ICO Enforcement Against Charities: What Has Gone Wrong and What the Lessons Are
The ICO has made clear through its enforcement actions that charitable status does not confer immunity from data protection law. Charities have received monetary penalties, enforcement notices, and public reprimands for a range of data protection failures — from fundraising data misuse to inadequate security controls. Understanding the cases — what went wrong, why the ICO took action, and what could have prevented it — is the most direct route to avoiding the same outcome.
The ICO's first monetary penalties against charities, £25,000 for the RSPCA and £18,000 for the British Heart Foundation in December 2016, were followed in April 2017 by penalties against a further 11 charities, all for using donor data for wealth screening, data matching and data sharing without adequate consent.
Key ICO Enforcement Cases Involving UK Charities
Notable ICO enforcement cases involving charities include: the December 2016 monetary penalties against the RSPCA (£25,000) and the British Heart Foundation (£18,000), followed in April 2017 by penalties against a further 11 charities, for wealth screening of donors, matching donor records against other sources to obtain further details, and sharing donor data with other organisations without adequate consent, which prompted sector-wide reform of fundraising data practices; enforcement notices against charities for failing to respond to subject access requests within the statutory one-month period; reprimands issued to health charities for inadequate security measures on beneficiary case management systems (no multi-factor authentication, unencrypted data storage, and inadequate access controls); and an investigation into a mental health charity following a data breach caused by a former volunteer's retained system access.
What the ICO Considers in Charity Data Protection Investigations
ICO investigations into charities consider: whether the charity had documented and implemented appropriate technical and organisational measures proportionate to the risk; whether governance and oversight of data protection was adequate at trustee level; whether the charity reported the breach promptly and cooperated with the investigation; whether the charity had implemented prior ICO guidance relevant to the sector; and whether any harm occurred or was likely to occur to individuals as a result. Charities that can demonstrate proportionate controls, active trustee oversight, prompt reporting, and full cooperation typically receive more lenient treatment than those that demonstrate systemic governance failures. A documented, implemented data protection programme is the most effective risk mitigation against ICO enforcement.