We spoke to the Fundraising Regulator and the Information Commission's Office (ICO) to find out what GDPR means for PTAs

The General Data Protection Regulation (GDPR) is an EU law governing data privacy. We asked how it affects your day-to-day PTA fundraising.

What does the law say?

The regulations mean stringent rules for how you collect and store supporters data. This includes everyone from parents and families to businesses and sponsors, and applies to all processing of personal details, meaning it covers fundraising, online campaigns and volunteering. Every time you contact supporters youll need to explain why youre contacting them and how you will use their data. GDPR affects:

  • how you collect personal details
  • how you contact your supporters
  • how you store personal details

How do PTAs work within the GDPR?

Within a school context, the school itself is classed as a data controller, which means it is the party that decides how personal data is processed. The PTA sits under that as a data processor, where they process data on behalf of the school (or data controller). The act of processing data covers collecting and recording information as well as holding and storing it.

A quick survey of PTAs found that the most popular form of communication is social media, with a huge 89% of people using it to contact their supporters. 79% of PTAs use letters in book bags, and 78% have the school send communications on their behalf.

PTAs are fluid organisations that can change dramatically from year to year, meaning there isnt always one person overseeing areas such as data protection. While everyones main focus is organising and running fundraising activities, data protection can be easily overlooked. Risks may not always be obvious, but 22% of the PTAs we surveyed send emails from private email accounts, and many also have parents data stored on personal computers with no measures in place to ensure this is deleted when they leave the PTA. So what needs to change?

When do GDPR rules apply?

The first important thing to note is that the new GDPR rules only apply when you use personal data. So you can send indirect communications, such as a promotional flyer or a letter to parents in book bags. This isnt using personal data because you arent addressing a specific individual with your flyer or letter. Even if parents opt out of receiving communications from the PTA, a flyer in a book bag is still permissible because it isnt specifically targeted.

However, if you use supporters contact details to keep in touch with them about your PTA, that is direct marketing and the new rules apply. Direct marketing is defined in the Data Protection Act as: ‘the communication (by whatever means) of an advertising or marketing material which is directed at particular individuals. In these circumstances, you need to establish a legal way to use supporters data. For most PTAs, the two most applicable ways to do this are ‘consent and ‘legitimate interest. You need to choose the most appropriate way based on what you want to do.

Obtaining consent

A significant change under GDPR is the need for your supporters to actively consent to receiving communications. This means that individuals need to agree to being contacted by the PTA. This could be by simply ticking an opt-in box on a form. The individual must fully understand that they are giving consent for you to contact them, as well as what theyre agreeing to be contacted about, why their personal information is being collected, what you will do with their information, and to which form of communication it applies, ie email and/or SMS.

Obtaining initial consent may be tricky, as you cannot send texts or emails without prior permission, including messages asking for permission! The safest way to get consent is through paper form, which can be distributed without using personal data through book bags (see ‘when do GDPR rules apply?) or by mail (see ‘legitimate interest). This form should tell your supporters what kind of communications you would like to send and ask supporters to tick an opt-in box confirming that they are happy to be contacted. You should include a tick box for each channel (eg emails, texts, post) and they should tick all that they are happy with. Other acceptable forms of consent include:

  • A tick box or yes/no option on a donation form
  • An individual supplying their contact details on a form or online, where it has been made clear they are doing so in order to receive direct marketing from the PTA
  • Orally or by a clear action, eg an individual handing over a business card and making it plain they want to hear more from you
  • Whatever the case, the opt-in needs to be separate from any other action, and individuals need to have consciously given consent based on explicit information. Silence or pre-ticked boxes are not valid, nor is the assumption that people are happy to be contacted unless they have opted out.

Withdrawing consent

Peoples preferences change over time, so it needs to be easy for your supporters to withdraw their consent or change communication choices whenever they wish. Let your supporters know how they can do this – for example, they may need to email a certain phrase to your PTAs email address. Be realistic about the amount of paperwork you can cope with versus compliance with GDPR. As schools usually send out data information sheets once per year, it is perfectly viable that your PTA does the same. Bear in mind that you will also need to manage and maintain a ‘suppressed contacts list of people who have opted out of receiving PTA communications.

