In early Autumn the Information Commissioner’s Office (ICO) revealed ‘areas for improvement’ in incident reporting, consent and data sharing and monitoring and reporting risk following data protection audits it conducted with eight charities.
Eight unnamed charities took part in voluntary information risk reviews between December and February this year. The ICO has also incorporated the findings from 25 ‘advisory visits’ to smaller charities in its review.
The eight charities agreed to let the ICO audit their practices around data protection and direct marketing, to show that the ICO’s engagement with charities “is not just about fines and enforcement, but to encourage genuine, ongoing improvements in the wider sector”.
The review was completed under the previous Data Protection Act 2018 but has been updated to include GDPR recommendations, making it a helpful guide for charities still getting to grips with the new regulations.
The report identifies areas of good practice along with areas for improvement at the charities reviewed.
Areas of good practice
The review highlighted areas of good practice, which included that “all charities had clear governance structures in place with delegated responsibility from the board down”. It found that most charities had moved to an opt-in approach to consent for marketing. Of these, “most were also using opt-in for postal marketing with the rest relying on legitimate interests for postal marketing. Consent was granular, providing separate check-boxes for each type of communication, i.e. phone, email, SMS”.
Areas for improvement
The report also outlined several areas for improvement. It said that the majority of charities visited “did not undertake any routine data protection or direct marketing policy compliance checks” and “compliance checks on data processors were also inconsistent with only three carrying out routine checks”.
The research also revealed only two of the charities had a “consistent and co-ordinated approach to fair processing notices” and most did not have any form of sign-off process, meaning they varied in both content and quality.
It said that although there was mostly good awareness among staff of how to report an incident, “most charities visited did not have documented reporting procedures in place”.
It also found that the majority of charities visited were retaining personal data for far longer than was necessary, in some cases indefinitely, and that some charities’ IT systems did not allow for permanent deletion of records.
Training was also an area of concern, with the majority of charities failing to provide any annual refresher training. Additionally, the ICO found that staff and volunteers at the audited charities did not receive any data protection training before being allowed to access or process personal data.
What charities can learn from the report
Charities should look at the findings of the ICO’s report and consider whether they adhere to the ‘areas of good practice’ it identifies. They should also take on board the ‘areas for improvement’ and consider whether any of them apply to their own organisation’s current data protection policies and procedures.
To read the full ICO report please click here.