“The latest fine issued by the ICO office to transgender charity Mermaids for failing to keep the personal data of its users secure yet again highlights the importance of regulatory compliance and the need for it to be reviewed thoroughly, rather than taking the easy option of using template documents and a privacy policy on a website.
“A proper audit of this charity would have revealed not only the data that was no longer in use but also reminded the charity that they still had the data. This is despite the fact that the service had been discontinued some time ago. The audit would have revealed not only the existence of the data but also the risk that its continued storage posed. Clearly this data was sensitive and contained information that the GDPR classifies as special category data. We have always recommended that the storage of such data should be avoided where possible. However, if this cannot be avoided, then the data should be encrypted, or deleted if it is no longer required or a legal basis for retaining it no longer exists.
“Donors give money to the charity to help other people that need its help, not for that money then to be given to the ICO. Incidents like this can have a serious effect on the charity’s fundraising as well as shatter confidence in the charity itself.
“The ICO report has confirmed that Mermaids has now improved its data protection practices. This is all too common, and we hear it all the time. The businesses we do not hear about are those that have put their house in order and therefore problems like this are avoided. Preparation is better than firefighting. We concede that GDPR can be daunting, but it needn’t be.
“An audit at the start of the process, which would have cost around £4000, would have been a fraction of the price and avoided the loss of time in addressing the problem: a far more cost-effective route than the £25,000 the charity now needs to pay, plus the time to deal with the issue.”