Third parties

You may find that its sometimes necessary to input personal data into a third-party website, eg loading email addresses into Eventbrite. You cannot disclose data to a third party without consent, so you can only do this if the individuals were aware – at the point of collection – that their data would be used in this way.

Contacting supporters – legitimate interest

Aside from obtaining consent, another way you can legally send out direct marketing is via ‘legitimate interest. This only applies to an addressed letter (for example, to ‘Mrs Brown or ‘The parents of Jane Smith) or a phone call. This method relies on you being able to justify that the PTA has an evident legitimate interest in sending the communication, and that the individual you are contacting has a legitimate interest in hearing from the PTA.

This requires you to balance your own interests against the rights and interests of the individual – something that is particularly significant when it comes to children, as they are identified as a vulnerable group by GDPR. In cases where you plan to contact children directly using their personal data, it is likely to be much more difficult to prove a legitimate interest, as they are less likely to be in a position to object to the communication than an adult.

Legitimate interest should be considered on a case-by-case basis, taking into account the reasonable expectations of the recipient. In many cases, the fact that someone is a parent at the school may be justification enough. But if the individual would not reasonably expect you to use their personal details to contact them (for example, where they have previously objected to contact or where there is no prior relationship), this would not be legitimate interest and you must not contact them. The key question to ask is, ‘if I were in their shoes, would I be surprised to receive this?

Its vital that you document your justification for using legitimate interest. This will act as protection should you be challenged by the individual or regulator. You would need to show clearly documented evidence that the individuals rights and reasonable expectations were balanced against your legitimate interest before the decision to send the communication was made.

When sending communications via legitimate interest you must give individuals the chance to opt in to receive future direct marketing.

Should we rely on consent or legitimate interest?

Although GDPR doesnt require an opt-in for all communications, the ICO and Fundraising Regulator agree that ‘consent to contact is the most reliable basis for direct marketing. In the case of PTAs, however, it could be argued that as all parents at the school have a child who will benefit from the work of the PTA, all parents could be contacted through legitimate interest (as long as they havent opted out). It may, therefore, be practical to use a ‘legitimate interest enquiry to seek consent from individuals for them to receive communications via electronic channels and rely on flyers in book bags for general marketing purposes.

Electronic communication

Under the Privacy and Electronic Communications Regulations (PECR) – extra rules that sit alongside GDPR – further criteria applies to communication channels:

Digital messaging (text or email): You can only contact someone via these if they have given clear consent. This includes a message asking if an individual is happy to keep hearing from you. If you do not know if an individual has consented to being contacted via digital messaging, you must not contact them in this way. (Some providers have compliant systems – see Classlist information above).

Telephone: You may contact someone via telephone if it is a live person-to-person call and the individual has not opted out of telephone marketing. As PTAs dont have access to the Telephone Preference Service, contacting people via telephone can be risky and it is safer to use other forms of contact. Contacting businesses – with requests for sponsorship or donations – would be fine, as they are unlikely to have signed up to the Telephone Preference Service (TPS).

Social media: If a supporter has joined your PTA Facebook group, then you can message an individual, as the act of joining shows that they expect to hear from you. It isnt acceptable to message individuals personal profiles when they have shown no interest in the PTA. Messages are unsolicited if they havent been requested, but even though an opt-in doesnt make a message solicited, it does make it more likely that your marketing is compliant with PECR. Unsolicited or not, you must always say who you are, include appropriate contact details and ideally give people the option to actively opt-in to receive further communications.

As these rules may change the methods you currently use, its crucial to consider how you can seek consent from your supporters, how you might need to alter your communications, and how you manage any data you hold, including suppressed lists.

Social media

89% of PTAs use social media to communicate with parents. While this is a useful tool, it can pose a variety of data protection and security issues. You need to be fully aware of your pages privacy settings and who can access the information you post there. For example, some PTAs post a phone number through which parents can contact the PTA, but if your privacy settings are not restricted then anyone who visits your page could see it. Think about how you’ve authenticated members of social media groups: are they real parents – or even real people?

