Most charities will be thinking about data protection ahead of the European General Data Protection Regulation (GDPR) coming into force in spring 2018. But for many, the real call to action came when the Information Commissioner’s Office (ICO) issued 13 charities with fines of up to £25,000 following an investigation into fundraising practices.
How should a monetary penalty be calculated?
There is no binding guidance on how the ICO should assess a monetary penalty, although the ICO's own statutory guidance and publications provide some general pointers.
As far as we are aware, none of the charities that were fined as a result of the ICO’s fundraising investigations have appealed. With reports suggesting that public trust in the sector was falling, it would be understandable if those organisations chose to pay the fines in order to bring matters to a swift close and avoid any further reputational damage. Nonetheless, a First-tier Tribunal decision published last week shows that ICO penalties can be reduced on appeal.
The Tribunal’s decision
The case concerned LAD Media Ltd, which was found to have breached the Privacy and Electronic Communications Regulations 2003 (the Privacy Regulations) when it instructed a third party to send direct marketing text messages to individuals who had not consented to receive them. The ICO issued LAD with a monetary penalty notice (MPN) for £50,000.
LAD appealed against both the imposition of the MPN and the amount of the penalty. The Tribunal found that LAD had breached the Privacy Regulations and that the ICO had been right to issue the MPN. However, it disagreed with the amount of the fine and reduced it to £20,000, taking into account factors including:
- the circumstances of the breach and harm caused or likely to be caused
- whether it was deliberate or negligent and any steps taken to avoid the contravention
- the size and sector of the company
- the financial circumstances of the company and the impact of the MPN
- any steps taken to avoid further contraventions and any redress offered to those who were affected
Lessons learned
This decision may provide some comfort to smaller and medium-sized charities that could ill afford a penalty running to tens of thousands of pounds. However, it also highlights the importance of obtaining satisfactory consent from individuals before sending direct marketing (including fundraising material), and it reinforces the steps that organisations are expected to take before entering into arrangements with third parties to share and process personal data.
Both of these issues are key aspects of the GDPR, and charities should be preparing now to ensure that they will be compliant when the new legislation comes into force next year. We are already working with a number of clients ahead of May 2018. As the ICO's recent investigations have demonstrated, charities that ignore data protection could find themselves paying a high price.