January 2018 welcomes the Kingston Smith and IBB Solicitors annual charities update to bring you up to speed with the legal and regulatory developments in the Charity Sector. For advice on developments in the Charity Sector please see: https://www.ibblaw.co.uk/sector/charities For charity law experts see: https://www.ibblaw.co.uk/service/charities Rosie Brass, senior solicitor in the Charities team at IBB, will provide an overview of the legal framework for the GDPR. Then Dan Fletcher, Director (Fundraising), at Kingston Smith, will guide attendees on how to make the most of the GDPR and use the changes to improve their data management. Dan will also discuss practical ways to use the changes to improve fundraising and marketing for the better. For more information on GDPR please see: https://www.ibblaw.co.uk/insights/blog/are-you-ready-general-data-protection-regulation In the second half of the seminar, Mahmood Ramji and Luke Holt from the Kingston Smith Charities team will provide an update on accounting, including looking at the recent SORP information sheet and the expected future timeline for new SORP iterations, followed by an overview of another 2017 hot topic - charity fraud, including cybercrime. Mahmood will also share details of the most pertinent areas we have been discussing with our clients during 2017. Looking forward into 2018, Luke will highlight the main points from the Lords Select Committee on Charities and how the sector may adapt as a result. Following the release of the third edition of the Charity Governance Code, Luke will also discuss the main areas of consideration and significant changes from previous versions. They will then conclude with a look at the new CC32 Independent Examination guidance and its key amendments. The last part of the presentation will be provided by Paul Ridout, who heads the IBB Charities practice and will talk briefly about some recent regulatory action by the Charity Commission, including the deployment of some of the new powers brought in by the Charities (Protection and Social Investment) Act 2016. He will also address the tricky issue of serious incident reporting, in the light of the Commission’s recent changes to its guidance to trustees about what needs to be reported, and when.

1. CHARITIES UPDATE SEMINAR
23 JANUARY 2018
WELCOME

2. C H A R I T I E S A N D D A T A
P R O T E C T I O N :
G D P R
R O S I E B R A S S
S E N I O R S O L I C I T O R , I B B S O L I C I T O R S

3. S U M M A R Y
What is the GDPR?
Terminology
Data Protection Principles
GDPR Myth Busting
What steps should you be taking towards
compliance?
Key Reflections

4. W H A T I S T H E G D P R ?
• GDPR: the General Data
Protection Regulation
2016
• Replaces the Data
Protection Act 1998
• Will apply from 25 May
2018
• UK Data Protection Bill
‘adopts’ GDPR

5. T E R M I N O L O G Y
• GDPR regulates use of information about individuals (‘personal
data’)
• Individuals are referred to as ‘data subjects’
• ‘Processing’ means doing anything with personal data
• Organisation which controls the purposes and manner of
processing is the ‘data controller’
• Organisation which processes personal data on behalf of the
data controller is the ‘data processer’
• The Information Commissioner’s Office (‘ICO’) is the UK
Regulator

6. D A T A P R O T E C T I O N P R I N C I P L E S
• Personal data must be:
• Processed fairly, lawfully and in a transparent manner -
lawfulness, fairness and transparency
• Collected for specified, explicit and legitimate purposes and
not further processed in a way incompatible with those
purposes -purpose limitation
• Adequate, relevant and limited to what is necessary in
relation to the purposes for which they are processed - data
minimisation
• Accurate, and where necessary, kept up to date - accuracy

7. D A T A P R O T E C T I O N P R I N C I P L E S I N T H E
G D P R
• Personal data must be:
• Kept in a form which permits identification of data subjects
for no longer than is necessary for the purposes for which
the personal data are processed - storage limitation
• Kept in accordance with data subjects rights – rights of data
subjects
• Processed in a way that ensures appropriate security of the
personal data – integrity and confidentiality
• Only transferred to a third country or international
organisation if the provisions of the GDPR are complied with
- transfers

