Regulators remind charities of the need to ensure compliance with data protection legislation
20 December 2016
The Charity Commission and the Fundraising Regulator have issued a joint alert reminding trustees that they must adhere to any data protection laws and regulations applying to their activities.
Crucially, this means having appropriate systems in place to identify where they apply and to ensure compliance.
The alert follows the recent news about the fines issued by the Information Commissioner’s Office (ICO) to the RSPCA and the British Heart Foundation for breaching data protection law (see our previous article).
In their alert, the regulators have set out helpful information about key steps that trustees are expected to take without delay. Full details can be found in the alert, but in summary the steps are:
- ceasing any activity described in the ICO notices of 5 December 2016 unless explicit consent is obtained
- reviewing and assessing the ways in which data is collected, stored and used
- reviewing and assessing data governance systems and processes
- ensuring there is a review of the requirements for reporting to the ICO when breaches are identified
- where there are breaches, considering the risk to those whose data has been breached and what action should be taken to mitigate the risks
- notifying the Charity Commission when there is an investigation by the ICO.
David Holdsworth, the Chief Operating Officer and Registrar for England and Wales, has commented: “practices that some charities consider ‘common practice’ are in breach of the data protection requirements and should be ceased immediately”.
Stephen Dunmore, Chief Executive of the Fundraising Regulator said: “The ICO’s monetary penalty notices for these two charities should be a wake-up call for the whole sector” and “achieving compliance with data protection law is now an urgent priority, if charities are to avoid further reputational risk and re-establish public and donor confidence in fundraising”.
It has been announced that further charities are under investigation and immediate action is required to restore public confidence. The Charity Commission, ICO and Fundraising Regulator are planning educational events for early next year, and there are also plans to launch some new practical guidance for the charity sector on data protection and consent issues (following the recommendations on putting donors in control issued by the NCVO in September 2016).
It is also important to remember that in addition to ensuring compliance with current law and regulations relevant to any fundraising activities, charities need to ensure that they take necessary steps to prepare for compliance with the new data protection laws coming into force in 2018. These new laws will replace our current data protection laws in their entirety and organisations breaching the new laws will face fines up to €20m. The new laws will (among other things) be much more prescriptive about information that must be provided to individuals about how their data will be used, and will also include more onerous consent requirements.
We offer a range of training services for charities under our Shaping Excellence Programme, including training on compliance with data protection law and other topics on governance and best practice for charity trustees. If you are interested in any of our training services for charities, please contact Liz Brownsell.
The content of this article is for general information only. If you require advice on any aspect of your data protection obligations or on the new data protection laws coming into force in 2018, please get in touch with a member of Birketts’ Charities Team.
It is not, and should not be taken as, legal advice. If you require any further information in relation to this article please contact the author in the first instance. Law covered as at December 2016.