Data Protection Weather Warnings (GDPR)

07 June 2017

It has been heavy data protection weather for charities for some time. In December last year the ICO fined the RSPCA £25,000 and the British Heart Foundation £18,000, and there were further fines for 11 more big charities in April this year for a number of misdemeanours, including wealth screening* donors without their consent, swapping donors’ data with other organisations without donors’ express consent (and in some cases, contrary to donors’ wishes), data-matching* and tele-matching.

Storm Doris buffeted the UK at the end of February with winds of 94mph and in the same week, storm warnings of a kind were also issued to charities and their fundraisers at a joint conference held by the Information Commissioner’s Office (“the ICO”), the Fundraising Regulator and the Charity Commission in Manchester.

Audible gasps from the audience punctuated proceedings, not least during the speech by Elizabeth Denham, the Information Commissioner:



The ICO has come under criticism from some quarters for not adequately guiding and policing charities and Elizabeth Denham was in combative mood:

“We’ve always done it this way.” It’s a phrase I’ve heard a lot over the last few months… it’s a particularly perilous phrase if what you’ve “always done this way” is not follow the law.


By now, charities and other fundraising organisations should be under no illusion that the activities we investigated – data sharing, data- and tele-matching, and wealth screening – breached data protection rules.


So has the sector been breaking the law?

Put simply, yes. Many charities appear to have been systematically breaching data protection rules for years – probably without realising it.

Much of the sector believed the ICO planned a soft-touch regime for charities following guidance issued by the sector membership body, the Institute of Fundraising (“IoF”), in 2010. The IoF’s guidance was relaxed on the back of a conversation with an ICO official and the ICO reviewed the IoF’s new guidance without comment.

The ICO issued their own, much stricter, guidance in 2012 but by this time it seems fundraisers were following the IoF guidance and took little notice of the ICO’s new guidance. Fundraisers thought that given what they perceived to be the indifference of the ICO, if they could raise more money for beneficiaries they should do so – whatever the means.


Further compounding the confusion, tens of thousands of complaints from the public about fundraising reported by the Fundraising Standards Board (“FRSB”) were not registered with the ICO by the FRSB. The ICO assumed that because the complaints weren’t registered with them, there was no need to worry. Fundraisers were following incorrect guidance and many charity boards had little interest in understanding data protection regulation, provided their fundraisers were following the IoF’s Code of Practice and raising lots of money.

Then the Daily Mail reported that poppy seller Olive Cooke’s sad suicide in May 2015 was caused by an avalanche of direct mail from charities, and the whole sector has felt the consequences – whether or not their charity was implicated. Everyone has been tainted. But the winds are due to change again.


What is the GDPR and how does this change data protection compliance?

The General Data Protection Regulation (GDPR) was finally adopted in 2016 by the European Union institutions and becomes law with direct effect on 25 May 2018.

The GDPR is the most far-reaching reform of data protection law in over three decades and will replace the Data Protection Act 1998 in its entirety. It is the great data protection compliance storm which many fear will greatly increase administrative burdens for charities.

In practice, for those charities who are already compliant under the existing regime, GDPR will not pose too great a challenge but there is no doubt that the compliance burden is increasing.


Key reforms include:
  • the need to consider the data protection aspects of everything you do “by design” and “by default” based on privacy impact assessments;
  • compulsory notification of data security breaches to the ICO;
  • powerful new rights to access, rectify, erase, restrict, move, object to and be informed about the processing of data;
  • tighter rules relating to data subject consent;
  • increased risks and liabilities if you contract out any data processing activities to other parties;
  • significantly greater powers for the ICO to impose financial and other penalties for not complying with the GDPR.

We will be covering the key changes and providing guidance on how to comply with the GDPR in our autumn seminar so do let us know if you would like to receive an invitation to that event.


Will the sector be ready to weather the storm?

The key for all charities will be to make the most of the next year. There is no transitional period for the implementation of the GDPR so your charity will be in breach of its duties and responsibilities if it is not complying on 25 May 2018.

Some charities will be required to appoint a ‘data protection officer’ to lead their compliance with the GDPR. Whether you are required to or not, the ICO expects all charities to ensure that their organisations have sufficient staff and skills to discharge their GDPR obligations. Therefore, even if your charity is not required to appoint a data protection officer, it would be well worth all charities requiring a member of staff or a trustee to apply their mind to the changes that their charity needs to make to be compliant come May 2018.

We offer a data protection workshop for trustees and governors of charities who would like some assistance in ensuring they are ready for GDPR – if this would be of interest please do get in touch!


Key Data Protection Events Timeline

* Glossary:
Wealth screening: using an individual’s data (usually shared with a wealth management company) to analyse their financial status. This data can then be analysed to give an indication of the probability of individuals providing different types of financial support.

Data-matching and tele-matching:
Data-matching is the use of a donor’s data (for example, their name and address) to find and ‘match’ other data about the donor which has not been provided, such as their email address or date of birth. Tele-matching is the same, but in order to obtain an individual’s telephone number.

By Kenji Batchelor

For further advice on the above topics, please call us on 01483 543210 or alternatively email
