‘Profiling’ provision - submission to the Data Protection Commission

30th March 2017

Dear Sir/Madam,

Charities Institute Ireland would like to thank you for the opportunity to make a submission regarding ‘Profiling’ under the upcoming General Data Protection Regulation (GDPR).

The GDPR contains several Recitals on profiling. The criteria of ‘legal effects’ and ‘significant effects’ do pose problems of interpretation. The data subject has the right not to be the subject of a decision based exclusively on automated processing. The definition of profiling provided for in the regulation raises questions about the cases involved in profiling. To determine whether it is profiling, two criteria must be taken into account:

  • Automated processing
  • A purpose for assessing certain aspects relating to a natural person.

Firstly, is it to be understood that if the decision is not fully automated, and if a person intervenes in the processing of the data, notably to make the decision, this is not profiling? The legislation appears to go in this direction since it states that the person has the right not to be subjected to fully automated processing based solely on profiling and is not applicable where the interest of the recipient does not constitute a decision for ‘legal consequences’ or ‘not significantly’ affecting the person concerned, such as an automatically declined loan, mortgage, increase in an insurance policy etc.

Any classification of individuals according to specific segmentation criteria can be considered as profiling, assuming that it is actually performed by machines e.g., students ranked by grades to assess their performance, sales professionals in an organisation evaluated on the basis of ranking of sales figures etc. From our interpretation, we understand that none of these examples fall within the scope of the ‘profiling’ provision.

In our opinion, the main problem is not necessarily profiling but rather the way in which the profiling is actually used, its impact on the individual and the lack of human intervention. 

Attention should first be paid to profiling activities:

  • Based solely on automated processing
  • May cause unfair, detrimental and significant effects to the persons concerned in relation to access to essential services (mortgages, loans, insurance) or to their dignity and freedoms.

Furthermore, the GDPR definition of profiling appropriately includes basic online business activities such as consumer segmentation to provide appropriate advice or advertising. This type of profiling is often referred to as ‘current’ profiling and is at the origin of a free internet for all. The GDPR distinguishes ‘current’ profiling from profiling associated with fully automated data processing that has ‘legal effects’ or ‘significantly affects’ the data subjects. ‘Current’ profiling is a legitimate business interest and the data subjects have the right to object.

The right to object to profiling which is based on legitimate business interests of the controller is a reflection of the previous directives and an equitable way of offering individuals the ability to choose and control. GDPR rightly recognises that companies cannot offer users the main services on which they rely without ‘current’ profiling such as preference-based advertising. Should it be considered that targeted advertising has legal effects or affects the person concerned significantly? If this is the case we would like to draw your attention to the fact that such a qualification could have serious economic consequences, since all sectors of activity today use targeted advertising.

Charities Institute Ireland calls on the Data Protection Commissioner to interpret these provisions in line with the original spirit of the GDPR – that is, by limiting decisions considered to have ‘legal effects’ or ‘significant effects’ to situations where these effects would have a real negative impact on the persons concerned e.g., the ability to obtain credit etc.

Charities Institute Ireland further calls on the Data Protection Commissioner to accept and confirm, with respect to the charitable, not-for-profit and the voluntary sector and their funding model that:

  • Detailing profiling/development purposes within the Privacy Statement and Data Usage Statements of a charitable organisation is sufficient to adhere to this element of the GDPR.
  • That the right of donors to oppose profiling is satisfied by allowing the person concerned to delete their information without any other conditions.

Charities Institute Ireland considers that donor profiling does not deprive the person concerned of a right but on the contrary fosters true engagement and giving as it is adapted to the donors’ values and interests and thus seen as an opportunity to express their support for a charity and not an intrusion on privacy.

Sincerely yours.


Caroline Lafferty.

Membership and Communications Manager.



A survey commissioned by Charities Institute Ireland (Cii), published today, Monday 27th March, shows that there is a rise in the number of people who feel that Irish charities are doing a good job of restoring trust in the sector.


Of those who expressed an opinion, 27 per cent feel that the Irish charity sector is “doing enough to build trust with their donors” - an increase of 14 per cent from 2016’s survey, when the same question was asked.

The survey, undertaken by Amárach Research, also shows that while just 24 per cent feel that they can trust Irish charities nowadays, this figure remains unchanged from last year, showing that the decline has halted.

