
ICO Report on Eight Charities and the GDPR Accountability Requirement

on Tuesday, 06 November 2018.

In April 2018 the Information Commissioner’s Office (ICO) published a report following a programme in which eight charities took part in voluntary information risk reviews.

The ICO found some areas of good practice as well as areas of concern. On direct marketing (for many charities, the area causing most concern) the ICO identified a positive move towards an opt-in approach to obtaining marketing consent, with most charities meeting the GDPR consent requirements by providing separate check boxes for each type of communication.

However, the ICO also found areas that could be improved. Alarmingly, they found that the majority of charities do not carry out routine data compliance checks, and that data protection compliance does not form part of their internal audit programmes. It was also found that many charities do not have key information governance policies in place and do not effectively communicate data protection responsibilities to staff. These charities are at risk of breaching the new 'Accountability Requirement' under the General Data Protection Regulation (GDPR).

When the GDPR came into force in May 2018, a new Accountability Requirement was introduced. It is no longer enough to comply with the requirements of the GDPR; charities must also be able to demonstrate how they comply. This means that data protection must form part of every charity's internal audit and governance requirements.

This review follows closely on from a series of fines issued against 13 charities in 2016/2017. An ICO spokesperson said the eight charities were “organisations where concerns about data practices were identified during our investigation into the sector between 2015 and 2017” but that “these concerns were not sufficiently serious to warrant a financial penalty”. The ICO also said of this review that “engagement with charities [is] not just about fines and enforcement but to encourage genuine, ongoing improvements in the wider sector”. It will be interesting to see if the ICO continue to take this approach when enforcing the new Accountability Requirement in the future.


For more information please contact Penny Bygrave in our Commercial Law team on 020 7665 0867.