Charity agrees to data undertaking – but why?
The British Red Cross has signed an undertaking committing the charity to best practice around its fundraising calls. Following press reports of charities’ allegedly aggressive fundraising techniques, the British Red Cross has acceded to demands of the Information Commissioner’s Office (ICO) to go beyond what is required under PECR, the Privacy and Electronic Communications Regulations, which set out the rules concerning what permissions people need to have given before an organisation can call them to market to them.
The ICO found that the British Red Cross had complied with the law, but nonetheless managed to convince the charity that it should agree to be bound by a higher duty.
The issue now facing the charity, which simply got caught up in a media frenzy surrounding other charities’ alleged non-compliance, is that if it falls short of best practice, whilst still complying with the law, it will be in breach of its undertaking. The issue now facing the ICO is what to do in such circumstances. It surely can’t take any action for breach of the undertaking when the charity continues to comply with the law but does not go above and beyond that duty?
I am often asked to advise clients who are put in this position. My view remains that non-compliant data controllers should be able to commit by way of undertaking to comply with the law – after all, that is what they are meant to be doing anyway; but I really do struggle to see why anyone should commit to a higher standard than is required, and especially in terms that any casual onlooker will fairly assume mean that it was not already complying with the law. The whole process has a somewhat surreal feel.