ICO’s annual report shows most fines ever

Data governance regulator hits UK charities with £138,000 in fines – and that’s before penalties for GDPR non-compliance have started to bite the Third Sector…

Chloe Green | 20th Jul 18
The Information Commissioner’s Office’s latest report says that it imposed 11 fines totalling £138,000 on UK charities for ‘unlawfully processing personal data’ in the 12 months to 31 March 2018.

The Information Commissioner’s Office (ICO) has released its annual report for 2017/18, which shows that it issued the largest number and amount of civil monetary penalties to date in that year.

The report details that the ICO:

  • Has seen a significant increase in data protection complaints (+15%), self-reported breaches (+30%) and freedom of information complaints (+5%).
  • Received a ‘huge increase’ in telephone, live chat and written queries from the public and organisations. In the last quarter of 2017 it received 30,000 more such calls than in the previous three months.

Focus on charities

The increase in the level of self-reported breaches and complaints has affected the charity sector as well as others, with 11 fines totalling £138,000 to UK charities for unlawfully processing personal data in the 12 months to 31 March 2018.

These fines were issued under the Data Protection Act (DPA) 1998 rather than the General Data Protection Regulation (GDPR) 2018, meaning the figure for similar breaches would have been higher if they were discovered and investigated now.

The report does feature a note on the ICO’s work in educating charities on the incoming GDPR, including radio advertising, events attendance for the National Council of Volunteer Organisations and detailed input on guidance produced by the Fundraising Regulator and the Institute of Fundraising on wealth screening.


Important time

Speaking on the report, Elizabeth Denham, Information Commissioner at the ICO said: “This is an important time for privacy rights, with a new legal framework and increased public interest.”

“Transparency and accountability must be paramount, otherwise it will be impossible to build trust in the way that personal information is obtained, used and shared online.”

“We see the introduction of GDPR as a good thing for the charity sector. It encouraged many charities to review their data policies – or create them – to better protect the rights of the people they’re looking to help,” said Matthew Moorut, Head of Digital and Marketing at Charity Digital.

Moorut added: “I hope that the ICO will continue to consider the special positioning of charities, and provide as much assistance and guidance as possible for fundraisers and project managers as we need. On the flip side, the responsibility lies with charities’ trustees and staff to keep looking for any guidance that is produced, and to act sensibly and cautiously with any personal data they handle.

“We’ve yet to see the first fine given out under GDPR, so the fact that more fines were given out last year than ever before is likely a sign of things to come.”
