The Fundraising Regulator has warned that 59 charities could be in breach of data protection law for failing to apply suppression requests made via the Fundraising Preference Service (FPS) and has referred the charities to the Information Commissioner’s Office (ICO).
In the past, charities in particular found themselves thrust into the regulatory spotlight after high-profile media campaigns highlighted how people, often vulnerable people, were being unduly targeted, for example in the Olive Cooke case.
In light of this, the rules charities had to adhere to were toughened up, and charities have been moved to change their approach to compliance.
Why have charities been referred?
When a member of the public registers with the FPS on their own behalf (or on behalf of someone else) and requests that a charity stop communicating with them, the FPS sends an email to the charity’s nominated contact asking them to log into the FPS platform within a 21-day period and act on the request.
The FPS gives the public control over the contact they receive from charities and enables individuals to select charities that they no longer want to receive communications from. Around 8,300 individuals have requested a total of 25,000 suppressions and these opt-outs mean charities must cease direct marketing.
Gerald Oppenheim, chief executive of the Fundraising Regulator, said: “The FPS is an important tool in helping to rebuild trust between members of the public, particularly those who are vulnerable, and the charity sector. Charities that fail to respect requests made by the public to stop unwanted communication risk damaging the good work done by the rest of the sector.
Some charities may think they have valid reasons for not accessing the suppression request. Despite this, they are still in breach of the code and possibly in breach of the Data Protection Act, because the request is an individual’s wish to stop receiving direct marketing.”
The Fundraising Regulator has said that it has made ‘repeated attempts’ to contact the charities’ Chief Executives, but requests had been ignored on a number of occasions and now action has been taken.
The requirement for good governance applies to businesses across different sectors and perhaps more so to charities of all sizes, which have arguably been under a higher degree of scrutiny. A lack of resource and funding (in particular, at the smaller charities) can lead to shortfalls in risk management. It’s important to highlight areas of risk and put in place procedures and policies to mitigate these.
What Are the Key Risk Areas for Charities?
- Unsolicited direct marketing where there’s no evidence of valid consent (when not relying on Legitimate Interests as a basis) – including where data comes from third parties or online sources.
- ‘Invisible’ processing – you must notify supporters of all types of processing, including any data appending or wealth screening.
- Handling sensitive data without due care & protection.
- Data security risks, e.g. insecure systems/processes and data transfers.
- Accidental disclosure of data – Training can play a key part in minimising this risk.
- Fundraising activities, such as face-to-face and telemarketing, must be managed carefully.
- Volunteers who have access to personal data and don’t keep it safe.
This action by the Fundraising Regulator serves as a reminder to charities to ensure their compliance program is regularly monitored and the Data Protection principles are adhered to.
Stephen Eckersley, ICO’s director of investigations, added: “Charities that ignore the Fundraising Preference Service run the real risk of causing distress and offence to people who just don’t want to receive their marketing communications. The ICO has written to these charities to remind them they must act lawfully and responsibly in protecting people’s personal data, and in how they communicate with them.
Our advice for charities is clear: they must not contact people registered on the FPS and, where we see this happening, we will investigate and take enforcement action where necessary.”
Published 8th March 2019
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.