There have been some recent developments around data protection law. What are they and what do you need to do?

Marketing and Fundraising

The ICO (the data protection and privacy regulator) is taking a very robust line as evidenced by its recent enforcement action and guidance. Most readers will be aware that the ICO fined the British Heart Foundation and the RSPCA late last year for breaches concerning their fundraising practices. In addition to this, the ICO has recently announced an intention to fine a further 11 charities.

You should ensure that your marketing and fundraising practices comply with data protection law. It is also worth keeping in mind that the definition of marketing is very broad. It goes beyond selling products or asking for donations. As such, an email telling alumni about your plans for the next five years is likely to count as marketing.

When carrying out marketing and fundraising, you should keep the following in mind:

  • Transparency You should ensure that individuals are told how their personal data is used for fundraising and marketing purposes. This should be done via the appropriate privacy notice. Transparency is particularly important for the more privacy intrusive practices such as wealth screening (which in some cases, according to the ICO at least, will also require consent).
  • Consent Some fundraising practices require consent. For example, it is usually unlawful to send a marketing email unless the recipient has consented. Consent must be freely given, specific and informed. It must also be accompanied by a positive action. As such a statement such as 'You consent to us sending you fundraising emails. Please email us to opt out.' is not valid consent by any standards.In order to cover off the transparency and consent requirements, we envisage more schools using 'opt in' tick boxes to obtain consent as appropriate with a detailed description of how personal data is used for fundraising purposes.
  • Existing Data Even if you are satisfied that your school has a compliant privacy notice/consent form in place going forward, you will also have to consider what steps to take to make your existing database compliant.
  • GDPR You should also be mindful of how the GDPR will impact on fundraising practices. The ICO's position appears to be that 'opt out' consent is no longer lawful under the GDPR.

The General Data Protection Regulation

The General Data Protection Regulation (GPDR) will replace the Data Protection Act from 25 May 2018. Although implementation is still over a year away, you should be taking steps now to ensure that they are compliant. This includes:

  • reviewing information security arrangements to check that they meet the standards required by the GDPR
  • checking policies and procedures for GDPR compliance
  • considering how to meet the requirement under the GDPR that schools must be able to evidence compliance with data protection law
  • updating privacy notices, which will require additional information to be included. For example, under the GDPR individuals must be told about their right to complain to the ICO.


Schools are increasingly being targeted by criminals via sophisticated cyber-attacks. Emails are particularly vulnerable. For example, a fraudster might intercept an email from a supplier to your school and replace the supplier's bank details with their own. Another common attack involves the fraudster sending an email to parents requesting payment of school fees, but again, the payment details are the fraudster's and not the school's.

To ensure that you are adequately protected against such risks, you should:

  • check that your IT systems are sufficiently robust so as to prevent school systems and email accounts from becoming compromised
  • train staff to be vigilant and how to spot the risks (such as suspicious emails)
  • consider whether your current practices are secure - for example, is it really appropriate to send the school's bank details to parents via email
  • have a security breach action plan in place - this can be used as a checklist so that a school can respond quickly should a breach occur