Information Commissioner's Office
Blog: Reflecting on the past five years of fundraising and data protection regulation
Lord Toby Harris, Chair of the Fundraising Regulator & Elizabeth Denham CBE, the UK Information Commissioner, reflect on the past five years of fundraising and data protection regulation in the charity sector.
It has been more than five years since serious public concerns were raised about how some charities were using the personal data they held about their donors. A lack of adequate fundraising regulation meant that practices of sharing and exchanging donor data had become common.
A review of charitable fundraising regulation followed, which found that the existing regulatory system for the sector needed reform. This review recommended a single, new regulator, and out of this, the Fundraising Regulator was established in 2016 to reverse poor public perceptions of charities and re-establish good relationships with donors.
Meanwhile, the Information Commissioner’s Office (ICO), the UK information rights regulator, fined 13 charities for breaking data protection laws by misusing donors’ personal data in data sharing, data and tele-matching or wealth screening. This shook public trust in charities and was the catalyst for transforming the way that charities interact with donors.
Committing to positive change
A year later, the charity sector came together to share learning from the past and prepare for the implementation of the incoming General Data Protection Regulation (GDPR). At a joint conference between the ICO, the Fundraising Regulator and the Charity Commission for England and Wales in February 2017, charities were encouraged to commit to positive change – and that meant playing by the rules even if that made practices a little more complicated.
The large number of people who participated in this conference and signed up to the ICO’s fundraising and consent webinar showed that charities wanted to get it right. Since then, charities have taken this commitment seriously by firmly embedding new ways of working into their operations.
The ICO’s audit of eight charities published in 2018 sought to assess charities’ compliance and showed many areas of good practice, including clear governance structures and the appointment of data protection officers. Like most organisations, charities want to do the right thing and maintain trust with their donors and stakeholders. While the ICO took action against a small number of charities for falling short of what is expected in law, we have not seen the widespread issues from previous years.
Enhancing data privacy rights
When the GDPR became enforceable in May 2018, it represented the most significant shake-up of how charities handle donor information. The new law created enhanced privacy rights for people and placed greater emphasis on accountability for organisations using personal data.
By contributing to and implementing the Fundraising Regulator’s GDPR guidance – produced with the Chartered Institute of Fundraising and reviewed by the ICO – which supports organisations to comply with the rules, charities have demonstrated their commitment to good fundraising and data protection practices. In addition, the ICO’s direct marketing guidance, which applies to all organisations and includes fundraising activity, continues to be a key resource for the sector.
The launch of the Fundraising Preference Service (FPS) in 2017 created an additional backstop for donor protection. By allowing people to choose how they are contacted by charities, the FPS helps organisations make sure they are respecting the contact preferences of individuals. Together, the Privacy and Electronic Communications Regulations (PECR) – which govern direct marketing calls, emails and texts – and the FPS are giving people back control of how and when they are contacted by charities.
Building a resilient future
The past 18 months have tested the charity sector again, but this time for different reasons. Restrictions on public fundraising have meant that many charities increased their use of digital fundraising methods or have taken to digital fundraising for the first time. This has implications for the way they collect data from individuals interacting with their services.
Guidance from both the ICO and Fundraising Regulator supports organisations to navigate data protection issues and fundraising regulation during this unprecedented time. Data protection is not a barrier to fundraising and we want to make sure that charities are supported to fundraise effectively, while handling people’s information in line with the law.
Charities should continue to follow, and refresh their memories of, the ICO’s data protection advice and direct marketing rules. This includes helpful information about protocols for processing personal data and outlines six circumstances, or lawful bases, in which charities can make contact with donors.
A reminder of the lessons learned
As we emerge from the pandemic restrictions, it is right that we as regulators do what we can to support organisations. We will continue to publish guidance and proactively engage with the sector on issues we encounter.
Under the pressure of the pandemic, charities should remind themselves of the lessons learnt all those years ago. The sector must make sure that it maintains the high standards that it has set itself, particularly when it comes to trust, accountability and transparency, which are all key elements that underpin data protection laws and fundraising regulation.
A key outcome of the GDPR is that people are now more aware of the value of their personal data and how it’s used than ever before. So, any organisation that wants to be trusted must get data protection right. Driving trust is a hugely important part of our joint role in protecting the public. We know that trust, and a positive donor experience from start to finish, will drive confidence in charities and their fundraising activities.
As we reflect on the progress that has been made over the past five years, it is right that we, the Fundraising Regulator and the ICO, commend charities for the significant strides they have taken to improve fundraising and data protection practices. We have been consistently pleased with charities’ willingness to engage with our regulation, and in doing so, they have together built a stronger, more resilient sector.