8. M Y T H 1 : G D P R I S A R E V O L U T I O N
I N D A T A P R O T E C T I O N L A W
“The new regime is an evolution in data protection
not a burdensome regulation”.
(Steve Wood, Deputy Information Commissioner)

9. . . . B U T T H E R E A R E S O M E
R E V O L U T I O N A R Y T R A I T S
• Mandatory for some charities to appoint a Data Protection
Officer
• Mandatory reporting of data breaches to the ICO
• Mandatory Data Protection Impact Assessments in some
circumstances
• Increased data subject rights
• Overarching theme of accountability - requires data controllers
to be responsible for, and demonstrate, compliance

10. M Y T H 2 : G D P R I S M O S T L Y A B O U T
I M P O S I N G H U G E F I N E S
“Thinking that GDPR is
about crippling punishment
misses the
point….Issuing fines has
and always will continue to
be a last resort”.
(Elizabeth Denham, the
Information
Commissioner)

11. M Y T H 3 : Y O U M U S T B E C O M P L I A N T
B Y T H E I M P L E M E N T A T I O N D A T E
• Work on it and get as far
as you can by May 2018
• Put in place plans with due
dates and tasks assigned
• Do not forget about data
protection in June - GDPR
is not a one-off exercise

12. M Y T H 4 : Y O U M U S T H A V E C O N S E N T
I F Y O U W A N T T O P R O C E S S
P E R S O N A L D A T A
Consent
Necessary to fulfil
contract
Legal obligation
Necessary to protect
vital interests
Legal power/public
function
Legitimate interests

13. M Y T H 5 : D A T A B R E A C H R E P O R T I N G
• All personal data breaches need to be reported to the ICO
• All details need to be provided as soon as the breach occurs
• If you do not report a breach in time, a fine will always be
issued

14. M Y T H 6 : I T ’ S J U S T A F U N D R A I S I N G
I S S U E
• Requirements apply to
personal data about
employees, members,
service users etc
• No volunteer exemption
• Must be on the trustees’
agenda
• Need a cross functional
steering group to implement
GDPR

15. M Y T H 7 : A L L I N D I V I D U A L S H A V E A N
A B S O L U T E R I G H T T O B E
F O R G O T T E N

16. W H A T S T E P S S H O U L D Y O U B E
T A K I N G T O W A R D S C O M P L I A N C E ?
Undertake a data audit and mapping exercise
Consider the grounds of processing
Update your policies, procedures and documents

17. K E Y R E F L E C T I O N S
Education on top
of awareness
Principles based
regulation
GDPR is not the
only factor

18. 18
Ready for GDPR?
Charities Update 2018
Making the most of change
23 January 2018

19. 19
Session overview
 Main areas to consider
 Implications for the voluntary sector
 Data protection landscape in 2023
 Any questions

20. 20

21. 21
Main areas of concern

22. 22
Information Commissioner’s Office and Fundraising
Background
 Following complaints in July 2015, the ICO investigated a number
of charities’ use of personal data in fundraising
 13 charities were fined between £6,000-£18,000 in December
2016 and April 2017.
 The ICO identified three issues where charities had not informed
data subjects of how data would be used:
 Sharing with other charities
 Data-appending phone or full address information
 Automated profiling to deselect less wealthy individuals
 Data-sharing has now largely ceased
 Charities need to improve Privacy Policies and notify data subjects
about data appending or reviewing wealth potential at data capture

23. 23
Decide the purpose for data processing
There are six conditions to choose from:
1. Consent
2. Necessary for contract
3. Legal obligation
4. Vital interests
5. Lawful authority, in the public interest
6. Legitimate interest
The same data may be processed at different times under different
conditions, but a condition must be chosen every time.

