusts/Foundations, are sent applications to consider giving grants to fund projects, and are sent tailored reports.
Supporters who send a donation/gift are sent acknowledgments (via post or email).
We also communicate with some of our supporters via telephone or SMS², where consent is given, and it is appropriate to reach out through this channel.

² Email, Phone, SMS observes the ICO’s Privacy and Electronic Communication Regulations (PECR).

How do we obtain new supporters’ personal information?

Information of potential supporters is obtained from third parties such as commercial list brokers for the purpose of supporter/donor acquisition via direct mail.
We also appoint professional fundraising organisations to undertake face to face fundraising services on private and public sites to acquire new supporters.
Individuals who donate or make payments directly via our corporate website.
Individuals who make purchases via SSAFA’s online store (ssafastore.org.uk).
Individuals who sign up or donate via third party fundraising platforms and service providers (e.g., Enthuse, JustGiving, Facebook, etc). Their information is downloaded from these platforms and imported into our database, SAVI.
We also obtain stories from beneficiaries, supporters and volunteers and these are shared via our communication channels (newsletters, social media, press) to help demonstrate the impact our charity has on the Armed Forces community. Some information obtained may be sensitive, such as relating to their health and family life in addition to their biographical, contact information and their image. Note: no sensitive information is stored in our supporter and volunteer database, SAVI.

In obtaining this information, we check that the data protection statements used by the data owners are compliant with UK-GDPR, that proper due diligence has been conducted and that an existing contract (containing data protection obligations) or a data sharing agreement is in place.

The Data Governance Team holds the master list of third parties we share and collect data from. The department are the custodians of Fundraising and Marketing data sharing agreements. Annex 2 contains details how data is collected and the evidence we have, and Annex 3 has additional information on we process data and share with service providers as applicable.

Postal communication to supporters

When communicating by post, we offer supporters and volunteers the opportunity to ‘opt out’ of receiving marketing communication from us in future. Individuals can update their communication preferences at any time using reply forms enclosed with their mailing, calling us or sending an email. The details of who they should contact are stated on the materials they receive. Individuals can also opt out of receiving communications from SSAFA by registering their name and contact details on the Fundraising Preference Service (FPS) website. FPS is provided free of charge to the public by the Fundraising Regulator. The fundraising team receives weekly alerts from FPS and update individual’s communication preferences as requested. The database, SAVI, is updated to reflect the changes requested by an individual.

Fundraising and Marketing GDPR Report 210922 - Read-Only - Compatibility Mode - Word

Donor Acquisition - Legitimate Interest Assessment

In line with the ICO guidance, we carried out a legitimate interest assessment which validated our decision to carry out direct mail activity by sourcing individuals’ names and addresses from third party lists. The legitimate interest assessment provides a justification for donor acquisition activity.

To ensure we aren’t communicating with individuals who do not wish to receive third party communication, i.e., receive direct mail from us when there has been no prior relationship, the prospective donor acquisition data list(s) will be screened against the Mailing Preference Service (MPS) and SSAFA’s own suppression file prior to sending any postal communication. Our database has a record of individuals who have signed up via FPS requesting that they no longer receive communication from us.

We may share supporters’ data for insight and research purposes with commercial list brokers, service providers and for research. Data shared is anonymised so that individuals cannot be identified. All supporters are informed of how they can opt-out of receiving future communication from us and provided a link to our privacy policy.

Our Fundraising Policy

We will send fundraising and marketing materials to our supporters whose data we hold on our database if they have not opted out of receiving communication by post. We will send fundraising and marketing materials to potential supporters whose data (names and postal addresses) who have not opted out of receiving communication by post from third parties.

We will send fundraising and marketing materials to our supporters if they have opted in to receive communication via email, telephone (landline and mobile) or/and SMS (text messaging). We will comply with the Data Protection and PECR legislation in every respect. As members of the Fundraising Regulator, we follow the Fundraising Codes of Practice and the Fundraising Promise.

We will respect the privacy and communication preferences of all supporters. We will respond promptly to requests to cease contacts or to complaints.

SSAFA’s full privacy policy is available on our corporate website ssafa.org.uk/privacy.

SSAFA’s online store has a privacy policy which covers how our service provider, Impress Publishing, process customers data - ssafastore.org.uk/privacy-policy

Annex 4 features our Fundraising Code of Practice.

Annex 1 – The Balance Test

The “balance test” evaluates the basis upon which we lawfully collect, hold and process personal data for fundraising and marketing.

CONCLUSION OF THE BALANCE TEST

Having carried out the above balance test to determine whether we should process data using the ‘Consent’ or ‘Legitimate Interest’, we concluded that Legitimate Interest is the most appropriate basis to process individuals’ data. This would ensure SSAFA can continue to achieve its strategic fundraising objectives. It will allow us to continue to communicate with individuals who currently donate or fundraise to support SSAFA’s work. These individuals include regular donors, one-off donors, fundraisers, event participants as well as executors of legacy estates acting on behalf of the deceased.

Legitimate Interest will allow us to raise vital voluntary income to help meet beneficiaries needs. Through direct marketing we will update our warm supporters telling them how they are continuing to help beneficiaries and why it is so important that they continue to do so. We’ll also inform them of other fundraising initiatives and events they may be interested in.

