Bulk e-mail practices and data breaches: Could your Charity be at risk?

Mailing lists are an integral part of the marketing strategy of most charities, both for keeping in touch with supporters and as part of any campaign or fundraiser. Whilst bulk e-mailing can seem like an efficient use of resource to get your message out, it still needs to be compliant with data protection legislation.

Earlier this week, the ICO issued a fine to a Scottish charity for breaches of the UK GDPR following the accidental disclosure of its entire mailing list. Moreover, given that the e-mails concerned sensitive health conditions, it was held that disclosing the recipients' e-mail addresses could have allowed those on the list to infer the health conditions of the others. As a result, the charity was issued with a £10,000 fine.

How could I prevent this for my charity?

Trustees of charities have a duty to safeguard donations and fundraised money, and therefore monetary penalties, such as these, certainly raise questions around governance and practice (including whether such an event would be a notifiable event for the purposes of OSCR).

In this particular case, the ICO's investigation concluded that the root cause was a lack of staff training and inadequate data protection policies. The ICO have been urging other organisations to review their bulk e-mailing practices this week in light of these findings. Indeed, one of the aggravating factors in this case was that the ICO had previously taken action against other organisations for similar breaches, and it therefore took the view that the risk associated with such disclosures was already well reported in the media.

So what are the learnings from this case?

Here are a few ways you could protect your organisation, following on from the ICO's report:

  • Data Protection Policy: a robust data protection policy is a necessity for any organisation which handles personal data and, in particular, special category personal data (i.e. information about health conditions and protected characteristics such as race, disability and gender). It is important that your Data Protection Policy is not merely generic but sector specific. Every organisation faces a different level of data protection risk, so your policy should identify your own areas of risk and resolve them with practical measures. For example, if your charity supports vulnerable members of the public, what additional measures (such as technical security controls) should you have in place to protect their data?
  • Staff Training: the key to a solid data protection regime is a well-trained workforce. The ICO's investigation found that the charity's breach resulted from misuse of the 'carbon copy' feature. Staff must be trained to place the members of any mailing list in the 'blind carbon copy' (Bcc) field of your e-mail platform. The 'carbon copy' (Cc) field should only be used for addresses you are permitted to reveal to the whole mailing list, such as a relevant colleague or contact within your organisation. As a rule, put your own e-mail address in the 'To' field. Recipients will then see only the addresses in the 'To' and 'Cc' fields; everyone in Bcc remains hidden from the others. Note that the Bcc approach still relies on a person getting it right every time; a mailing platform or mail-merge tool that sends a separate message to each subscriber removes the opportunity for this mistake altogether. Staff training with concrete examples and interactive learning will help your workforce keep subscribers' personal data safe.
  • And for when the unexpected happens: have personal data breach procedures in place to guide the steps your organisation may need to take, including assessing whether the breach must be reported to the ICO.
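The Cc/Bcc guidance above can also be enforced mechanically rather than left to memory. The following is an added example, not code from the original article or from the charity involved: it composes a list mailing the way the article recommends (own address in To, any colleagues in Cc, subscribers in Bcc) and adds a pre-send check that refuses to send if any address outside the organisation's own domain would be visible to every recipient. The sender address, domain and three subscriber addresses are constructed sample data, and the domain-based notion of "internal" is an assumption you would adapt to your own set-up.

```python
"""Guard against the Cc/Bcc mistake described above.

Compose a bulk message with subscribers in Bcc and the sender's own address
in To, then refuse to send any message whose visible headers (To and Cc)
would expose addresses outside the organisation. All addresses below are
constructed sample data; the domain-based "internal" test is an assumption.
"""
from email.message import EmailMessage
from email.utils import getaddresses

SENDER = "newsletter@example-charity.org"   # constructed
INTERNAL_DOMAIN = "example-charity.org"      # constructed
MAILING_LIST = [                             # constructed sample list
    "alice@example.com",
    "bob@example.net",
    "carol@example.org",
]


def build_bulk_message(sender, subscribers, subject, body, cc=()):
    """Compose a list mailing the way the article recommends:
    own address in To, colleagues (if any) in Cc, subscribers in Bcc."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = sender
    if cc:
        msg["Cc"] = ", ".join(cc)
    if subscribers:
        msg["Bcc"] = ", ".join(subscribers)
    msg["Subject"] = subject
    msg.set_content(body)
    return msg


def _addresses(msg, header):
    """All addresses found in every instance of `header`, lower-cased."""
    values = [str(v) for v in msg.get_all(header, [])]
    return [addr.lower() for _, addr in getaddresses(values) if addr]


def visible_external_recipients(msg, internal_domain):
    """Addresses every recipient will see (To + Cc) that lie outside the
    sender's own domain, i.e. exactly what a Cc mistake would disclose."""
    internal = internal_domain.lower()
    return [a for a in _addresses(msg, "To") + _addresses(msg, "Cc")
            if a.rsplit("@", 1)[-1] != internal]


def envelope_recipients(msg):
    """Everyone the message is actually delivered to. smtplib.send_message()
    derives its envelope the same way and strips the Bcc header before
    transmission, so Bcc members never see one another."""
    return (_addresses(msg, "To") + _addresses(msg, "Cc")
            + _addresses(msg, "Bcc"))


def check_before_send(msg, internal_domain, max_visible_external=0):
    """Pre-send gate: raise if more external addresses are visible than policy
    allows. Returns the list of visible external addresses (normally [])."""
    leaks = visible_external_recipients(msg, internal_domain)
    if len(leaks) > max_visible_external:
        raise ValueError(
            f"refusing to send: {len(leaks)} external address(es) exposed in "
            f"To/Cc ({', '.join(leaks)}); move them to Bcc")
    return leaks


if __name__ == "__main__":
    good = build_bulk_message(SENDER, MAILING_LIST, "Newsletter", "Hello all")
    print("delivered to:", envelope_recipients(good))
    print("visible external addresses:", check_before_send(good, INTERNAL_DOMAIN))

    # The mistake the ICO investigation found: the whole list pasted into Cc.
    bad = build_bulk_message(SENDER, [], "Newsletter", "Hello all",
                             cc=MAILING_LIST)
    try:
        check_before_send(bad, INTERNAL_DOMAIN)
    except ValueError as err:
        print(err)
```

Run the file directly to see the compliant message pass and the Cc version be rejected. In a real pipeline the call to check_before_send sits immediately before smtplib.send_message, so a list mailing cannot leave the organisation with subscriber addresses in the visible headers; the threshold argument exists only so that a deliberately cc'd external contact can be permitted case by case.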

How can we help?

Our dedicated Data Protection & Cyber Security team are here to assist you with data compliance. We can draft a Data Protection Policy tailored to your organisation's needs while also ensuring compliance with the relevant rules and legislation. Our team can also provide training to your workforce to ensure that your policies are put into practice.

If you have any queries in relation to Data Protection compliance, whether in the EU or the UK, please get in touch with a member of our specialist Data Protection & Cyber Security team.

This article was co-written by Jamie McGowan, Trainee Solicitor.
