IoF to ICO: Charities need clarity in new GDPR compliance guidance

News by Max Metzger

The Institute of Fundraising has called out the Information Commissioner for a lack of clarity over GDPR compliance

The Institute of Fundraising (IoF) has called on the Information Commissioner's Office (ICO) to give greater clarity for charities on compliance with incoming European data protection regulation.

The ICO is currently mulling its guidance around consent and the GDPR. Submissions closed on 31 March and will now be considered by the office.

The UK body for professional fundraising and charities hit out at the ICO in a recent statement, saying that current guidance on the advent of the General Data Protection Regulation (GDPR) leaves charities in the dark, especially around the issue of consent.

Daniel Fluskey, head of policy and research at the Institute of Fundraising, said in a statement, “The standard for consent is raised under GDPR, and we think that the guidance could be clearer and more helpful for charities in certain areas.”

The ICO should look at “a more joined up approach in the presentation of the guidance so that organisations understand different legal conditions for processing data and fundraising activity.”

Specifically, the IoF wants clearer guidance on ‘opt in’ and ‘opt out’, as well as examples of how consent “can be used to process an individual's data fairly and lawfully”.

The statement adds, “Charities want to make sure they get this right and need clear guidance to be able to implement the legal requirements and give supporters the best experience of fundraising.”

The GDPR requires explicit consent to be given if data is to be used, and that consent must also be documented and provable. Consent may also be withdrawn by the owner of that data.

The GDPR is set to transform the European data protection landscape in a profound way. The regulation sets out concrete data protection policy for firms working within the EU. Any organisation that wants to do business within European borders will have to comply with a variety of regulations including disclosing data breaches and establishing data protection officer roles within firms.

Failure to do so will be painful for the non-compliant. The regulation threatens to take four percent of global revenue or 20 million euros, whichever is higher, from those who do not abide by the rules. Firms will be expected to comply by 25 May 2018.

The fact that the UK is set to leave the EU in 2019 doesn't matter. Information commissioner Elizabeth Denham has repeatedly urged UK firms to comply whether or not the UK is part of the EU.

Brexit or not, UK firms will be expected to comply. Denham told the House of Lords on 8 March that the ICO would be growing by 200 staff to help UK businesses bear the weight of the incoming regulation.

But charities are not the only ones wondering what's required of them in the run up to May 2018. A recent survey by the Direct Marketing Association showed that only 68 percent of respondents thought their companies would be compliant in time for May 2018.

An ICO survey conducted earlier in the year found that even local authorities have their work cut out for them when getting ready for the start date. The ICO found that many councils were still without some of the basic mechanisms, such as data protection training and data protection officers, that are required for compliance.

Fluskey told SC, “We think there could be some useful additions and clarifications to give greater clarity. The rules apply across all sectors – we aren't looking for special treatment for charities.”
