Fri 29 Oct 2021

Bulk e-mail practices and data breaches: Could your charity be at risk?

Mailing lists are an integral part of any marketing strategy for most charities – for both keeping in touch with your supporters and as part of any campaign or fundraiser. Whilst bulk e-mailing can sometimes seem like an efficient use of resource to get your message out there, it does need to be compliant with data protection legislation.

Earlier this week, the ICO issued a fine to a Scottish charity for breaches of the UK GDPR due to their accidental disclosure of their entire mailing list. Moreover, given that the e-mails contained information about sensitive health conditions, it was held that the disclosure of the e-mails could have led to an assumption about the health conditions of those on the mailing list. As a result, the charity was issued with a £10,000 fine.

How could I prevent this from happening to my charity?

Trustees of charities have a duty to safeguard donations and fundraised money, and therefore monetary penalties, such as these, certainly raise questions around governance and practice (including whether such an event would be a notifiable event for the purposes of OSCR).

In this particular case, the ICO undertook an investigation which concluded that the issue was a lack of staff training and inadequate data protection policies. This week, the ICO has been urging other organisations to review their bulk e-mailing practices in light of their findings, and indeed one of the aggregating factors in this case was the fact the ICO had previously taken action against other organisations for similar breaches and therefore took the view that the risk associated with such disclosures has been well reported in the media.

What can we learn from this case?

Here are a few ways you could protect your organisation following from their report:

Data Protection Policy

A robust data protection policy is a necessity for any organisation which deals with personal data and special category personal data (i.e. information about health conditions and protected characteristics such race, disability and gender). It is important to ensure that your Data Protection Policy is also not just generic, but sector specific. Every organisation encounters various levels of risk with data protection, so it is important to make sure that your policy identifies the appropriate areas of risk and resolves them with practical solutions e.g. for example, your charity may support vulnerable sectors of the public – so what additional measures (such as security) should you have in place to protect those data?

Staff Training

The key to a solid data protection regime is a well-trained workforce. In the ICO’s investigation, it was found that the charity’s breach was a result of a misuse of the ‘carbon copy’ feature. Staff must be trained to ensure that members of any mailing list are listed in the ‘blind carbon copy’ (Bcc) field of your e-mail platform. In terms of proper practice, the ‘carbon copy’ (Cc) field is generally only used for those e-mail addresses which you are allowed to reveal to your mailing list, such as those of a relevant colleague or contact within your organisation. As a rule, it is customary to put your own e-mail address in the ‘To’ field. This means that the recipients of the e-mail will only see the e-mails in the ‘To’ and ‘Cc’ fields; the rest of the recipients will be hidden. Staff training with concrete examples and interactive learning will assist your workforce to keep the personal data of subscribers safe.

When the unexpected happens

You should have personal data breach procedures in place to assist you in implementing the steps your organisation may need to take.

How can we help?

Our dedicated Data Protection & Cyber Security team can assist you with data compliance. We can draft a Data Protection Policy that is tailored to your organisation's needs, meanwhile also ensuring optimal compliance with the relevant rules and legislation. Our team is also able to provide training to your workforce to ensure that your policies are put into action.

If you have any queries in relation to Data Protection compliance, whether from the EU or the UK, please get in touch with a member of our specialist Data Protection & Cyber Security team.

Make an Enquiry

From our offices we serve the whole of Scotland, as well as clients around the world with interests in Scotland. Please complete the form below, and a member of our team will be in touch shortly.

Morton Fraser MacRoberts LLP will use the information you provide to contact you about your inquiry. The information is confidential. For more information on our privacy practices please see our Privacy Notice