An emerging theme in data protection is the combined working of regulators. We reported recently on the steps the Information Commissioner's Office (ICO) and the Financial Conduct Agency (FCA) are taking to effect combined regulatory action, and now news has emerged that the Fundraising Regulator has referred 59 charities to the ICO for apparent failure to act on requests (administered by the Regulator) by members of the public not to be contacted by email, telephone, post or text. The charities are, it is believed, primarily small ones, although there are understood to be two national organisations included in the list.
In 2016 and 2017, the ICO served a total of thirteen charities with monetary penalty notices under the now-repealed Data Protection Act 1998. The penalties were primarily for conducting what is known as "wealth screening" without the data subjects' knowledge and then targeting them with fundraising requests. The ICO investigations at the time were prompted in part by media coverage highlighting allegedly over-forceful and persistent fundraising practice by some charities.
The Fundraising Regulator succeeded the Fundraising Standards Board in July 2016, and was set up partly as a result of recommendations from the 2015 cross-party review of fundraising regulation chaired by Sir Stuart Etherington. It publishes a set of standards for fundraising, contained in the Code of Fundraising Practice. The Fundraising Regulator has no statutory powers, and nor does the Code have statutory status, but the former does have a Memorandum of Understanding with the ICO, as well as with the Charity Commission and the Gambling Commission. Although the MOU is from 2016 – and thus references the 1998 Data Protection Act – it does make clear that the Fundraising Regulator will "alert the [ICO] to any relevant breaches [and] provide relevant supporting information and intelligence".
The ICO's powers have, of course, increased since the 2016 and 2017 monetary penalties – the highest of the thirteen penalties then was £25,000 (imposed on the RSPCA). At the time, the maximum penalty was £500,000, but under GDPR it is the higher of €20m or 4% of global annual turnover. Although it is highly unlikely that the ICO would countenance imposing such a huge penalty on a charity, it is worth noting that the penalties imposed in 2016 and 2017 were reduced by a factor of ten, at the Commissioner's own instigation, because she felt that donors to charities shouldn't be penalised for the charities' infringements. However, it was emphasised at the time that "this should not be taken as an indication that [she would] always reduce a penalty in such circumstances".
If they haven't done so already, those charities who have been referred to the ICO by the Fundraising Regulator would be wise to seek advice on their liability to a penalty. And all other charities – at least those who solicit donations directly from individual members of the public – should take urgent steps to comply with the Fundraising Regulator's Code, and the expectations under that Code that they will act promptly on requests by members of the public not to be contacted.
Mishcon de Reya's data protection and regulatory lawyers have extensive and proven experience in assisting organisations subject to regulatory investigations.