GDPR: How charities can avoid being a statistic in the era of ICO crackdown
In the wake of GDPR, we take a look at some of the recent enforcement action, who’s been hit and why, so charities can better manage their risk of non-compliance and avoid handing over their precious budgets to the ICO.
Just over a year since the General Data Protection Regulation (GDPR) came into effect in May 2018, charities need to be aware that the Information Commissioner’s Office (ICO) is ready to crack down on non-compliant organisations.
One thing is becoming clear: the ICO isn’t a lame duck – the regulator has teeth. It has the power to impose fines of EUR 20 million or 4% of annual turnover, so falling afoul of GDPR rules can be material.
Last year, Charity Digital News noted that the ICO issued the largest number of fines to date. Matthew Moorut, Head of Digital and Marketing at Charity Digital at the time, said: “We see the introduction of GDPR as a good thing for the charity sector. It encouraged many charities to review their data policies – or create them – to better protect the rights of the people they’re looking to help.”
But while GDPR has brought with it many positive changes, it is still early days for seeing what negative consequences GDPR could have for those charities not complying. The ICO is now beginning to enforce penalties against large businesses and charities alike, but this is just the start, as many incidents are only now being investigated.
ICO enforcement action
In a statement released in July this year, the ICO stated its intention to fine British Airways £183.39 million for failings in protecting customer data. The regulator found that BA’s website diverted customers and their data to fraudulent sites, where malicious groups stole the data.
Elizabeth Denham, Information Commissioner said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
In the same week as the BA fine, the ICO noted its intention to fine Marriott International £99 million relating to a cyber incident in which the data of 339 million customers was exposed. In the main, the customers were guests of Starwood hotels, a hotelier group which Marriott acquired in 2016. The ICO found that Marriott should have done more due diligence on Starwood before the merger.
While not in the same league of fines, telecoms company EE has also got into hot water by sending marketing text messages to customers. The ICO fined EE £100,000 for sending 2.5 million customers direct marketing messages without permission. Andy White, ICO Director of Investigations, said: “EE Limited were aware of the law and should have known that they needed customers’ consent to send them in line with the direct marketing rules.”
ICO fines have not been limited to large companies – the first charity fines have also emerged. Shortly after GDPR came into effect, the British and Foreign Bible Society’s IT security protecting donor financial information was found to be insufficient. In addition to financial information, the details of donors and their religious beliefs could have been determined from personal data.
There is help for charities navigating the post-GDPR environment
For charities, keeping informed can help avoid GDPR mishaps. It’s worth observing that most of the GDPR fines relate to the handling of customer information – more specifically, data / IT security and inappropriate marketing. Ensuring that IT systems and access rights are properly secured can help charities avoid fraudulent access. Good record keeping of communication consent can also prevent GDPR breaches.
To help charities and other organisations, the ICO has issued guidelines on how to comply with GDPR. Meant for data protection officers, the online resource includes sections on the principles of data protection; how to proceed with processing data from the outside world (i.e. clients); issues of governance; security; and certain exemptions.
A self-assessment and checklist directly from the ICO can also provide more practical support for charities. Specifically aimed at smaller organisations, the checklist and guidance offer easy-to-use online questionnaires which help to evaluate any gaps in data protection processes.
Some burning questions charities may have can also be answered quickly. Elizabeth Carter, Charity Digital Mail Manager at Charity Digital News, helps charities navigate email and other electronic communications. As part of GDPR, the Privacy and Electronic Communications Regulations (PECR) generally state that charities shouldn’t send out any marketing emails or texts without specific consent.
The ICO has also tailored advice for charities. Frequently asked questions and answers are available for charities and small enterprises in need of specific guidance – importantly, the FAQs tackle aspects of compliance with the Data Protection Act (DPA), PECR, and GDPR. A helpline has also been made available for more information.
Cost is not an excuse for non-compliance
The third sector can’t afford to lose more public trust – scandals from Oxfam, Kids Company, and more recently the British and Foreign Bible Society have encouraged public scrutiny into charitable operations, in an already challenging fundraising environment.
For a small to medium-sized charity, appearing on the ICO’s public name-and-shame list of fines not only erodes trust even further but could jeopardise fundraising efforts. Once seen as a luxury, cybersecurity in the third sector needs investment, as donors are unlikely to be sympathetic if their funds or information are leaked.
There is hope – Philip Anthony, founder of experienced non-profit IT specialist Coopsys, noted that some charities once perceived that “every pound spent on GDPR is one less towards the charity’s aims.” Mindsets are changing – the key message is that, rather than a cost, GDPR, data protection, and cybersecurity are core business functions that protect charitable goals rather than detracting from them.