Lucy Masterson, CEO of Charities Institute Ireland, commented on the findings today. “While trust in the sector is still much lower than we would like it to be - largely due to the malpractice that was brought to light in the last two years - these new findings are encouraging. They show that the declining trend in trust has halted, and that the public are beginning to have confidence that the sector, as a whole, is working hard to restore that trust,” she said.  


46 per cent of those surveyed feel that wages in the charity sector are too high. This is unchanged since last year, but is down from 51 per cent in 2015.

43 per cent agree that senior management in the charity sector should be paid less than their private sector counterparts.

However, 55 per cent agree that charities should get the best professionals possible to work for them. This is down from 68 per cent in 2015, but it is still a high percentage. In addition, 37 per cent of those surveyed agree that charities need to pay competitive wages to get the best people to work for them.

Gerard O’Neill, Chairman of Amárach Research, says: “This research points to a positive shift in Irish attitudes towards the charity sector. It seems that a lot of the anger that was there just a few years ago is giving way to a more pragmatic recognition that charities have an important job to do and they need the right people to do it.”


Overall, people are more likely to sign up to a regular direct debit payment to a charity. Direct mail is the most likely form of communication to lead to a sign-up.

The survey shows that people’s preferred method of communication is email or direct mail, with those under 45 more likely to opt for email.

This survey is the 3rd annual tracker developed for the charity sector by Amárach Research and supported by An Post.

Fiona Heffernan, Head of Post Media, An Post, says: “An Post is proud to support Charities Institute Ireland, and the broader charity sector, in producing this benchmark annual research.”

General Data Protection Regulation (GDPR) - Survey

The upcoming General Data Protection Regulation (GDPR) signals a new generation of data privacy laws that commands a major shift for many charities, religious orders and not-for-profits.  This new legislation will impact how these organisations use data.  Charities Institute Ireland believes that this legislation will enable religious orders, charities and not-for-profits to appropriately balance collaboration and transparency with data protection and privacy, supporting them in their work with donors and beneficiaries to bring about a culture of engagement and giving that is progressively seen as a welcome opportunity to express one’s values and support for these organisations and not an intrusion on privacy.

Charities Institute Ireland has devised a survey to examine the readiness of Irish charities, religious orders and not-for-profits towards GDPR, to benchmark key operational impacts and assess the difficulty in complying with the new regulations. Your feedback will enable Charities Institute Ireland to plan on how best to assist you in your preparation for and compliance with GDPR.

Please complete our survey at:

An issue of TRUST

According to the latest NFPSynergy report, the recognised vulnerability for Irish charities is the issue of trust. With continuous and intense media and government scrutiny, it is imperative to ensure that proper levels of governance, accountability and transparency are established and nurtured. The significance, and crucially the ubiquity, of this requirement cannot be emphasised enough as it plays a fundamental role in maintaining the trust of partners, patrons, the general public and all those that rely on the vital services of charities.

Charities Institute Ireland's 'Triple Lock' mechanism is in place to explicitly rebuild trust. It is important to reflect on the benefits for charities that actively engage with this process. Such a benefit will be the trust of their donors. In an age of high and pervasive levels of cynicism, for charities trust is their most valuable economic asset.

The Naked Truth - Trust and Transparency - The Leadership Challenge

In the run up to the Brexit referendum Michael Gove commented that the people were fed-up with experts.  Donald Trump might as well have said the same thing. In all areas of society, from the political establishment to the mainstream media, people are turning away from the traditional sources of authority and leadership.

For CEOs and Departmental Heads within the not-for-profit sector, this disconnection has serious implications. It is not an option to, in the words of Bertolt Brecht, "dissolve the people and elect a new one". Instead the current models of leadership must undergo a crucial evolution.

Our upcoming conference on Thursday January 19th, The Naked Truth - Trust and Transparency - The Leadership Challenge, will map out the nature of this necessary evolution, showing leaders within the charitable sector how they can reconnect with a largely disillusioned populace and the new ways in which they can actively earn and build on the vital trust of the people. It will deal with the roles of leadership in the phenomena of the ever-changing market situations which are compelling charities to incessantly reassess and re-evaluate how they work and to help those working within the sector to understand, adopt and implement changes in their business model in response to changing trends.

Full details on this conference are available here on our Events page

Cii's Response to the Irish Times Article

Letter to Editor, the Irish Times.

