Charities and other organisations will not be given fully comprehensive guidance telling them what to do in every scenario under the General Data Protection Regulation, according to John Mitchison of the Direct Marketing Association.
Mitchison, who is head of preference services, compliance and legal at the DMA, told delegates at a Westminster Social Policy Forum seminar on charity fundraising yesterday that, in the absence of definitive answers, charities would have to make their own decisions about how best to do things in a compliant way.
But he added that the open nature of the legislation, which will impose higher data-protection standards on all organisations and is due to come into force in May 2018, could prove to be a positive for charities and other organisations.
"I think we’re lucky that the GDPR is a principles-based regulation and is not prescriptive" he said.
"So if you’re a glass-half-empty person, you might take this to mean you’re never going to have all the answers. There are just too many variations on what people do to have a prescriptive rule on what to do in every situation.
"If you’re more of a glass-half-full person, you’ll see this as giving you flexibility: you make the judgements yourself on how to do it and the way you do it is through the process of accountability."
Mitchison said accountability was embedded in the GDPR in a way that meant it was not enough for organisations simply to comply – they also had to demonstrate that they were complying.
To do this, he said, organisations would need to put in place technical, organisational measures, as well as training programmes, policies and audits, to ensure they had got the evidence there to justify what they had done if anybody came asking.
He said: "Ultimately, you take into consideration the legislation but, because there’s going to be no definitive answers, you have to make a business-risk choice about how you’re going to go. If you can ensure you’ve got an accountability process in place, the chances are you’re going to be doing all right."
But if organisations viewed the GDPR as a burden to be dealt with until they could carry on treating data in the same way as they had before, they were really not making the best of the situation, said Mitchison.
And he warned that the GDPR was a big deal for everyone within organisations that handled any sort of data, not just those in marketing or fundraising.
But he added: "It might be a big change, but I don’t think it’s the apocalyptic disaster that a number of GDPR consultants who have conveniently appeared out of the woodwork would have us believe."
Rowenna Fielding, data protection lead at the consultancy Protecture, warned that charities should want to comply with the legislation even if they felt they could get away with a lower standard of behaviour. She pointed out that charities would not consider using child slavery, even if it were legal or poorly regulated, because they would feel they had a moral obligation not to – similarly, she argued, that moral standard should be applied to how data was treated.
"Character is who we are when nobody’s watching, and for 10 years the Information Commissioner’s Office has not really been watching," Fielding said. "It’s been under-resourced and understaffed, and it has had too much work to do.
"But we’re supposed to be the good guys, the ethical ones that people look up to to do things right."