Elizabeth Denham, the UK Information Commissioner, has told the charity sector to accept data rulings and to commit to “positive change”.
Denham, who was speaking at the Fundraising and Regulatory Compliance Conference in February, issued a strong warning to charities. “You can cling to the belief that we’ve got the law wrong or that it doesn’t apply to your sector or that the regulatory burden is too great,” she said. “Or you can commit to positive change. Change that, in my view, is not only achievable but will reap its own rewards.”
Investigation into charities
Last December, the Information Commissioner’s Office (ICO) fined the RSPCA and the British Heart Foundation a combined £42,000 after they were found to have “secretly screened millions of their donors so they could target them for more money”. Then, in January, the ICO informed 11 other charities, which haven’t yet been named, that they would also receive fines.
The speech appeared to mark the close of the inquiry, with Denham stating her wish to “draw a line” under the investigation.
“By now, charities and other fundraising organisations should be under no illusion that the activities we investigated – data-sharing, data and tele-matching, and wealth screening – breached data protection rules.”
Charities were getting around the law
Wealth screening – profiling and ranking donors based on income – is indicative of Denham’s concerns that charities are trying to “get around” the Data Protection Act. In her own words:
The Data Protection Act is a principles-based law. It doesn’t address the legality of particular activities. You won’t find a clause that says wealth screening is against the law, for example. But you will find principles that say data must be processed fairly and legally.
She emphasised that the problem wasn’t necessarily that wealth screening or other activities were against the law in themselves, but that many charities were failing to tell donors properly and clearly what they were going to do with their data.
“How can people object to their data being processed if they don’t know it is?” she asked. “How can people submit a Subject Access Request for the information a wealth screening company holds about them if they don’t know their information was sent to a wealth screening company?”
Demonstrate compliance with the GDPR
The stakes for non-compliance with data protection laws are soon to be much higher. The ICO can currently issue data controllers with fines of up to £500,000 for breaches of the Data Protection Act. Under the General Data Protection Regulation (GDPR), which will be enforced from 25 May 2018, the ICO will be able to impose fines for non-compliance of up to €20 million or 4% of annual global turnover – whichever is greater.
The GDPR applies to all organisations that process EU residents’ personal data, whether or not they are based in the EU.
For those looking to implement the GDPR, IT Governance’s GDPR Expertise Bundle contains essential resources, including a pocket guide to the Regulation, an implementation and compliance guide, and an introduction to the legal and practical data protection risks involved in using Cloud services.