Charities should heed the Charity Commission and Fundraising Regulator’s warning about fundraising in line with data protection law

Co-written by Jason Riley, Trainee Solicitor and Laura Trapnell, Partner and Head of Intellectual Property

The Charity Commission, the independent regulator of charities in England and Wales, and the Fundraising Regulator, which maintains the Code of Fundraising Practice and practice standards for the UK, have issued a stern reminder to charities and trustees.

Charities, and in particular the trustees running them, have been warned to comply with the law on data protection (as well as to maintain compliance with charity law). Data protection law governs, among other things, the collection, use and storage of donors’ personal data, which can include information such as email addresses, postal addresses, telephone numbers and financial information.

The Charity Commission has made it clear that trustees are responsible for ensuring that their charity is compliant with the legislation. Often this involves ensuring that systems and processes are in place and fit for purpose to adhere to the above laws, such as ensuring that the charity always obtains the explicit consent of a donor for the use and storage of their personal data.

In December 2016, the ICO fined the RSPCA and the British Heart Foundation £25,000 and £18,000, respectively, for wealth screening. This involved the charities hiring wealth management companies to analyse the financial data and status of donors and supporters in order to quantify how much more money they could potentially be persuaded to give. The charities were also found to have used telematching. This is the practice of using external companies to find additional information about an individual, in order to add further communication channels through which the charity can attempt to contact that person.

Considering the current law on data protection, the implementation of the General Data Protection Regulation next year and the potential punitive consequences of a breach, we advise our charity clients to consider the following steps:

  1. Review your charity’s activities and practices with regard to data collection, use and storage to ensure that they are compliant with data protection law.
  2. Assess whether current systems and processes are fit for purpose and comply with data protection law.
  3. Ascertain whether donors’ consent has been given freely and clearly in the context of intended activities.
  4. Where explicit consent has not been obtained from a donor and there is a strong likelihood that your charity is acting in breach of data protection law, prepare a risk impact assessment and take steps to ensure that consent is freely given.
  5. Where any breaches have occurred, consider the risk to those donors whose data has been infringed and consider immediate action, which may include:
    1. mitigating the risks to those parties and their data;
    2. notifying those affected if appropriate (following a risk assessment); and
    3. complying with reporting obligations to the ICO.

Acting in breach of your legal obligations has been shown to result in substantial financial penalties. Failing to identify the risks and breaches could also attract public criticism, result in reputational damage and undermine donor confidence in charity fundraising and the industry as a whole.

At some stage this year, the Charity Commission, ICO and Fundraising Regulator intend to hold a joint educational event for charities on data protection requirements.

To keep up-to-date with the above event and any further announcements, or if you have any questions or enquiries as a result of the above article, please do not hesitate to contact me.