5 Steps to More Compliant Wealth Screening

Privacy Engine
Jan 19, 2023
Wealth Screening

    Need world class privacy tools?

    Schedule a Call >

    Bonus Material: Wealth Screening Checklist

    Wealth screening services have hit the headlines for all the wrong reasons over previous years.

    • In the UK, the impact of the Daily Mail’s investigations and the subsequent enforcement action by the Information Commissioner’s Office (ICO) in 2017 against a number of well-known charities was seismic.
    • The fines – for the misuse of donor data, including wealth screening – led in part to the formation of a new regulator and an ICO-led conference.
    • This conference led to the key guidance on the topic – Fundraising and Regulatory Compliance – which addressed the topics of Wealth Screening, Data Matching, Re-using publicly available information, transparency and legitimate interests.

    Organisations should therefore approach wealth screening with the key aspects of data protection compliance in mind so that risk-based decisions can be made.

    See our five steps for getting wealth screening right:

    Step 1: Be clear about what you are (and are not) planning

    Often, the term Wealth Screening covers a number of different activities.

    Simply segmenting a database is one thing – and this is very often relatively unintrusive and does not significantly impact individual privacy.

    Researching a known high-net-worth individual – someone who has a reasonably high expectation that you will try and find out about them and may even expect you to do such research before approaching them – this is quite another thing.

    At the other end of the spectrum is detailed wealth screening: passing your personal data (e.g. donor data) to another organisation for them to assess it against 20+ other sources of personal data (often sourced from the public domain, but not always) and then making a valued judgement about that person – which you will then use to shape and inform your subsequent actions.

    This is far more intrusive, and can lead to decisions that directly affect people (e.g. asking for a higher donation; or selecting them for a certain campaign).

    It is therefore essential that you are clear from the outset about what you are planning, and what you are not… and to check this remains the case if you engage with a company that provides a number of different services.

    Step 2: Know what the wealth screening company will be doing in your name

    You are accountable for selecting the third party. They are only acting on your instructions. You must undertake due diligence before signing with them – and this includes not only assessing security but also understanding how they will process your data and what sources of data they will use.

    For example, if they were to use non-private Facebook information to inform their assessment of someone, would you be happy with this? Or if they used Zoopla, Companies House, or LinkedIn?

    Step 3: Have your decision-making in place (DPIA, LIAs, and re-use)

    You must be accountable for your decisions.

    A Data Protection Impact Assessment will demonstrate that you have considered the potential data protection and privacy impact of what you are planning.

    It will enable you to consider the issues and implement measures to mitigate the risks – for example, it might identify a lack of transparency, and recommend informing people before you use their data for wealth screening.

    Or it might recommend only screening certain data– e.g. of those donors who have donated a higher amount compared to other, less frequent / lower level donors who might have different expectations.

    To undertake wealth screening you will have to process personal data, e.g. send personal data to a wealth screening company; analyse existing data; append new data to a record; draw inference from data.

    You therefore need a lawful basis.

    It is unlikely that you will rely on consent – would people, given the choice, agree to be “wealth screened” before you did the screening?

    Legitimate interests are likely to be the most appropriate, so you will need to have a Legitimate Interest Assessment in place to support your reliance on this condition for processing.

    And as you will be re-using data you have for one purpose (processing donations / being a supporter) for another purpose or purposes (e.g. assessing the propensity to donate) you should complete an assessment of this proposed re-use of data.

    Step 4: Be open and honest

    Ensuring that people know what you are doing with their data can often be the easiest way to reduce the risk of complaints. After all, if you cannot be open and upfront about what you have planned and are doing with someone’s data, should you really be doing it?

    The ICO’s guidance makes clear that simply putting information into your privacy policy is unlikely to be enough:

    “If individuals would not reasonably expect what you’ll do with their information, then you need to actively provide privacy information rather than simply making it available for them…on your website.”

    “…if you intend to process personal information for wealth screening, you should actively communicate this to individuals. Often the easiest way will be to tell them at the point when you first collect their details.”

    Ensuring that your privacy statements – the information you provide when you collect personal data – as well as your privacy policy are clearly written, in plain language, is key.

    And taking proactive steps – especially if you did not inform people (or were unclear or vague) when you first collected their data – now you want to use it is also very important

    Step 5: The Daily Mail test – would your Trustees or Board happily explain what was done?

    Ultimately, your organisation is accountable for its use of data. And something with such a controversial and misunderstood history as wealth screening may result in questions being asked.

    Ensuring that senior executives understand what you are proposing, the benefits, and the risks is essential. They might have to answer questions – be that from the media, regulators, or those who have been wealth screened – as to why they believed their organisation was acting in a compliant way.

    Bonus!


    Wealth screening services have hit the headlines for all the wrong reasons over previous years. Organisations should therefore approach wealth screening with the key aspects of data protection compliance in mind so that risk-based decisions can be made. Use this Checklist to ensure you a wealth screening in a more compliant way.

    Share this

    YOU MIGHT ALSO BE INTERESTED IN

    Check out these PrivacyEngine posts that are related to Cyber Security

    Ireland's Data Protection Software Solutions
    8 Minute Read

    Ireland's Data Protection Software Solutions
    Do I Need Data Protection Software?
    8 Minute Read

    Do I Need Data Protection Software?
    What is Network Information Security Directive (NIS1)?
    8 Minute Read

    What is Network Information Security Directive (NIS1)?

    Try PrivacyEngine
    For Free

    Learn the platform in less than an hour
    Become a power user in less than a day

    Get Started For Free
    Schedule Demo
    PrivacyEngine Onboarding Screen