Hugh Radojev asks whether the fundraising community has built a constructive relationship with the Information Commissioner's Office.
Data protection has turned into a very key issue for fundraisers. Not only has the Information Commissioner's Office handed down fines to the sector's biggest names for breaching the Data Protection Act, but a new, stricter regime is coming - GDPR.
For much of the fundraising community, the initial reaction to this has been to go on the offensive, and try to claim that charities are being victimised. The results have not been good.
The Information Commissioner has had enough
I’ve personally heard from a number of sources now that the ICO as a whole and, perhaps more importantly, the Information Commissioner herself, has now effectively had enough of fundraisers.
The rot well and truly set in during the fractious Fundraising and Regulatory Compliance Conference held at the Manchester Town Hall on 21 February. Our sources say that, after being aggressively questioned throughout the day at the event, Elizabeth Denham was “shocked” and “angered” by the reception, and reportedly said she no longer wanted to attend any more sector specific events.
Other ICO staff present at the event were clearly disgruntled by the events of the day and the tone in conversation in the months since has clearly changed. The tone from the ICO press office has certainly hardened as well.
I wrote at the time, having been at the conference, that the ICO and the sector seemed further apart on key issues than ever before. I also wrote that, while robust debate was encouraged the “public airing of grievances from so many fundraisers – often met by rounds of applause from delegates – didn’t really paint the sector in a positive light”.
Biting the hand that feeds
The overriding feeling amongst the fundraisers at the time of the conference was that the ICO was unfairly singling the profession out. The ICO’s own datasets on complaints and concerns for 2015/16 prove that this is simply untrue.
In the 2015/16 financial year, the ICO handled 279 complaints, either self-reported or made by the public, that were charity-related. In the same time period, the ICO handled over 22,000 complaints in total. Enforcement action took place against 13 charities, for widespread data breaches over more than a decade.
The Information Commissioner personally intervened to lower fines made as part of enforcement action against charities. That is not something that was done for many, if any, other sectors which ran afoul of data protection legislation.
The prevailing notion that charities, and in particular fundraisers, have been ‘picked on’ by the ICO is still being advanced by plenty of quite high-profile consultants and fundraisers, who continue to subscribe to this notion.
The sector’s main issue with the ICO now has moved on to the data protection regulator’s supposed ‘lack of guidance’ around how charities can work towards being compliant with GDPR before 25 May 2018.
The ICO has so far this year put out two GDPR-related documents – one on consent and another on data profiling – for general consultation. While neither has yet been published, it’s worth remembering that not only was the ICO hamstrung by the recent snap election, but is also only one of 29 other organisations currently working out what the final GDPR legislation will look like on behalf of EU member states.
In Fundraising Magazine
The ICO certainly hasn’t handled all of its fundraising-related enforcement perfectly. Yet, by the same token, the sector has not acquitted itself in a particularly constructive or conciliatory manner thus far. In the end, the ICO does not make the rules, it only enforces them.
It might be worth fundraisers putting aside their grievances and working with the regulator in a more constructive way.