A leading South West expert in data protection is highlighting the pitfalls of data protection, following 11 charities being fined by the UK’s data watchdog.

The Information Commissioner’s Office has issued fines to high profile charities including Cancer Research UK, The Royal British Legion and Oxfam. The offences included piecing together data from various sources and trading personal details to target new and lapsed donors.

The International Fund for Animal Welfare received the highest fine of the 11 charities, at £18,000, after being found to have shared over 5 million donor records with other charities. This follows similar fines for serious data protection breaches issued to RSPCA and British Heart Foundation last December.

Jowanna Conboye, a solicitor from Stephens Scown LLP is an expert in data protection law. She said: “These are serious data protection breaches, including so-called ‘wealth screening’ where charities give donor data to an external processing company, who then identify the wealthiest donors for targeted marketing.

“Some of the charities also undertook ‘data matching’, where they combined data from past supporters with other publicly available  information, and in some cases used third party companies to data mine to get new phone numbers and updated addresses.

“Other offences included pooling information held on donors with information provided by other charities to build more in-depth profiles and to add extra donors to their marketing lists without telling the donors or asking for their consent. Many of the charities fined were not able to tell the ICO how many times donor records had been shared nor identify the eventual recipient of the data.”

The law around data protection will undergo a major upheaval next year when the General Data Protection Regulation 2016 (GDPR) comes into force on 25 May 2018. The new law will bring in tighter regulations and much bigger fines.

Jowanna adds: “The GDPR has even stricter rules on consent to use of data for profiling and marketing and we are likely to see much higher fines for those charities that don’t have their house in order.

“Prudent organisations – both charities and businesses – should start to audit their use of supporter and customer data now to make sure they are not carrying out any of these banned activities and to prepare for the tighter rules that are coming in 2018. The current maximum fine the ICO can issue for data protection breaches is £500,000. Under the GDPR, this will increase to €20 million or 4% of worldwide turnover, whichever is higher.”

As a result of the fines announced today, the Charity Commission has announced it is launching investigations into each of the fined charities to review their compliance with their ongoing duties under charity law. The ICO, Charity Commission and the Fundraising Regulator are currently working together to both monitor and assist charities in getting their data protection compliance right.