First Charity GDPR Fine – 5 Lessons to Learn

It is just over three years since the GDPR came fully into force. Since then, we’ve had only four fines – three for large corporates (British Airways, Marriott and Ticketmaster) and one to an SME (Doorstep).

We now have the first fine issued to a relatively small-scale charity.

As always, the penalty notice provides a fascinating insight into the ICO’s thinking and offers all organisations key lessons to learn.


  1. Size isn’t important – who you are and what you do with the data are key

Compared to the other fines, the numbers involved here are tiny.

The charity had just under £1m income in March 2020; there were 780 pages of emails visible online, affecting 550 people.

Of those, less than 5% (24) had more sensitive details disclosed via the emails; 15 of these 24 had outright Special Category Personal Data disclosed and less than 1% (4) related to children under 13. There were only six complaints.

The critical issue is the sensitive nature of the services the charity provided and the environment in which it operated.

  • The term “sensitive data in context” is used by the ICO several times to highlight that basic data (names, email addresses, job titles, employer’s name) held in relation to general discussions (around fundraising; arranging attendance at conferences and advice on anti-bullying) can, when connected to a transgender charity, enable very sensitive information to be inferred about someone.
  • “If someone had accessed the email group online there would have been sufficient available identifying data to potentially “out” the data subject, removing any choice and infringing their privacy.”
  • “Due to the nature of the services offered by the Mermaids charity…[the ICO] expected them to ensure stringent safeguards were in place to protect service users and their personal data.”

At a number of key points the GDPR requires organisations to consider the “nature, scope, context and purposes” of processing to assess data protection risk. Account should be taken of the wider environment you operate within when assessing how your handling of personal data could pose risks to people.

In this case, the ICO considered the following issues when assessing the potential harm that may be caused to those people affected:

  • The general sensitivity and controversy around the topic of gender incongruence; the ICO considered “that the likely increased vulnerability of a data subject in turn increases the risk of damage or distress being caused to the data subject” by any breach – which in this case revealed that people were seeking information and/or support about gender incongruence.
  • The fact that the Government ran a consultation on reform of the Gender Recognition Act in 2018 “which generated widespread public interest in and debate about gender incongruence” which “should have prompted Mermaids to re-visit their policies and procedures to ensure appropriate measures were in place to protect individuals’ privacy rights”.

Do you consider how (i) the environment in which you operate and (ii) any changes to it over time affect the sensitivity of the data you handle, the threats you face and the risks your data handling poses to people?

Have you reviewed your approach to data protection to ensure it is still fit for purpose and appropriate to the environment in which you operate?


  2. Whether you cause actual (provable) harm is not the issue

You will not escape enforcement action simply because a limited number of people had unauthorised access to personal data.

In this case, the ICO did not need to establish whether anyone other than a single person, a journalist at the Sunday Times, had accessed the personal data.

The ICO was at pains to highlight that the “nature and gravity” of the breach was “unaffected by the unanswered questions as to whether the journalist…stumbled across the data by accident” or the “extent to which any other third party or parties access the data”.

The fact that anyone could have accessed such sensitive data (or could infer such sensitive information) in relation to over 500 people, and that appropriate controls were not in place, is sufficient to demonstrate a lack of compliance with information security requirements.


  3. The cost of non-compliance is more than a fine

The fine was £25,000. The ICO is not out to take organisations down; they sought to ensure the charity was “able to maintain effective provisions for service users” and that the fine did not fully take “away donations made by the public”.

However, the fine is not the only cost. The ICO highlights that:

  • Mermaids employed solicitors and data protection consultants to review the incident.
  • It instructed a specialist media law firm.
  • The solicitors had to engage with Google to remove archived versions of the data.
  • The lawyers worked with staff to review records and consult with complainants.
  • An information technology auditor reviewed the incident.
  • Further security assessments were conducted.
  • There was further data protection training and policy updates.

Plus, there is the cost of staff, volunteer and Trustee time redirected to addressing the breach.

The point being: a significant breach will cause unplanned costs that need to be met. And these will happen regardless of whether you’re fined by the ICO.

It’s far better to plan ahead: to routinely identify threats, assess risks and identify possible solutions; to document the extent to which the solutions will address the threats and protect privacy, and establish whether and why the potential costs are proportionate.

When allocating budgets for data protection and IT, do you assess whether the cost of a proposed technical and organisational measure is appropriate for your organisation? Do you factor in the impact on people’s privacy, as well as the broader (unplanned) financial impact of what a breach could mean?


  4. Rapid expansion is no defence for failing to address data protection

Mermaids’ income grew significantly, from £317k in 2018 to £902k just two years later.

The ICO noted that “since 2016, Mermaids has raised its profile and in recent years it…received funding from various sources, including from the National Lottery, Children in Need and the Government. These factors have contributed to an increase in the public attention which Mermaids receives and the good standing from which it has benefited”.

Yet increased income and profile bring heightened expectations: the ICO was clear that by May 2018 Mermaids “was a well-established significant charity and should have implemented appropriate measures to ensure that personal data was safeguarded” but that “there was a negligent approach towards data protection.”


Has your approach to data protection and information security kept pace with your expansion and/or any changes in how you operate?


  5. Training

We know training is important. The GDPR requires it. Organisations have to “…take steps to ensure that any…person acting under [their authority]…who has access to personal data does not [do anything with the data] except on instructions from the controller…”

But Mermaids had mandatory training. The issue with all training is: does it ensure staff know what is required and expected of them? And do staff in key roles know what to do with regard to personal data?

The ICO notes that, because “the ongoing contraventions were not identified by anyone at Mermaids”, the training must have been “inadequate and / or ineffective”.

Beyond having mandatory training, do staff in key roles – in relation to IT security; administration of databases; data sharing; Senior Management / Boards / Trustees – have the data protection knowledge to guide the organisation?

