GDPR preparation for charities

Andrew Guy | 27 October 2017

GDPR preparation for charities

Please note this blog was originally posted on LinkedIn on 26 September 2017.

There has been an overwhelming amount of research and surveys undertaken that are all reaching the same conclusion - the vast majority of organisations have not started to put the necessary steps and procedures in place in preparation for the launch of the General Data Protection Regulation (GDPR). With under a year to go, organisations should be thinking now about implementing the appropriate compliance updates to their current data protection and acquisition strategies to ensure they are 100% ready in time for when the 25th May 2018 rolls around.

According to the Information Commissioners Office (ICO), failure to comply will result in fines up to £17million or 4% of the annual turnover - whichever the organisation would consider most severe. In direct comparison, under the current Data Protection Act which GDPR is replacing, the absolute maximum fine is £500,000. This alone is clear indication that GDPR will involve a stricter approach in regards to data protection. 

It is also important to note that charities are not exempt from historical or future data legislation, with equally heavy fines in place for those who seriously breach this new piece of legislation.

In the last year alone, we saw 13 charities identified by ICO with £181,000 worth of fines being amassed for breaching the current Data Protection Act. Household names such as Cancer Research UK, Macmillan Cancer Support and Oxfam were amongst those charged:

  • Both Cancer Research UK and Macmillan Cancer Support were found guilty of profiling their donors based on wealth without their consent. For instance, between 2010-2016, Cancer Research UK managed to capture the wealth data of 3,523,566 individual donors. And in 2014 Macmillan Cancer Support wealth screened 2,188,508 individuals. The most obvious reason for practicing this would be to source the most valuable donors to target for their respective causes. According to the ICO, another motivator for this practice would to seek out those who would be likely to leave donations in their will. 
  • Beyond that, all 3 of the charities also sourced additional data on their donors that they did not provide themselves to strengthen their donor databases. This is categorised as a breach as the donor did not have the opportunity to select what exact data they wanted to give away. This data could be used as another direct contact avenue to ask for more donations.

The key takeaway here is that charities remain accountable under the new legislation. In light of these offences and the sheer number of investigations conducted, it can be assumed that ICO will be keeping a watchful eye over charities and scrutinising their future data protection competencies.

Back in February of this year, the Fundraising Regulator and the Charity Commission released a consent guidance document which stated that:

Charities must have a clear understanding of the basis on which they will justify their collection and use of personal information for their direct marketing purposes…communications should include a mechanism to withdraw consent easily at any time."

ICO does advocate that an ‘opt-in’ feature is the best and safest way forward for both charities and businesses alike. Many charities and private sector organisations are relying on ‘legitimate interests’ clauses, however this does not prove that the data itself was gathered in a lawful way. If consent is not actively received then charitable organisations cannot assume it has been given, noting that a previous donation is not considered consent. Ultimately, changing the ways in which charities collect and use a donor’s personal information, including in any direct marketing approaches.

To avoid a repeat of the ICO charity investigations and subsequent fines, we recommend that all businesses start auditing their current data protection and acquisition procedures and consider seeking out expert assistance to guarantee GDPR compliance.

We can help simplify and strengthen your knowledge surrounding the changes in legislation - please visit our IT Services page to find out more or to book your free consultation.

Click here to see Andrew's profile and contact details.




Get in