Posted by Deanna Hurst, Partner
Charities fall foul of data protection obligations
Last year, we warned about the pitfalls surrounding personal data and the hefty fines many companies received from the Information Commissioner’s Office (ICO), showing how easy it is for companies to fall foul of data protection legislation. The ICO is once again proving it has got teeth; this time, however, it is a number of charities that have been named, shamed and fined.
Great Ormond Street Hospital Children’s Charity, the NSPCC, Cancer Research UK, Macmillan Cancer Support, The Guide Dogs for the Blind Association and the Royal British Legion have all received substantial fines from the ICO after it was discovered that their supporters had been illegally screened by the charities based on their wealth. Information obtained by the charities about donors’ income, property values and even friendship circles was then used to target wealthy donors in a bid to encourage them to leave a legacy to the various charities in their will.
Further fines were issued to Oxfam and Battersea Cats and Dogs Home for “telematching” – essentially obtaining further information about donors by using existing information they held without the donor’s permission.
Many of the charities have fought back, claiming the fines, ranging from £6,000 to £18,000, are excessive and disproportionate. However, as these cases clearly demonstrate, charities are bound by exactly the same rules as companies and all types of organisations in the UK. Leaving aside moral arguments about whether it is fair to punish charities in this way, particularly if the charity has taken immediate remedial action, the reality is that the penalties for breaching data protection are being actively enforced no matter how unintentionally a breach has occurred.
Data protection obligations are set to become even more onerous when the General Data Protection Regulations (GDPR) come into force on 25 May 2018 in the UK. The Government has confirmed that Brexit will not affect commencement. These regulations contain provisions for maximum financial penalties of 4% of annual worldwide turnover of the preceding financial year or 20 million euros, whichever is the greater, for various violations including breaches of the data protection principles and conditions for consent.
These recent headlines serve as a timely reminder for all types of organisations to be alert to the penalties for breaching data protection and to take specialist legal advice to prevent breaches occurring unnecessarily. If you are a charity, have you got robust mechanisms in place to protect your donors’ personal data?
If you are a charity, get in touch with Jacqui or Jessica Bent to review your data protection obligations and avoid unnecessary penalties on:
01225 730100