24. 24
I hereby confirm my understanding of and acceptance of the following information.
Donningly Council (the 'Council') will utilise the personal data I have provided in this
form and via any evidence I have submitted in support of my claim in order to process
my claim for housing benefit, council tax benefit, both of these or other applicable
benefits which may be available to myself in accordance with the Council's personal
data usage policies. The Council may check the personal data against other sources
within the Council and other relevant third party public sector organisations as
necessary in order to prevent and detect crime, protect public funds and make sure
the personal information is accurate. The Council may also require to check personal
data I have provided, or information in relation to myself, which has been provided to
the Council by a third party with other information held by the Council. The Council
may also get information about me from third parties or give information about me in
accordance with the law. For the purposes of the Data Protection Act 1998 the data
controller processing your personal data is Donningly Council. The Council processes
all personal data in accordance with the Data Protection Act 1998 and the law.
Having read and understood the above information I hereby provide declaration that
the data on this form is correct and comprehensive and understand that if I give the
Council information that is incorrect or incomplete the Council may commence legal
action against me potentially leading to or including court action.
Language should use Plain English

25. 25
Do everything with GDPR in mind
1. Privacy is the default
2. Privacy is embedded into design
3. Full functionality
4. End-to-end security
5. Visibility and transparency
6. Respect for user privacy
Data Protection by Design

26. 26
 Report a breach within 72 hours, if delayed you must explain
why.
Your ICO Report should include:
• nature of breach
• number and categories of subjects
• number of records
• provide the name of your DPO
• likely consequences of breach
• measures already taken to mitigate the breach
 But report not required if unlikely to cause prejudice to subjects’
rights and freedoms.
 If the breach doesn’t justify reporting to the ICO, detail it in the
internal breach log.
Security and avoiding breaches

27. 27
Implications for the voluntary sector

28. 28
 Undergo an Information Asset Audit
 Review Policies and Procedures
 Review Privacy Notices
 Commence Data Protection Impact Assessments
 Review Security measures
 Consider Subject Access rights
 Review use of CCTV, biometric data, etc
 Decide whether to appoint a Data Protection Officer at board
level
 Consider conditions for communicating to supporters and past
supporters
Implications for voluntary sector

29. 29
Data protection landscape in 2023

30. 30
Data protection landscape in 2023
In five years time…
• Some significant fines for commercial companies?
• Small organisations stung for lack of awareness and
compliance
• Increased awareness of risk in data management
• The media and public more aware of their data rights
• An expectation for granularity of communication choices
• Increase in number of subject access requests
• Lower tolerance for unsolicited emails, calls or texts
• Increase in unaddressed mail
• Reduction in size of charity mailing lists
• Great examples in not-for-profit world of honest, open
communication

31. 31
Kingston Smith services
 KS ClearComm
 GDPR compliance review
 Outsourced Data Protection Officer role
 GDPR compliance training
 Kingston Smith Fundraising and Management
 Full fundraising governance briefings to governors
 Fundraising governance audits
 Fundraising policies and procedures audits
 Support to use GDPR to improve fundraising processes
Mark Burnett, Head of Privacy, ClearComm, mburnett@ks.co.uk, 07817 779006
Dan Fletcher, Director (Fundraising), KSFM, dfletcher@ks.co.uk, 020 7566 3826

32. 32
Charities Update 2018 – Making the most of
change
Mahmood Ramji
Luke Holt
NFP Partners
23 January 2018

33. 33
Charities Update 2018 – SORP (again!)

34. 34
Charities Update 2018 – SORP (again!)
 SORP clarification paper issued in April 2017
Key areas: -
- Confirmation of comparatives required (net
assets by fund)
- Clarification of Eers NI in relation to key
management disclosures
 No new SORP for 2019
 Expect to be a further “Update Bulletin in 2019” due to FRS
102 triennial review
 Next SORP expected to be 2022

35. 35
Charities Update 2018 – Charity Fraud
Charity fraud on the increase

36. 36
Charities Update 2018 – Charity Fraud
 Former Mencap PA pleads guilty to fraud at Crown
Court
 Former chief of education charity on trial for alleged
fraud
 Charities 'lose hundreds of thousands to fraud each
month'
 823 employee frauds against charities in last 6
months
“ActionFraud”
 Former chief executive of Birmingham Dogs Home
and his wife admit £900,000 fraud
Recent headlines

37. 37
Charities Update 2018 – Charity Fraud
 In 2006 Assoc of Chief Police Officers - £0.5 billion
 In 2010 National Fraud Authority AFI - £0.75 billion
 In 2012 National Fraud Authority AFI - £1.1 billion
 In 2013 National Fraud Authority AFI - £1.17 billion
 In 2016 National Fraud Authority AFI - £1.9 billion
 2017 Early indications suggest £2.3 billion (£400m inc)
 Some 2.5% of the estimated value of the sector
 For frauds identified, average losses are 5.6% of
expenditure!

