The Charity Commission and the Fundraising Regulator have warned charities that they should immediately cease the fundraising practices for which the RSPCA and the British Heart Foundation were fined by the Information Commissioner's Office last week.
The two bodies issued a joint regulatory alert on Friday after the ICO decided last week to issue financial penalties to the two charities for wealth screening and tele-matching without donors’ explicit consent.
The ICO fined the RSPCA £25,000 and the BHF £18,000 for carrying out wealth screening, in which the charities hired wealth management companies to analyse the financial status of supporters and estimate how much more money they could be persuaded to give, and tele-matching, where the external companies were used to track down additional pieces of donor data – for example, using an email address to track down a postal address.
Both charities were also part of the Reciprocate scheme, allowing them to share or swap personal data with other charities to get details of prospective donors.
The ICO said donors were unaware of these practices and thus could not consent or object.
The regulatory alert issued by the Charity Commission and the Fundraising Regulator reminded charities of their duty to comply with data protection law as well as charity law.
It called for the charities to "immediately cease any activity without explicit consent described and set out by the ICO... as being in breach of data protection law" in enforcement notices on the RSPCA and BHF cases.
David Holdsworth, chief operating officer and registrar at the Charity Commission, said: "Charities must learn the lessons from this week and do so quickly. Practices that some charities consider ‘common practice’ are in breach of the data protection requirements and should be ceased immediately.
"Charities are subject to the same legal requirements as all other organisations and must properly safeguard personal information according to the law."
He warned that charities breaching data protection legal obligations risked generating damaging public criticism about charity fundraising.
"Our expectation is that trustees have systems in place so that, at their charity, there is the right level of knowledge and awareness about the rules and that, crucially, they are adhered to," he said.
The alert said charities should review and assess their data collection, storage and use activities, including ensuring their fair processing statements were explicit, clear, transparent and highly visible, and should make sure their data governance systems were fit for purpose.
Where breaches had occurred, the alert said, charities should establish if they were required to notify the ICO and, if so, should also inform the commission using serious incident reporting and consider whether donors needed to be informed.
The commission should also be notified if the ICO opened an investigation, the alert said.
Stephen Dunmore, chief executive of the Fundraising Regulator, said the fines levied on the two charities should be a "wake-up call for the whole sector".
He said: "Charities must meet their legal obligations to ensure that they always have the proper consents in place for the use of personal data, both by purpose and communication channel.
"Achieving compliance with data protection law is now an urgent priority, if charities are to avoid further reputational risk and re-establish public and donor confidence in fundraising."