Bursars Review | Spring 2018 | Sample

Feature This article is intended as a general guide to the area and an update on key developments in current guidance and thinking. Neither this article nor any guidance referenced within it is a substitute either for specific legal advice, or full internal assessments to be carried out within your school. @the_isba Spring 2018 13 Author Owen O’Rorke associate at Farrer & Co 020 3375 7348 Fundraising The Direct Marketing Association and the Fundraising Regulator have each published guidance on areas such as: ■ legitimate interests, at: https://dma.org.uk/ uploads/misc/59ca0f2e17ef3-dpn-li-guidance- publication_59ca0f2e17e5a.pdf and ■ consent, at https://www.fundraisingregulator . org.uk/information-registration-for-fundraisers/ guidance/personal-information-fundraising-consent- purpose-transparency/ Although beyond these two specific issues, the rules around direct marketing are not materially affected by GDPR. Instead, a new ePrivacy Regulation will replace the Privacy and Electronic Communications Regulations (PECR) rules, probably from some time in 2019, and it is unlikely new guidance will arrive before then. However, the ISBA is also publishing its own fundraising toolkit of materials this spring. What to look out for As mentioned above, the new ePrivacy Regulation will have a particular impact on telephone and email direct marketing (including fundraising), use of social media, and website cookies. It is still being negotiated in Brussels. Finalisation of the new law is lagging some way behind GDPR – but the schools (or alumni organisations, as applicable) are likely to have at least a year to digest the new rules, once agreed, before they take effect. Finally, a new UK-only Data Protection Act will sit alongside GDPR and, broadly speaking, plug the gaps left by the EU for member states to fill in on a domestic basis (including the age of children to consent to online services – which will almost certainly be 13, but please be aware that this is not a universal rule for all types of consent given by children). The bad news is that the first draft of this (September's Data Protection Bill 2017) ran to 194 clauses; and even at the time of publication it is some way off being agreed in parliament, even though it must come into force in May 2018. The better news is that, very broadly, the Government is looking to plug those GDPR gaps by mirroring existing data protection law quite closely. Take positive action now We trust that this article will serve as a run-through of what official resources are available to schools, alongside those provided by ISBA. The key message to those who are not as far along as they might have hoped remains not to panic, but to take positive action rather than let GDPR creep up on you. The ICO will not be rushing to use its enforcement powers but it is likely to pick out the easiest targets in each sector – often those in respect of whom it receives the most complaints. The best advice is to ensure your school is not one of those easy targets, and that – in the event that any complaints are made – you are able to show good, informed understanding of the law and good record-keeping of its compliance project. The above guidance is part of that, but it is no more than a tool to achieve a better corporate, cultural understanding of the issues as they relate to your school. Ultimately, to be successful and sustainable, compliance must be led by knowledge from within.