GDPR is not going to be the end of the world, says ICO

The regulator wants to reassure charities that it will not rush to issue huge fines immediately after the new rules come into force

After what seems like an eternity, the General Data Protection Regulation is finally coming into force on 25 May.

The new rules have significant implications for how organisations can process personal data and have caused great anxiety in the charity sector, with some fearing that they could lead to a dramatic fall in the number of people charities can contact for donations.

Organisations could also face fines of up to €20m (£17.6m) if they break the rules.

But the Information Commissioner’s Office has sought to reassure charities and other organisations that it will not rush to issue huge fines to small organisations at one minute past midnight on 25 May.

"The message we really want to get across is it’s not all about 25 May," a spokeswoman tells Third Sector. "It’s not Y2K and it’s not going to suddenly be the end of the world.

"We’re not out to get people and it’s not all about fines. Although it is enforced, we’re not going to go and start fining all the small organisations, which I think is the big worry charities have."


But the duty for charities to comply with the rules would not end on 25 May either, she warns. "People still need to keep taking steps to implement the responsibilities, long weeks, months and years after that," she says.

The spokeswoman says charities have been proactive in preparing for the arrival of the GDPR, adding that the dedicated charity sector advice page on the ICO website had been viewed 62,511 times between 1 January and 9 May this year. Its frequently-asked-questions page for charities had recorded 57,096 views over the same period, she says.

At the start of May, the ICO published the final version of its guidance on consent under the GDPR. The updated guidance is similar to the draft version published in March 2017, but includes more detailed explanations of some of the key concepts and more real-world examples.

But among the updates is a different position on whether organisations can continue to process data once someone has withdrawn their consent.

The original document said that if someone was to withdraw their consent "you will either need to stop the processing or identify another lawful basis and be able to justify why continued processing is fair". But the new version offers a stricter interpretation. "You are not able to swap to a different lawful basis for this processing," the new guidance says.

Elizabeth Denham, the Information Commissioner, says charities should continue to refer to the ICO website for advice. "There are lots of resources already on our website, such as our Guide to the GDPR, to help you to help yourselves," she says.
