The ICO found some areas of good practice as well as areas of concern. On direct marketing (for many charities, the area causing most concern), the ICO identified a positive move towards an opt-in approach to obtaining marketing consent, with most charities meeting the GDPR consent requirements by providing separate check boxes for each type of communication.
However, the ICO also found areas that could be improved. Alarmingly, they found that the majority of charities do not carry out routine data compliance checks, and that data protection compliance does not form part of their internal audit programmes. It was also found that many charities do not have key information governance policies in place and do not effectively communicate data protection responsibilities to staff. These charities are at risk of breaching the new 'Accountability Requirement' under the General Data Protection Regulation (GDPR).
When the GDPR came into force in May 2018, a new Accountability Requirement was introduced. It is no longer enough to comply with the requirements of the GDPR; charities must also be able to demonstrate how they comply. This means that data protection must form part of every charity's internal audit and governance requirements.
This review follows closely on from a series of fines issued against 13 charities in 2016/2017. An ICO spokesperson said the eight charities were “organisations where concerns about data practices were identified during our investigation into the sector between 2015 and 2017” but that “these concerns were not sufficiently serious to warrant a financial penalty”. The ICO also said of this review that “engagement with charities [is] not just about fines and enforcement but to encourage genuine, ongoing improvements in the wider sector”. It will be interesting to see if the ICO continue to take this approach when enforcing the new Accountability Requirement in the future.