Dear Sir,

Oliver Callan’s article ‘The Season of charity guilt-tripping’ in the Irish Times (Dec 15th) conflates facts with one-liners and replaces analysis with misinformed opinion.

His allegation that charities are ‘out of control’ and ‘in urgent need of regulation’ is simply false. Strict accounting requirements, from Revenue to HSE, apply to all charity fundraising and spending. Charities actively sought the additional monitoring and regulation now provided through the Charity Regulator.

His claim that there are 24,000 charities is wrong by a multiple of three. Revenue have granted charitable tax exemption in 8,150 cases.

Charities are appalled at the rare occurrence of fraud, as alleged in the case of Console, and I have publicly and strongly condemned this type of behaviour.

His conversation with ‘one lady’ who claimed that only five cent in every euro raised ‘was used for the actual cause’ bears no link to the reality. The average is 70 cent in every euro going to the cause.

Charities do not ‘fumble in greasy tills, free from proper oversight.’ Only a fraction of charities engage in any significant fundraising and this is undertaken to maintain essential services under increasing pressure as an outcome of recession.

He complains that ‘so many services for the most vulnerable fall to charities’ and that ‘the vast majority are probably pointless’. Health charities, for example, provide expertise, understanding and support to individuals and families that matches and regularly surpasses the state in competence and efficiency. Charities continue to be contracted by the state and its agencies to deliver vital services in health and other areas for this precise reason.

Like any other sector of society, charities are not perfect. But the vast majority of the thousands of people who work or give their time to charities day in, day out, do so out of genuine commitment and belief in a cause. The general public understand the role and contribution of the sector. 

In a brief lapse into factual reality, Oliver Callan acknowledges this and that Ireland is consistently ‘in the Top 10 in the World Giving Index.’ But he has otherwise abused his considerable talents in taking a cheap shot at the very concept of giving and working for social impact and justice.

Yours sincerely,

Lucy Masterson,


General Data Protection Regulation

Following four years of intense negotiation the General Data Protection Regulation (GDPR) is now due to come into effect May 25th 2018. For charities, as for all other businesses, this updated data protection framework represents both an opportunity and a challenge. The GDPR has been designed to give the public a greater amount of control over their personal data and the manner in which it is collected and used by companies. As such, charities need to be aware that when it comes to fundraising, all data collection and processing activities will soon require more rigorous controls than at present, while potential penalties for non-compliance will be far more onerous. Naturally charities will now have to audit their processes from top to bottom to ensure that they are fully prepared and in compliance pre-2018. No mean feat, yet it is important to remember that the GDPR is, at least in part, a regulator’s answer to an issue that sooner or later all companies, including charities, must face up to: namely, the substantial erosion of public trust.

This lack of trust manifests itself in several ways. In a broader context, it fuels the anti-establishment upheavals that have characterised 2016: Brexit, Trump, and most recently Italy’s rejection of Matteo Renzi’s proposed reforms. In terms of personal data, a raft of data breaches coupled with revelations of mass surveillance programs have left the public extremely wary of the interface between technology and their private information. While in the context of Ireland’s charity sector, a number of well-publicised scandals, though confined to specific bodies, have unfortunately placed the sector as a whole in a critical light, inevitably impacting on public trust.

This is an issue that must be tackled on many fronts, but perhaps the safeguarding of personal data is a good place to begin. Under the GDPR, charities will need to build sustainable measures for ensuring data privacy into all aspects of their operations. They must gain explicit consent from donors before processing their personal data. They will need to clearly inform them of the complaints channel open to anybody unhappy with how their data has been processed. They will need to be responsive: donor requests concerning access to their data must be actioned in a timely fashion, and where a data breach occurs and a donor’s data is clearly at risk, the charity must notify them with all due haste. In addition, they must respect their donors’ right to be forgotten and, upon request, delete any personal data that is not necessary for contractual purposes.

These are only some of the obligations that Ireland’s charities must attend to between now and May 2018. As we said before, no mean feat. However, a positive and energetic engagement with the incoming regulations will greatly benefit the charities in question, sending a clear message to prospective donors that their personal data is highly valued and will be rigorously protected. In the vital effort to rebuild public trust post 2016, this will count for a lot.

To ensure that charities are fully prepared for the GDPR, Charities Institute Ireland will be hosting a professional certificate in Data Protection on February 22nd 2017.