It is now more than two years since the Data Protection Act 2018 and GDPR came into force, significantly increasing the enforcement powers of the Information Commissioner’s Office (ICO). With the passing of the Act, the ICO gained the power to issue fines amounting to millions of pounds and increased powers to bring criminal prosecutions against organisations who fail to comply with the data protection regime.
In this piece, we look at how these enforcement powers have been used, and the ICO’s strategic goals, to understand priority areas for GDPR compliance in the charity sector. We also look at how enforcement action can be avoided and managed through good information governance and rapid responses to emerging data protection issues.
Enforcement trends – priority areas for charities
Fundraising – data sharing, marketing and transparency
Prior to the commencement of the 2018 Act, the charity sector’s fundraising practices were investigated by the ICO, and 13 high profile charities were fined in 2016 and 2017 for the way they handled donors’ personal data. The ICO was particularly critical of how this information was collected and shared. The unlawful sharing of personal data continues to be a priority area for ICO enforcement. It is likely that any fines issued now for unlawfully handling donors’ personal data would be significantly higher than those issued as part of the previous investigations.
The ICO is actively pursuing organisations involved in unsolicited electronic marketing. Almost a quarter of all enforcement action recorded by the ICO has been connected with marketing. It is important for all charities to think carefully about information governance when dealing with donors and to ensure that any fundraising strategies are GDPR compliant. Any charity using electronic communications to contact donors and potential donors must ensure it has a lawful basis for doing so. The ICO has worked with the Fundraising Regulator to provide guidance to charities on fundraising and GDPR compliance.
Storing personal data and cyber-security
The ICO has issued a number of eye-watering fines to organisations that have failed to take appropriate organisational and technical measures to protect personal data. Fines have been issued to organisations when:
- Data breaches have occurred as a result of a cyber-attack;
- Sensitive data has been circulated via e-mail in an un-redacted form and a breach has subsequently occurred; and/or
- Hard copy data has been insecurely stored, even when there has been no evidence that the data has been unlawfully accessed.
The ICO’s focus has been on what precautions organisations have taken to protect data, not whether they were directly responsible for the breach. All charities need to have an understanding of what personal data they hold, both digitally and in hard copy, and how that information is appropriately secured. Policies need to be in place to ensure that volunteers and staff members understand how to handle personal data, particularly if it contains sensitive subject matter.
Dealing with subject access requests
Requests for personal data (often referred to as subject access requests) have been around for more than 20 years. The 2018 Act adjusted the regime, and the introduction of GDPR brought about growing awareness of data rights. As a result, some organisations found themselves facing a significantly higher number of requests. The ICO has not been sympathetic to those who found themselves inundated with requests, nor to those who would not usually expect them. It has issued enforcement notices, and even brought criminal prosecutions, against organisations for failing to comply appropriately with subject access requests. It is important for all members of charitable organisations to understand the data rights of those whose personal data the organisation holds, and to recognise when requests are being made. We have prepared a step-by-step guide for organisations having to respond to subject access requests, which can be accessed here.
Charity Commission action – regulatory collaboration
A key pillar of ICO strategy since the introduction of GDPR has been collaboration with other regulators, and recent enforcement action reflects this. As awareness of information rights and obligations grows, it is likely that a growing number of ICO investigations will stem from actions and investigations by regulators such as the Charity Commission. Any charity that finds itself being scrutinised by the Charity Commission should be aware that ICO action may follow if problems with information governance are found, and should prepare accordingly.
Data brokering
Recent research by the digital privacy organisation Pro Privacy into the websites of UK charities found that 92% of the UK's top 100 charities did not fully comply with GDPR. The Pro Privacy research focussed on the issue of data brokering, the commercial use of data collected from website users, something that is already under the regulatory spotlight.
Preventing ICO enforcement action
The old adage “prevention is better than cure” is particularly true in the context of data protection. Strong information governance makes ICO investigations less likely to happen in the first place and less likely to result in enforcement action and fines. Robust organisational and technical measures are the best way to avoid data breaches which may be reportable to the ICO. Eight charities took part in an ICO risk review immediately prior to the introduction of GDPR, and the review serves as a useful tool for those looking to improve their own policies and procedures.
Dealing with data breaches and ICO enforcement action
Issues with GDPR compliance are likely to come to the ICO’s attention through three routes:
- A complaint from a member of the public
- A referral from another regulator
- A report of a data breach from the organisation itself
As soon as a charity is aware of any complaint, it should act rapidly to understand whether the complaint should be upheld, engage with the regulator, and take appropriate remedial action at the earliest opportunity. As mentioned above, a charity that finds itself subject to regulatory scrutiny should anticipate possible action in respect of information governance, and keep this in mind when working with other regulators. Charities need to understand the nature and extent of a data breach as soon as it comes to their attention. If a data breach is sufficiently serious to justify reporting it to the ICO, then charities need to move quickly to minimise the impact of the breach, communicate with those affected, and engage with the regulator. We provide further information about dealing with data breaches here.
It is easy to feel “GDPR fatigue” when faced with endless opt-outs, cookie consents and privacy notices, but charities must remain alive to the issues that poor information governance can cause. The reputational, regulatory and financial impact of significant data protection breaches can be huge, particularly when organisations have not adequately prepared for enforcement action. The ICO has issued fines under the 2018 Act amounting to hundreds of thousands of pounds, and has announced its intention to fine international businesses millions for data breaches. The importance for all data controllers of careful compliance planning, and of swift remedial action in the event of breaches, cannot be overstated.