The Information Commissioner’s Office has dismissed claims that it has been too slow in issuing guidance for the EU General Data Protection Regulation (GDPR) despite the RNLI being forced to rethink elements of its opt-in only regime which have been blown out of the water by the regulator’s more restrictive approach.
Speaking at a charity event in London, ICO group manager for compliance Richard Marbrow said: “When people are asking for clarity, what they often mean is ‘I don’t like that answer; give me a better one’.”
Over the past week there have been countless new stories exposing UK businesses’ lack of both awareness and preparedness over GDPR but the RNLI, which actually worked with the ICO to draw up its privacy strategy, regrets starting so early.
Some 18 months ago, Leesa Harwood, director of fundraising at the charity, said in a statement: “The RNLI is making this change because we believe it’s the right thing to do. We’ve always prided ourselves on our ethical approach to fundraising and the RNLI has been investigating how to reduce its reliance on direct marketing since late last year.”
But speaking at a GDPR briefing organised by Civil Society Media, RNLI head of fundraising strategy Tim Willett said the organisation made some decisions regarding opt-in that it may now have to “unpick”.
The issue was first highlighted by the DMA which pointed out that the privacy statement the RNLI used does not meet the overly strict interpretation the ICO is now proposing, claiming that the financial impact could be “catastrophic”.
Willett said: “We don’t know all the answers about GDPR, we went early on consent, got that out of the way, but there’s a lot of work still to do on GDPR. Actually if you’re doing it all at once, there’s real benefits to that. We’re having to unpick stuff we’ve already done on opt-in because of what we’re now doing around GDPR.”
He said in hindsight, the charity perhaps would have done things differently.
“The ICO and Fundraising Regulator advice on GDPR came out a bit too late for us. We’d already made all of our decisions by then, which is a problem for us,” said Willett. “If I’m being reflective, looking back with a bit of hindsight, we probably tied a couple of big rocks around our ankles that perhaps we wouldn’t have done if we’d known what the guidance was going to be at the time.
“There are things we’ve done that we now need to revisit, and say actually ‘well, we guessed at that. We don’t even know if that’s going to be compliant come next year.’ So we’re going to have to start looking at some of that.”