January 2018 welcomes the Kingston Smith and IBB Solicitors annual charities update to bring you up to speed with the legal and regulatory developments in the Charity Sector.
For advice on developments in the Charity Sector please see:
https://www.ibblaw.co.uk/sector/charities
For charity law experts see:
https://www.ibblaw.co.uk/service/charities
Rosie Brass, senior solicitor in the Charities team at IBB, will provide an overview of the legal framework for the GDPR. Then Dan Fletcher, Director (Fundraising), at Kingston Smith, will guide attendees on how to make the most of the GDPR and use the changes to improve their data management. Dan will also discuss practical ways to use the changes to improve fundraising and marketing for the better. For more information on GDPR please see: https://www.ibblaw.co.uk/insights/blog/are-you-ready-general-data-protection-regulation
In the second half of the seminar, Mahmood Ramji and Luke Holt from the Kingston Smith Charities team will provide an update on accounting, including looking at the recent SORP information sheet and the expected future timeline for new SORP iterations, followed by an overview of another 2017 hot topic - charity fraud, including cybercrime. Mahmood will also share details of the most pertinent areas we have been discussing with our clients during 2017. Looking forward into 2018, Luke will highlight the main points from the Lords Select Committee on Charities and how the sector may adapt as a result. Following the release of the third edition of the Charity Governance Code, Luke will also discuss the main areas of consideration and significant changes from previous versions. They will then conclude with a look at the new CC32 Independent Examination guidance and its key amendments.
The last part of the presentation will be provided by Paul Ridout, who heads the IBB Charities practice and will talk briefly about some recent regulatory action by the Charity Commission, including the deployment of some of the new powers brought in by the Charities (Protection and Social Investment) Act 2016. He will also address the tricky issue of serious incident reporting, in the light of the Commission’s recent changes to its guidance to trustees about what needs to be reported, and when.
Charities and Data Protection: GDPR
Rosie Brass, Senior Solicitor, IBB Solicitors
Summary
• What is the GDPR?
• Terminology
• Data protection principles
• GDPR myth busting
• What steps should you be taking towards compliance?
• Key reflections
What is the GDPR?
• GDPR: the General Data Protection Regulation 2016 (Regulation (EU) 2016/679)
• Replaces the Data Protection Act 1998
• Will apply from 25 May 2018
• The UK Data Protection Bill 'adopts' the GDPR into UK law
Terminology
• The GDPR regulates the use of information about identified or identifiable individuals ('personal data')
• Individuals are referred to as 'data subjects'
• 'Processing' means doing anything with personal data (collecting, storing, using, sharing or deleting it)
• The organisation which determines the purposes and manner of processing is the 'data controller'
• An organisation which processes personal data on behalf of the data controller is the 'data processor'
• The Information Commissioner's Office ('ICO') is the UK regulator
Data Protection Principles in the GDPR
Personal data must be:
• Processed fairly, lawfully and in a transparent manner (lawfulness, fairness and transparency)
• Collected for specified, explicit and legitimate purposes and not further processed in a way incompatible with those purposes (purpose limitation)
• Adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (data minimisation)
• Accurate and, where necessary, kept up to date (accuracy)
• Kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed (storage limitation)
• Processed in a way that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage (integrity and confidentiality)
• Handled in accordance with data subjects' rights (rights of data subjects)
• Only transferred to a third country or international organisation if the provisions of the GDPR are complied with (transfers)
The first six are the Article 5(1) principles, and Article 5(2) adds accountability: the controller must be able to demonstrate compliance with them. The last two are carried over from the DPA 1998 principles; in the GDPR they are dealt with in Chapters III (rights) and V (transfers) rather than in Article 5.
Myth 1: GDPR is a revolution in data protection law
"The new regime is an evolution in data protection, not a burdensome regulation."
(Steve Wood, Deputy Information Commissioner)
...but there are some revolutionary traits
• Mandatory for some charities to appoint a Data Protection Officer
• Mandatory reporting of data breaches to the ICO
• Mandatory Data Protection Impact Assessments in some circumstances
• Increased data subject rights
• Overarching theme of accountability: data controllers must be responsible for, and able to demonstrate, compliance
Myth 2: GDPR is mostly about imposing huge fines
"Thinking that GDPR is about crippling punishment misses the point... Issuing fines has and always will continue to be a last resort."
(Elizabeth Denham, the Information Commissioner)
Myth 3: You must be compliant by the implementation date
• Work on it and get as far as you can by May 2018
• Put in place plans with due dates and tasks assigned
• Do not forget about data protection in June: GDPR compliance is not a one-off exercise
Myth 4: You must have consent if you want to process personal data
Consent is only one of six lawful bases for processing:
• Consent
• Necessary to fulfil a contract
• Legal obligation
• Necessary to protect vital interests
• Legal power / public function (public task)
• Legitimate interests
Myth 5: Data breach reporting
Each of the following is a myth:
• All personal data breaches need to be reported to the ICO (only breaches likely to result in a risk to individuals' rights and freedoms must be reported)
• All details need to be provided as soon as the breach occurs (the deadline is 72 hours from becoming aware of the breach, and information may be supplied in phases)
• If you do not report a breach in time, a fine will always be issued (fines are a last resort)
Myth 6: It's just a fundraising issue
• Requirements apply to personal data about employees, members, service users etc.
• No volunteer exemption
• Must be on the trustees' agenda
• Need a cross-functional steering group to implement GDPR
Myth 7: All individuals have an absolute right to be forgotten
The right to erasure (Article 17) applies only in specified circumstances and is subject to exceptions, for example where the data is still needed to comply with a legal obligation.
What steps should you be taking towards compliance?
• Undertake a data audit and mapping exercise
• Consider the grounds of processing
• Update your policies, procedures and documents
Key reflections
• Education on top of awareness
• Principles-based regulation
• GDPR is not the only factor
Information Commissioner's Office and Fundraising
Background
Following complaints in July 2015, the ICO investigated a number of charities' use of personal data in fundraising.
13 charities were fined, with penalties ranging from £6,000 to £25,000, in December 2016 and April 2017.
The ICO identified three practices where charities had not informed data subjects how their data would be used:
• Sharing with other charities
• Data appending (adding phone numbers or full addresses obtained from other sources)
• Automated profiling (wealth screening) to deselect less wealthy individuals
Data sharing has now largely ceased.
Charities need to improve their privacy policies and notify data subjects about data appending or wealth screening at the point of data capture.
Decide the purpose for data processing
There are six conditions (lawful bases) to choose from:
1. Consent
2. Necessary for a contract
3. Legal obligation
4. Vital interests
5. Lawful authority / task in the public interest
6. Legitimate interest
The same data may be processed at different times under different conditions, but a condition must be chosen every time.
Example of a declaration drafted in legal rather than plain English (an illustrative notice):

"I hereby confirm my understanding of and acceptance of the following information. Donningly Council (the 'Council') will utilise the personal data I have provided in this form and via any evidence I have submitted in support of my claim in order to process my claim for housing benefit, council tax benefit, both of these or other applicable benefits which may be available to myself in accordance with the Council's personal data usage policies. The Council may check the personal data against other sources within the Council and other relevant third party public sector organisations as necessary in order to prevent and detect crime, protect public funds and make sure the personal information is accurate. The Council may also require to check personal data I have provided, or information in relation to myself, which has been provided to the Council by a third party with other information held by the Council. The Council may also get information about me from third parties or give information about me in accordance with the law. For the purposes of the Data Protection Act 1998 the data controller processing your personal data is Donningly Council. The Council processes all personal data in accordance with the Data Protection Act 1998 and the law. Having read and understood the above information I hereby provide declaration that the data on this form is correct and comprehensive and understand that if I give the Council information that is incorrect or incomplete the Council may commence legal action against me potentially leading to or including court action."

Language should use plain English.
Data Protection by Design
Do everything with the GDPR in mind. The seven foundational principles of privacy by design (Cavoukian) are:
1. Proactive not reactive; preventative not remedial
2. Privacy as the default
3. Privacy embedded into design
4. Full functionality (positive-sum, not zero-sum)
5. End-to-end security
6. Visibility and transparency
7. Respect for user privacy
Under the GDPR this is a legal obligation (Article 25, data protection by design and by default), not just good practice.
Security and avoiding breaches
Report a breach to the ICO without undue delay and, where feasible, within 72 hours of becoming aware of it; if notification is delayed you must explain why.
Your ICO report should include:
• nature of the breach
• number and categories of data subjects
• number of records
• name and contact details of your DPO (or other contact point)
• likely consequences of the breach
• measures taken or proposed to address the breach, including to mitigate its effects
A report is not required if the breach is unlikely to result in a risk to data subjects' rights and freedoms. Where the breach is likely to result in a high risk to individuals, they must also be told without undue delay.
If the breach does not justify reporting to the ICO, record it in the internal breach log: all breaches must be documented, whether or not they are reported.
Implications for the voluntary sector
• Undergo an information asset audit
• Review policies and procedures
• Review privacy notices
• Commence Data Protection Impact Assessments
• Review security measures
• Consider subject access rights
• Review use of CCTV, biometric data, etc.
• Decide whether to appoint a Data Protection Officer at board level
• Consider conditions for communicating with supporters and past supporters
Data protection landscape in 2023
In five years' time...
• Some significant fines for commercial companies?
• Small organisations stung for lack of awareness and compliance
• Increased awareness of risk in data management
• The media and public more aware of their data rights
• An expectation of granularity in communication choices
• Increase in the number of subject access requests
• Lower tolerance for unsolicited emails, calls or texts
• Increase in unaddressed mail
• Reduction in the size of charity mailing lists
• Great examples in the not-for-profit world of honest, open communication
Kingston Smith services
KS ClearComm
• GDPR compliance review
• Outsourced Data Protection Officer role
• GDPR compliance training
Kingston Smith Fundraising and Management
• Full fundraising governance briefings to governors
• Fundraising governance audits
• Fundraising policies and procedures audits
• Support to use GDPR to improve fundraising processes
Mark Burnett, Head of Privacy, ClearComm, mburnett@ks.co.uk, 07817 779006
Dan Fletcher, Director (Fundraising), KSFM, dfletcher@ks.co.uk, 020 7566 3826
Charities Update 2018 – Making the most of change
Mahmood Ramji and Luke Holt, NFP Partners, Kingston Smith
23 January 2018
Charities Update 2018 – SORP (again!)
SORP clarification paper (information sheet) issued in April 2017. Key areas:
• Confirmation that comparatives are required (net assets by fund)
• Clarification that employer's National Insurance is included in key management personnel disclosures
No new SORP for 2019.
Expect a further "Update Bulletin" in 2019 arising from the FRS 102 triennial review.
Next full SORP expected in 2022.
Charities Update 2018 – Charity Fraud
Recent headlines:
• Former Mencap PA pleads guilty to fraud at Crown Court
• Former chief of education charity on trial for alleged fraud
• Charities 'lose hundreds of thousands to fraud each month'
• 823 employee frauds against charities in the last 6 months ("Action Fraud")
• Former chief executive of Birmingham Dogs Home and his wife admit £900,000 fraud
Charities Update 2018 – Charity Fraud
Estimated annual fraud losses in the charity sector:
• 2006: Association of Chief Police Officers – £0.5 billion
• 2010: National Fraud Authority Annual Fraud Indicator – £0.75 billion
• 2012: National Fraud Authority Annual Fraud Indicator – £1.1 billion
• 2013: National Fraud Authority Annual Fraud Indicator – £1.17 billion
• 2016: Annual Fraud Indicator – £1.9 billion
• 2017: early indications suggest £2.3 billion (an increase of £400m)
That is some 2.5% of the estimated value of the sector. For frauds that are identified, average losses are 5.6% of expenditure.
Charities Update 2018 – Charity Fraud
"There are only two types of organisation. Those that have been hit by fraud, and those that are going to be."
Alan Bryce, Strategic Counter-Fraud Lead, Charity Commission
Charities Update 2018 – Charity Fraud
Don't be complacent: it can and will happen.
Charities are an easier target:
• Use of volunteers
• Culture of openness and trust
• Separation of trustees and operational team
• Small operational team / finance function
• Income streams are often less predictable
• Partnership working and reliance on others
• Resource strapped (people and money)
Charities Update 2018 – Charity Fraud
Common frauds, and controls to protect against them:
• Supplier mandate fraud (a request, often by email, to change a supplier's bank details)
• Batch supplier duplication (the same supplier set up more than once on the purchase ledger)
• Procurement fraud
• Fraudulent staff costs
• Cyber fraud – email takeover
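A worked illustration of the first two frauds in the list above, as an added example that is not material from the seminar or from Kingston Smith: a check run over a supplier master file that finds duplicate supplier records (same bank details under different names, or the same name entered twice with variant spellings) and flags bank-detail change requests that were not verified by an independent callback or that redirect payments to an account another supplier already uses. All supplier names, sort codes, account numbers and the callback_verified field are constructed for the example.

```python
# Added example: supplier-master checks for batch supplier duplication and
# supplier mandate fraud. Dataset, field names and the callback_verified
# flag are hypothetical; real finance systems export similar records.
import re
from collections import defaultdict

# Constructed supplier master (sort codes and account numbers are made up).
SUPPLIERS = [
    {"id": "S001", "name": "Acme Cleaning Ltd",     "sort_code": "12-34-56", "account": "11111111"},
    {"id": "S002", "name": "ACME CLEANING LIMITED", "sort_code": "12-34-56", "account": "11111111"},
    {"id": "S003", "name": "Bright Print Co",       "sort_code": "65-43-21", "account": "22222222"},
    {"id": "S004", "name": "Bright Print Co.",      "sort_code": "11-22-33", "account": "33333333"},
    {"id": "S005", "name": "Grange Catering",       "sort_code": "44-55-66", "account": "44444444"},
]

# Constructed bank-detail change ("mandate") requests received by finance.
CHANGE_REQUESTS = [
    # Classic mandate-fraud pattern: emailed request, nobody rang the supplier back.
    {"supplier_id": "S003", "new_sort_code": "98-76-54", "new_account": "55555555",
     "requested_via": "email", "callback_verified": False},
    # Verified by callback, but diverts payments to an account another supplier already uses.
    {"supplier_id": "S004", "new_sort_code": "44-55-66", "new_account": "44444444",
     "requested_via": "letter", "callback_verified": True},
    # Verified, and to a fresh account: nothing to flag.
    {"supplier_id": "S005", "new_sort_code": "44-55-66", "new_account": "66666666",
     "requested_via": "email", "callback_verified": True},
]

# Words that routinely vary between duplicate entries of the same supplier.
_SUFFIXES = {"ltd", "limited", "plc", "co", "company", "the"}


def normalise_name(name):
    """Lower-case, strip punctuation and common suffixes so variants match."""
    words = re.sub(r"[^a-z0-9 ]", " ", name.lower()).split()
    return " ".join(w for w in words if w not in _SUFFIXES)


def find_duplicate_suppliers(suppliers):
    """Return sorted groups of supplier ids that share bank details or a
    normalised name. Either match should trigger a review before payment."""
    by_bank = defaultdict(list)
    by_name = defaultdict(list)
    for s in suppliers:
        by_bank[(s["sort_code"], s["account"])].append(s["id"])
        by_name[normalise_name(s["name"])].append(s["id"])
    groups = []
    for ids in list(by_bank.values()) + list(by_name.values()):
        if len(ids) > 1 and sorted(ids) not in groups:
            groups.append(sorted(ids))
    return groups


def review_mandate_changes(suppliers, requests):
    """Flag change requests that lack an independent callback to a contact
    number already on file, or that redirect payments to an account another
    supplier already uses. Returns a list of (supplier_id, reasons) pairs."""
    accounts_in_use = {(s["sort_code"], s["account"]): s["id"] for s in suppliers}
    findings = []
    for r in requests:
        reasons = []
        if not r["callback_verified"]:
            reasons.append(f"{r['requested_via']} request not verified by callback "
                           "to a contact number held on file")
        owner = accounts_in_use.get((r["new_sort_code"], r["new_account"]))
        if owner and owner != r["supplier_id"]:
            reasons.append(f"new account already belongs to supplier {owner}")
        if reasons:
            findings.append((r["supplier_id"], reasons))
    return findings


if __name__ == "__main__":
    for group in find_duplicate_suppliers(SUPPLIERS):
        print("possible duplicate suppliers:", ", ".join(group))
    for supplier_id, reasons in review_mandate_changes(SUPPLIERS, CHANGE_REQUESTS):
        print(f"hold mandate change for {supplier_id}: " + "; ".join(reasons))
```

The callback check is the important control: the phone number used must come from the record already on file, never from the letter or email requesting the change, since a fraudster supplies a number they control. The duplicate check deliberately treats a shared bank account as a match even when the names differ, because that is what a duplicated or fraudulently inserted supplier record usually looks like.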
Charities Update 2018 – Cyber Fraud
How does it happen?
• Ineffective information security governance
• Poor access controls
• Identity details not held securely
• Weak data and data management controls
• Vulnerable applications
• Penetrable website
• Inadequately controlled accounting systems
• End-user computing weaknesses, e.g. uncontrolled critical spreadsheets
Charities Update 2018 – Cyber Fraud
How to protect against it?
• Technology protection
• Information security governance
• Access management
• Identity management
• Data encryption
• Secure data warehousing, storage and classification
• Automated application controls
• Vulnerability / penetration testing
• Exception and user access reporting
Charities Update 2018 – Cyber Fraud
Just starting out on cyber fraud controls?
• Review access privileges
• Assess the risks of data theft: email, USB, cloud storage
• Revise and re-publish the information security policy
• Re-train staff
• Test staff responses to "phishing" emails
• Initiate regular penetration tests
• Review third-party contracts and controls
• Define consequences and an established internal process for breaches
Charities Update 2018 – Lords Select Committee
Lords Select Committee on the Charity sector: main themes
• Trustee skills
• Diversity and turnover
• Payment of trustees
• Funding for "core costs"
• Impact reporting
• Volunteers
• Regulation by the Charity Commission
Charities Update 2018 – the Charity Governance Code
• Three editions of the Charity Governance Code have been issued in the last twelve years (2010 was the second edition); the third was published in July 2017
• Developed by a broad steering group of sector specialists
• The latest edition has raised the bar in response to the challenges the sector has faced over the last two years
• Follows a "foundation principle", matched with seven key principles
• Each principle is then explained by a rationale, key outcomes and recommended practice
• Separate versions for smaller and larger charities for the first time
• "Apply or explain", not "comply or explain"
Charities Update 2018 – the Charity Governance Code
• Principle One – Organisational purpose
• Principle Two – Leadership
• Principle Three – Integrity
• Principle Four – Decision making, risk and control
• Principle Five – Board effectiveness
• Principle Six – Diversity
• Principle Seven – Openness and accountability
Charities Update 2018 – Why does governance matter?
Avoids the inefficient Board of Trustees (cartoon not reproduced here).
Charities Update 2018 – new areas of the Governance Code (larger charities)
• Mergers and collaborations
• Nine-year maximum term for trustees (unless explained)
• Openness on senior staff salaries
• Being risk averse recognised as a risk in itself
• Board review annually, external review triennially
• Board size (generally 5-12 seen as best practice)
• More emphasis on the role of the Chair and Vice Chair
• Increased oversight of subsidiaries and third parties
• Registers of interests, hospitality and gifts, amongst others
• Impact reporting throughout
• Wearing two hats: trustee and general volunteer
Charities Update 2018 – Governance reviews by Kingston Smith
The third edition of the Code represents an excellent time to review your charity's governance structure:
• Review against the Code (the seven principles in general)
• Detailed review using the Code framework (including a deep dive into two Code principles in more detail)
• A "full" governance review including terms of reference, memorandum and articles, standing orders, interviews etc.
Charities Update 2018 – Independent examinations (CC32)
Summary of changes (CC32)
Additional information / new requirements in relation to:
• Provision of other services
• Reserves policy
• Going concern
• Related party transactions
• Independent examination of groups
• Correcting accounting records
• All-new reporting format (including qualified reports)
Already applicable: for all reports signed from 1 December 2017.
Charities and their Regulator: New Powers and Recent Action
Paul Ridout, Partner, IBB Solicitors
Summary
• The objectives of the Charity Commission
• The Commission's regulatory approach
• When will the Commission get involved?
• What are the Commission's priority areas?
• What powers does the Commission use?
• What are the latest regulatory hot topics?
The objectives of the Charity Commission
• Public trust and confidence
• Public benefit
• Promote compliance
• Effective use of resources
• Enhance accountability
The Commission's regulatory approach
• Promoting compliance with legal obligations
• More rigour in holding charities to account
• Upholding the definition of charity
• More public trust and confidence
When will the Commission get involved?
• Do we need to get involved?
• What is the nature and level of risk?
• What is the most effective response?
What are the Commission's priority areas?
• Fraud and financial abuse
• Safeguarding
• Terrorism
• Other non-compliance that damages public trust and confidence
What powers does the Commission use?
Existing powers
• Require information or documents
• Suspend a trustee / employee
• Freezing orders
• Restricting transactions
• Appoint interim managers
• Remove a trustee / employee
• Directions
• Schemes
New powers (Charities (Protection and Social Investment) Act 2016)
From July 2016:
• Remove a trustee who is disqualified but still holds office
• Consider conduct by a trustee outside the charity that is under investigation
• Remove a trustee who resigns during an inquiry
• Extend the suspension of a trustee
• Direct that certain actions should not be taken
• Direct the winding up of a charity and transfer of its assets to another charity
From October 2016:
• Discretionary power to disqualify a person from trusteeship
Some recent actions
Catalyst Trust
• "Doubtful accuracy" in accounts
• Loans to connected parties
• Non-cooperation with the Commission
Cup Trust
• £46 million Gift Aid claim
• Discretionary disqualification
National Hereditary Breast Cancer Helpline
• Charity at risk of financial distress
• Shops running at a loss
• Unauthorised payments to the Chair
• Official warning issued
Contact us
Paul Ridout, Partner
T: 01895 207862
E: paul.ridout@ibblaw.co.uk
Rosie Brass, Senior Solicitor
T: 01895 207290
E: rosie.brass@ibblaw.co.uk
IBB Solicitors
Capital Court
30 Windsor Street
Uxbridge
UB8 1AB
Speaker notes
Much better than its previous version
Foundation principle is that Trustees will look for best interest of the charity, understand their role in the charity and public benefit.
Smaller is for those outside the audit threshold (£1m income or less) – so not applicable to RNRMC (larger code needed)
Just guidance (albeit the Charity Commission is supporting it by removing CC10, its own governance guidance), it is NOT LEGALLY BINDING, hence apply or explain, not comply or explain.
Seven principles, many of which we will delve into in more detail this afternoon.
Those in red – Effectiveness, openness and accountability (I think are those that most closely resemble the basis for your discussions during your morning session, so I will not be spending any time on those areas this afternoon).
There will be some cross over with this morning, but I know that you used the NCVO governance wheel (which is loosely based on the old 2nd edition code), so there are updates in this third code and also brand new areas that require consideration.
So why do people like myself and many others believe good governance is of paramount importance?
Any of you who have seen me present before know that I like an elaborate cartoon representation for comic effect – so here is this afternoon's!
But seriously – obviously this is an exaggeration, but I bet if I started to explain some of the characteristics of some of these Board members, I'd start to ring some bells around the room, or even start to get some heads nodding (for those of you who are brave enough!)
The Politician – loud, opinionated and always the first to claim their expenses? The Naysayer – we can't possibly do that, no no no. The know-all – my way or the highway, the "king or queen of the veto".
The historian – never without a pair of rose-tinted glasses.
The truth is that there are probably parts of each of the above in many of us, but governance is about working together, collectively, to deliver a charitable mission.
Embracing the different personalities and using those to your advantage – to grow and develop
Mergers and collaborations
Nine year maximum term for Trustees (unless explained)
Openness on Senior Staff salaries
Being risk adverse recognised as a risk in itself
Board review annually, external review triennially
Board size (generally 5-12 seen as best practice)
More emphasis on the role of the Chair & Vice Chair
Increased oversight of subsidiaries and third parties
Recognised as being aspirational – continued improvement