Most charities have got to grips with and are respecting the General Data Protection Regulation, according to Gerald Oppenheim, chief executive of the Fundraising Regulator.
Speaking at the Westminster Social Policy Forum conference on the Future for Charity Fundraising in central London today, Oppenheim said he believed most charities were complying well with the GDPR, a stringent data protection law that came into force last year.
But a fellow speaker at the event warned that some charities might be struggling with the rules about cookies – small packets of data that websites leave on visitors’ computers to track their online behaviour – which are covered by separate legislation.
Oppenheim said many had been expecting to receive a lot of complaints about the use of data after the introduction of the GDPR.
"It’s a bit like Sherlock Holmes’s dog that didn’t bark in the night time," he said. "There is very little evidence that the GDPR is not being respected by charities."
Oppenheim said the regulator received the occasional complaint about charities that had continued contacting people despite being asked not to, but neither he nor the Information Commissioner’s Office were aware of systemic issues on the scale of those that led the ICO to fine 13 charities in 2016 and 2017 for misuse of data.
"Overall, charities have got to grips really well with the issues the GDPR presented and are managing their data and consent regimes pretty effectively," Oppenheim said.
But John Mitchison, director of policy and compliance at the Data and Marketing Association (formerly the Direct Marketing Association), who spoke later on at the same event, warned that many charities were not up to date on the rules about cookies.
Cookies are covered by the Privacy and Electronic Communications Regulations, and the ICO released guidance in July on how they should be used.
The guidance says that user consent is required for all cookies that are not necessary for the website to work, and analytics cookies, which allow websites to analyse how visitors are using them, do not count as necessary.
It also banned pre-ticked consent boxes and said websites could not prevent people from visiting them if they did not sign up to cookies.
But Gary Shipsey, managing director of the data protection consultancy Protecture, who was a delegate at the event, warned that there were also issues about whether charities had consent to process the data that was gathered by cookies, even if they had consent to plant the cookies themselves.
"There’s storm brewing, we can see its coming and we’ve got to take some steps to try and mitigate it," he said.