SSAFA’s fundraising data collection and processing principles are as follows:

Collect the minimum data necessary.
Understand our responsibility to protect the individual’s interests.
Having carried out the balance test, we are confident that the individual’s interests do not override our legitimate interests.
Only use individuals’ data in ways they would reasonably expect.
Do not use people’s data in ways they would find intrusive, or which could cause them harm.
Keep our Legitimate Interest assessment under review and repeat the Balance Test if circumstances change.
Include information about our Legitimate Interests in our Privacy Notice, available via our corporate website (ssafa.org.uk/privacy).

Annex 2 – Evidence of data collection consents

This evidence table relates to personal data. Evidence can be made available for an audit.

Annex 3 – Additional Information on data processing

How we collect data:

We collect information given to us by supporters. The personal information we collect is kept secure in our database, SAVI, or on hard copy documents and email.

Our email marketing provider is DotDigital. On their platform, we store e-mail addresses of individuals we communicate with via email. There is also a suppression file which is collated and built from our previous e-mail activity reflecting any unsubscribe preferences resulting from our fundraising and marketing communications to supporters and volunteers.

We also collect information via third parties working as data processors on our behalf.

The personal information we collect includes names, addresses, email address, telephone number (landline and/or mobile) and date of birth. We will additionally collect and keep a record of financial transactions and bank details of supporters giving by direct debit.

We also collect stories of beneficiaries and volunteers that may include sensitive personal information. Every beneficiary or volunteer who shares their story with us for use in fundraising and marketing materials has to sign a consent form. The consent forms cover the use of individual’s stories, what the information will be used for across both fundraising and marketing channels, across social media, broadcast, print, digital and other channels, as well as any photography, video and imagery usage rights. These consents are collected, stored securely, password protected and a record kept by SSAFA’s PR team.

Data processing:

We process personal data of our supporters and donors for internal reporting and analysis because we believe it is necessary for our legitimate organisational interests to create better fundraising and marketing. We aim to ensure that how we use people’s data is proportionate and has a minimal privacy impact. Individuals can opt out of data processing by contacting us.

We carry out research on individuals such as trustees of a charitable foundation to identify those whose objects and policies match the need for a funding requirement. We keep records, on SAVI and S:Drive, of the trustees and/or employees where relevant to an application.

We will also use the data we have to build profiles of supporters to help develop our fundraising and marketing materials. To do this we may analyse geographic, demographic, and other information on our database. We may also use desk research using the data we have along with publicly available data. This could include researching individuals at potential corporate supporters prior to meetings or creating short biographies of major donor event attendees to a high-profile event so that we can better prepare prior to meeting with them.

We may disclose supporters’ (and volunteers’) name, email and postal address and or transactional data to third parties who deliver services on our behalf, all of whom are contractually obligated to act only on our instructions and in accordance with data protection legislation. We will also share data when required to do so by law, such as reclaiming of Gift Aid from HMRC or to enforce our legal rights

Third parties we share data with to provide services sign our Non-Disclosure Agreement (NDA) or Data Sharing Agreement prior to commencing the partnership or providing a service to SSAFA.

Annex 4 – Fundraising Code of Practice

We will commit to high standards

We will adhere to the Fundraising Code of Practice. https://www.fundraisingregulator.org.uk/code
We will monitor fundraisers, volunteers and third parties working with us to raise funds, to ensure that they comply with the Code of Fundraising Practice and with this Promise.
We will comply with the law as it applies to charities and fundraising.
We will display the Fundraising Regulator badge on our fundraising material to show we are committed to good practice.

We will be clear, honest and open

We will tell the truth and we will not exaggerate.
We will do what we say we are going to do with donations we receive.
We will be clear about who we are and what we do.
We will give a clear explanation of how you can make a gift and change a regular donation.
Where we ask a third party to fundraise on our behalf, we will make this relationship and the financial arrangement transparent.
We will be able to explain our fundraising costs and show how they are in the best interests of our cause if challenged.
We will ensure our complaints process is clear and easily accessible.
We will provide clear and evidence-based reasons for our decisions on complaints.

We will be respectful

We will respect your rights and privacy.
We will not put undue pressure on you to make a gift. If you do not want to give or wish to cease giving, we will respect your decision.
We will have a procedure for dealing with people in vulnerable circumstances and it will be available on request.
Where the law requires, we will get your consent before we contact you to fundraise.
If you tell us that you don’t want us to contact you in a particular way we will not do so. We will work with the Telephone, Mail and Fundraising Preference Services to ensure that those who choose not to receive specific types of communication don’t have to.

We will be fair and reasonable

We will treat donors and the public fairly, showing sensitivity and adapting our approach depending on your needs.
We will take care not to use any images or words that intentionally cause distress or anxiety.
We will take care not to cause nuisance or disruption to the public.

We will be accountable and responsible

We will manage our resources responsibly and consider the impact of our fundraising on our donors, supporters and the wider public.
If you are unhappy with anything we’ve done whilst fundraising, you can contact us to make a complaint. We will listen to feedback and respond appropriately to compliments and criticism we receive.
We will have a complaints procedure, a copy of which will be available on our website or available on request.
Our complaints procedure will let you know how to contact the Fundraising Regulator in the event that you feel our response is unsatisfactory.
We will monitor and record the number of complaints we receive each year and share this data with the Fundraising Regulator on request.

Previous Article Employee Safety Handbook

Next Article Email policy