Charities learning GDPR lessons the hard way

A delivery firm in Portsmouth has stated that charities are losing donation money because of ongoing confusion over the implementation of the EU’s new data laws.

The firm, which counts a number of charities among its clients, has revealed that the GDPR, which came into being at the start of the summer, is being incorrectly interpreted by many in the charity sector.

In what appears to be a rushed application of the rules, organisations have been contacting all database members to ask for explicit and active opt-in to charity mailing lists.

Under the GDPR, charities are not required to request re-opt-in, and can instead rely upon legitimate interests to validate their data processing activity. As stated by the Information Commissioner’s Office – the UK regulator for GDPR – this kind of processing “is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.”

Warnings not heeded

The revelations follow prescient comments made back in May by Ian MacQuillin, director of the fundraising think tank, Rogare, who spoke of an anticipated “drop in donations…not because of what’s in the GDPR, but because of the way that charities have badly interpreted and run with the legislation.”

“This is something this sector does…Rushes into things without being in full possession of the facts, then presents what it has done as the right thing to do,” MacQuillin added.

Six lawful grounds for data processing

As detailed by the ICO, companies must be able to satisfy at least one of six requirements needed for data processing to be lawful under the GDPR:

  • Consent: the individual has given clear consent for you to process their personal data for a specific purpose.
  • Contract: the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
  • Legal obligation: the processing is necessary for you to comply with the law (not including contractual obligations).
  • Vital interests: the processing is necessary to protect someone’s life.
  • Public task: the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
  • Legitimate interests: the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests. (This cannot apply if you are a public authority processing data to perform your official tasks.)

Understand GDPR in action

While business leaders have been aware of new obligations the GDPR puts on all organisations regarding data processing and security within the EU, we are still getting to grips with the new laws as they play out within the global community.

Data Protection World Forum is an exclusive two-day conference coming to Excel London on 20th and 21st November 2018, dedicated to bringing clarity on these vital issues. The event is designed for business owners, executives and IT professionals seeking to develop understanding of their roles and responsibilities in the new regulatory landscape.

Experts from every industry will delve into the topics that matter, including: data protection by design and default; data protection as a fundamental right; subject access requests; data protection impact assessments, rights of the data subject and many more.

Besides tackling critical issues of cyber threats and ransomware, speakers will highlight ways in which bosses can compliantly harness technologies such as Internet of Things (IoT), blockchain, AI and much more.

Speakers include

Mr Ventsislav Karadjov, Chairman of the Commission for Personal Data Protection and Bulgarian Commission for Personal Data Protection

Since 2006 Wojciech Wiewiórowski has been working for public administration. In 2010 he was elected by Polish Parliament to the post of the Inspector General for the Protection of Personal Data (Polish Data Protection Commissioner) to which he was re-elected for the second term in 2014.

Mr Karadjov was vice chairman of the Working Party Art. 29 from February until November 2014 and is author of numerous studies, publications and lectures in the field of personal data protection, IT law, e-government and legal informatics.

Steve Wright, Data Privacy & Information Security Officer at John Lewis

Steve is responsible for both information security and data privacy at John Lewis, both of which enable the partnership to protect the personal data of customers and partners, to be compliant with data protection laws and regulations, and to provide trust and transparency, resulting in greater brand experiences across digital, mobile and ecommerce channels.

Having once served as a CISO, and held senior roles at Unilever, Deloitte, PwC, Siemens and Capita, Steve has a full appreciation of what is required to get the job done in a cost-effective, pragmatic and timely fashion.

Steve is passionate about big data and all things digital, with more than 20 years’ experience designing, developing, managing and delivering transformational data, governance, privacy and security programmes.

Rowena Fell, Global and EMEIA Risk Assurance Operations Leader at Ernst & Young LLP

Rowena is a business executive currently employed in a Chief Operations Officer role, responsible for driving and coordinating Leadership strategy execution work streams and influencing senior leaders to achieve the right outcomes.

Rowena advises senior executives on a broad range of complex strategy related topics and has a high level of autonomy to assess situations, identify issues and recommend solutions.

A Board-Certified Protection Professional (CPP), Rowena has been awarded a Master’s degree with distinction in Security and Intelligence Studies and is a Fellow of the Security Institute.

Other speakers include

  • Chris Combemale, CEO at DMA
  • Andrew Gould, Detective Superintendent and National Cybercrime Programme Lead
  • Andy Wall, Chief Security Officer at Office for National Statistics
  • Suzanne Dibble, multi-award-winning business lawyer

Free exhibition passes now available for a limited time

We have 200 free passes now available until 12th October, granting the holder entry into our Exhibition Area at Data Protection World Forum.

The Exhibition Area includes access to the following conference theatres:

  • ISF Pavilion Cyber Security & Risk Management
  • OneTrust Marketing & Advertising Theatre
  • TrustArc / BigID GDPR Refresh Theatre
  • Speakers Corner in association with Cyber Talks

To redeem your free pass, simply use the code “FREEPASS” on the DPWF website.