Public social media pages can be a brilliant way of promoting your fundraising to a wider audience, so dont feel that you cant have a page. It may be safer, however, to have a secure, closed group for your committee and/or parents, as well as a page where only general information is posted.

The changeable nature of a PTA committee means that you may have a dedicated moderator one year, and then the page, or group, may go unmanaged the next. Try to overcome this by creating a dedicated social media officer role.

Storing data – databases

Under GDPR its important to keep clear records of what a person has consented to and when they did so. This means procedures for using and protecting personal data need to be documented. If you are unable to show that you have ongoing consent and when you got it (or up-to-date information to justify legitimate interest) then you cannot use personal data for direct marketing. The best way to do this is to set up a secure and well-maintained database of all personal data you possess.

Collins Dictionary describes a database as ‘a collection of data that is stored in a computer and that can be easily used and added to. This covers spreadsheets, Google Docs and Word documents – but lists on bits of paper still count! Of the 80% of schools who handle their own data, 56% use an Excel spreadsheet and 36% use Google Docs to keep information safe.

To comply with GDPR you should be able to demonstrate that:

  • All personal data is stored securely in one place
  • Data is regularly reviewed and updated
  • Your database is password protected and the password is not handed out too freely
  • You keep track of who has access to the data and remove access/update the password once members leave the committee
  • You have a written policy and keep a record of how you handle data

If you already have a database, start as you mean to go on by updating it as best you can. If you have individuals on your database where you dont know when you last interacted with them or whether they gave consent, then you cannot safely contact them and need permission before doing so. You also need to keep the data of any business or sponsorship associates safe – all data needs to be treated and protected equally.

Finding out who does and doesnt want to be contacted is one thing, but keeping this information safe within itself is also crucial. The easiest way to do this is by splitting your database between those who have opted in to receive PTA communications and those who havent, as well as those who have actively said they do not want to be contacted. Keeping all data in one place means it can be easily passed over when the committee changes, and theres no risk of the new committee emailing those who have opted out.

Keeping data contained is a practice that should be extended to emails too. Its hard to keep track of emails sent from numerous personal accounts – one PTA email account that various people can access means everything is in the same place and there are no concerns over personal data on private accounts.

What else do you need to know?

Data breach: All organisations have a duty to report certain types of data breach to a relevant supervisory authority. A data breach is defined as, ‘a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This means that a breach is more than just losing personal data. You only have to notify the relevant supervisory authority of a breach where it is likely to result in a risk to the rights and freedoms of individuals – this would need to be assessed on a case-by-case basis. A notifiable breach has to be reported to the relevant supervisory authority within 72 hours of the organisation becoming aware of it. For more information, visit Check that your PTA insurance policy specifically covers data protection and the cost of seeking legal advice in the event of a data breach.

Deletion policy: There is no stipulation for the length of time data is kept and some personal data will need to be retained for longer in certain cases. How long you retain different categories of personal data should be based on individual needs. A judgement must be made about: the current and future value of the information; the costs, risks and liabilities associated with retaining the information; and the ease or difficulty of making sure it remains accurate and up-to-date. For example, one to two years would seem reasonable for parent data (though if you are asking parents for consent annually, it might be easier to start your parent contact database afresh each year).That said, you may wish to securely archive the previous years data in case of repeated activity, such as a Christmas pudding scheme in which parents have previously participated. Contact details for businesses who have provided sponsorship or donated raffle prizes in the past could reasonably be kept for longer. Make sure you agree a process and, if you can, attribute responsibility for data management to someone on your committee.

How can you work with the school to ensure that youre compliant?

Schools have received guidance and training on GDPR, and as the holder of highly sensitive data have to be on top of compliance. Make use of this knowledge if you are unsure of what measures to put in place. They should also be able to give you specific advice – with opt-in wording on letters, for example.

Alternatively, merging communications with the school is a good way to ensure you are supported. Having the school provide an additional option to accept communications from the PTA when gathering their own opt-ins is a practical way to gather initial consent. If the school were to include a PTA section within their regular newsletters, this would be covered by the consent given to the school as it is their communication. If youre unsure about storing data for yourselves, see if its possible for the school to store data for you through their system.


If in doubt, seek expert advice. For more guidance: