Gerald Oppenheim, head of policy at the Fundraising Regulator, has said GDPR would likely necessitate “50 or 60 changes to the Code of Fundraising Practice”.
He was speaking at the Institute of Fundraising’s Convention today when he said that changes will need to be made to the Code of Fundraising Practice to reflect requirements under the General Data Protection Regulation, which comes into force in May 2018.
Oppenheim said that the Fundraising Regulator is waiting on the ICO to publish its guidance around processing personal data through consent and legitimate interests before updating the Code of Fundraising Practice to reflect these.
He did say, however, that changing the Code to reflect GDPR was going to be a lot of work for the regulator.
Oppenheim also used a part of the session to criticise elements of the Telegraph’s Fundraising Preference Story published this morning.
In particular, he described the article’s suggestion that breaches of the Fundraising Preference Service could lead to a £25,000 fine as “embroidery” and urged fundraisers to read the piece “with care”.
The FPS will launch to the public this Thursday - 6 July.
Charities will have to demonstrate compliance to ICO under GDPR
Meanwhile a data protection lawyer told delegates that charities will need to be able to demonstrate compliance to the ICO under GDPR, or face the prospect of further fines.
Speaking at the Institute of Fundraising convention this morning, Penny Bygrave, senior associate and a data protection expert at Bircham Dyson Bell, said that under GDPR organisations processing data will need to demonstrate compliance to the Information Commissioner’s Office as opposed to the other way around.
Bygrave said that under GDPR “it’s not enough to be compliant” as the onus will be placed on organisations to be able to demonstrate “appropriate policy procedures”.
“The big change now is the concept of accountability and transparency. It’s not enough to be compliant, if the ICO is concerned about what you’re doing with personal data they will come and they will ask you to demonstrate your procedures.
“The ICO will come and they will ask you to prove that you’re compliant, whereas at the moment they might just question what you’re doing and it’s really for them to prove that you’re not compliant.
“If you cannot demonstrate compliance by way of appropriate policy procedures, then that in and of itself could mean you would face a further fine. This is new and something to really be aware of.”
Bygrave reiterated that this would be the case starting on 25 May 2018, when GDPR comes into force.
She also touched on the issue of lawfully processing data under consent, and said that under GDPR any “confusion” is going to be “determined on the side of the individual”.
“Any confusion there may be about whether you did or did not have consent is going to be determined on the side of the individual. If there is doubt about whether you have consent then the old ways of being able to justify what you’ve done historically are going to go.”