New ICO report identifies common areas for improvement

Recently, the UK’s data protection regulator, the Information Commissioner’s Office (ICO), published its findings following a targeted review of eight charitable organisations’ data processing activities. In its report, the ICO identified areas of good practice as well as common opportunities for improvement. The ICO noted that the findings in its report matched the areas of non-compliance it had already identified among smaller charities during routine advisory visits.

Article 5(2) of the GDPR requires that all data controllers demonstrate their compliance with the core data processing principles listed in Article 5(1). This is known as the ‘accountability’ principle. Writing and maintaining appropriate data protection policies and documentation is a key means of demonstrating accountability. The ICO’s investigations therefore focused on the existence and content of the charities’ written data protection policies.

On the basis of that review, the ICO identified that charities could generally improve in a number of areas, including the following:

Governance, policies and procedures

Monitoring and reporting

Training

Consent, fair processing and data sharing

Incident reporting

Retention and disposal of personal data

Three months clear of the GDPR implementation date, now would be a good opportunity for charities to review their compliance. The above points can be used as a check-list for your Data Protection Officer, Data Protection Committee and/or board of trustees to run through as part of this exercise. It is worth remembering that, despite their not-for-profit objectives, charities are not exempt from the ICO’s enforcement powers.

I am a solicitor in Paris Smith’s Data Protection Team. If you have any questions about this article, including if you operate or work for a charity and would like advice on your data protection compliance, then you can contact me either by email or telephone 023 8048 2316.