38. 38
Charities Update 2018 – Charity Fraud
“There are only two types of organisation. Those
that have been hit by fraud, and those that are
going to be."
 Alan Bryce, Strategic Counter-Fraud Lead, Charity Commission

39. 39
Charities Update 2018 – Charity Fraud
 Don’t be complacent – it can and will happen
 Charities are an easier target:
– Use of volunteers
– Culture of openness and trust
– Separation of trustees and operational team
– Small operational team/finance function
– Income streams are often less predictable
– Partnership working and reliance on others
– Resource strapped (people and money)

40. 40
Charities Update 2018 – Charity Fraud
 Common frauds and controls to protect against
–Supplier mandate fraud
–Batch supplier duplication
–Procurement fraud
–Fraudulent staff costs
–Cyber fraud – email takeover

41. 41
Charities Update 2018 – Cyber Fraud

42. 42
Charities Update 2018 – Cyber Fraud
How it happens?
 Ineffective information security governance
 Poor access controls
 Identity details not held securely
 Weak data and data management controls
 Vulnerable applications
 Penetrable website
 Inadequately controlled accounting systems
 End-user computing weakness e.g. uncontrolled
critical spread sheets

43. 43
Charities Update 2018 – Cyber Fraud
How to protect against?
 Technology protection
 Information security governance
 Access management
 Identity management
 Data encryption
 Secure data warehousing, storage, classification
 Automated application controls
 Vulnerability/penetration testing
 Exception and user access reporting

44. 44
Charities Update 2018 – Cyber Fraud
Just starting out on cyber fraud controls?
 Review access privileges
 Risks of data theft – email, usb, cloud storage
 Revise and re-publish information security policy
 Re-train staff
 Test staff responses to “phishing” e-mails
 Initiate regular penetration tests
 Review third party contracts and controls
 Consequences/established internal process for
breaches

45. 45
Charities Update 2018 – Charity Commission 10 questions on fraud

46. 46
Charities Update 2018 – Lords Select Committee

47. 47
Charities Update 2018 – Lords Select Committee
Lords Select Committee on the Charity
sector
 Trustee Skills
 Diversity and turnover
 Payment of Trustees
 Funding for “core costs”
 Impact reporting
 Volunteers
 Regulation by the Charity Commission

48. 48
Charities Update 2018 – the Charity Governance Code
 Charity Governance Code – there have been 3 issued in the
last twelve years (2010 was the second edition) – Jul 2017
 Developed by a broad steering group of sector specialists
 Latest edition has raised the bar in response to the challenges
that the sector has faced over the last two years
 Follows a “foundation principle”, matched with seven key
principles
 Each principle then explained by a rationale, key outcomes and
recommended practice
 Smaller and larger code for the first time
 “Apply or explain” not “Comply or explain”

49. 49
Charities Update 2018 – the Charity Governance Code
 Principle One – Organisational purpose
 Principle Two – Leadership
 Principle Three – Integrity
 Principle Four – Decision making, risk and control
 Principle Five – Board effectiveness
 Principle Six – Diversity
 Principle Seven – Openness and accountability.

