Compliance with GDPR should be a top priority for every charity. In the year following the introduction of the law, the Information Commissioner’s Office (ICO) has issued several fines against big companies and charities alike – an indication that GDPR compliance needs to be taken seriously by everyone.
Telecoms company EE has been fined £100,000 for sending over 2.5 million direct marketing messages to its customers without consent, in violation of GDPR policy. British Airways and Marriott International have each been issued with a notice of intent to fine, for £189 million and £99 million respectively.
Charities have not been exempt from fines. In 2018, the ICO fined the British and Foreign Bible Society £100,000 after attackers exploited a weak password to gain access to more than 400,000 donors’ data. In the wake of these fines, it is imperative that charities and small businesses ensure that their activities and data processing are GDPR compliant.
Elizabeth Denham, the UK’s Information Commissioner said: “People’s personal data is just that – personal. When an organisation fails to protect it from loss, damage or theft it is more than an inconvenience. That’s why the law is clear – when you are entrusted with personal data you must look after it. Those that don’t will face scrutiny from my office to check they have taken appropriate steps to protect fundamental privacy rights.”
What can you do as a charity to be compliant with GDPR?
- Keep a good record of communication consent. Most GDPR fines relate to the handling of customer information (the IT security of data and inappropriate marketing). The ICO’s guidance on electronic marketing states that marketing messages can only be sent to existing customers if they have given consent and are also given a simple way to opt out of receiving messages.
- Hire or outsource the role of a data protection officer. A data protection officer is an independent expert responsible for monitoring an organisation’s compliance with GDPR and acts as a point of contact with the supervisory body. Kazient has direct experience working with charities (past clients include SKT Welfare and One Nation) and we are expertly placed to advise charities and act as outsourced DPOs as we are currently doing with Rahma Mercy.
- Keep up to date with ICO-issued guidelines on how to comply with GDPR. The guidance summarises the key points you need to know and contains practical checklists to help you comply. Tailored advice for charities can also be found here, as well as a self-assessment checklist aimed specifically at small organisations to help identify any gaps in your data protection processes. Lastly, you can also use the ICO helpline for further advice and guidance.
Is it all bad?
The introduction of GDPR is an opportunity for charities to review their data policies. In the past, GDPR compliance has been perceived by charities as an ‘optional’ exercise. However, as demonstrated by the fines issued by the ICO, the cost of non-compliance is high. The regulator has the power to fine organisations in breach of GDPR rules up to 4% of their annual turnover. Aside from the monetary cost, non-compliance can also affect trust in the charity, possibly jeopardising fundraising efforts and harming the charity in the long run. GDPR compliance should be seen as an opportunity for charities to protect their recipients and build trust with donors.
Kazient Privacy Experts offer Data Protection, Privacy and GDPR compliance solutions in a language you understand to UK and international organisations, and have received positive media coverage across Europe. Kazient’s GDPR consultants are fully certified to be your outsourced Data Protection Officer or EU Representative. Get in touch to find out how we can help your business by visiting our website www.kazient.co.uk or calling us on 0330 022 9009.