50. 50
Charities Update 2018 – Why does Governance matter?
Avoids the inefficient Board of Trustees:

51. 51
Charities Update 2018 – new areas of the Governance Code (Larger)
 Mergers and collaborations
 Nine year maximum term for Trustees (unless explained)
 Openness on Senior Staff salaries
 Being risk adverse recognised as a risk in itself
 Board review annually, external review triennially
 Board size (generally 5-12 seen as best practice)
 More emphasis on the role of the Chair & Vice Chair
 Increased oversight of subsidiaries and third parties
 Registers of interest, hospitality and gifts amongst others
 Impact reporting throughout
 Wearing two hats – Trustee and general volunteer

52. 52
Charities Update 2018 – Governance reviews by Kingston Smith
 The 3rd edition of the Code represents an excellent
time to review your Charity’s governance structure
 Review against the Code (7 principles in general)
 Details review using the Code framework (including deep
dive into 2 code principles in more detail)
 A “full” governance review including Terms of reference,
mem & arts, standing orders and interviews etc

53. 53
Charities Update 2018 – Independent examinations (CC32)
Summary of changes (CC32)
Additional information/new requirements in relation to:
 Provision of other services
 Reserves policy
 Going concern
 Related party transactions
 Independent examination of groups
 Correcting accounting records
 All new reporting format (including qualified)
 Already applicable – for all reports signed from 1/12/17

54. 54
Charities Update 2018 – Thank you!
Luke Holt
NFP Partner
LHolt@kingstonsmith.co.uk
020 7566 3636
Mahmood Ramji
NFP Partner
MRamji@kingstonsmith.co.uk
020 8848 5523

55. C H A R I T I E S A N D T H E I R
R E G U L A T O R :
N E W P O W E R S A N D R E C E N T
A C T I O N
P A U L R I D O U T
P A R T N E R , I B B S O L I C I T O R S

56. S U M M A R Y
The objectives of the Charity Commission
The Commission’s regulatory approach
When will the Commission get involved?
What are the Commission’s priority areas?
What powers does the Commission use?
What are the latest regulatory hot topics?

57. T H E O B J E C T I V E S O F
T H E C H A R I T Y
C O M M I S S I O N
promote
compliance
public benefit
public trust
and
confidence
effective use
of resources
enhance
accountability

58. T H E C O M M I S S I O N ’ S
R E G U L A T O R Y
A P P R O A C H
Promoting
compliance
with legal
obligations
More rigour
in holding
charities to
account
Upholding
definition of
charity
More
public
trust and
confidence

59. W H E N W I L L T H E
C O M M I S S I O N G E T
I N V O L V E D ?
Do we need
to get
involved?
What is the
nature and
level of risk?
What is the
most effective
response?

60. W H A T A R E T H E
C O M M I S S I O N ’ S P R I O R I T Y
A R E A S ?
fraud and financial abuse
safeguarding
terrorism
other non-compliance that damages
public trust and confidence

61. W H A T P O W E R S D O E S
T H E C O M M I S S I O N U S E ?
E X I S T I N G
P O W E R S
information or documents
suspend trustee/employee
freezing orders
restricting transactions
appoint interim managers
removing trustee/employee
directions
schemes

62. N E W
P O W E R SJuly 2016
remove a trustee who is disqualified, but still holds office
consider conduct by a trustee outside the charity that is under
investigation
remove a trustee who resigns
extend the suspension of a trustee
direct that certain actions should not be taken
direct the winding up of a charity and transfer of assets to
another charity
October 2016
• discretionary power to disqualify a person from trusteeship

63. 2018?
extending automatic disqualification
November 2016
formal warnings

64. S O M E R E C E N T A C T I O N S
Catalyst Trust
“doubtful accuracy” in accounts
Loans to connected parties
Non-cooperation with Commission
Cup Trust
£46 million Gift Aid claim
Discretionary disqualification

65. S O M E R E C E N T A C T I O N S ( c o n t ’ d )
National Hereditary Breast Cancer Helpline
• Charity at risk of financial distress
• Shops running at a loss
• Unauthorised payments to Chair
• Official warning issued

66. C O N T A C T U S
Paul Ridout, Partner
T: 01895 207862
E: paul.ridout@ibblaw.co.uk
Rosie Brass, Senior Solicitor
T: 01895 207290
E: rosie.brass@ibblaw.co.uk
IBB Solicitors
Capital Court
30 Windsor Street
Uxbridge
UB8 1AB