The Information Commissioner’s Office (ICO) has recently issued guidance on the concept of “undertaking” in the context of imposing fines under UK GDPR and DPA 2018. This concept could be relevant to charities, as it may impact the maximum fine they might face for data protection breaches.
What is an undertaking?
The ICO’s guidance clarifies that an undertaking can encompass a group of legal entities or natural persons acting as a single economic unit. In simpler terms, this means that multiple organizations could be considered a single undertaking if they function as one economic unit. The ICO also states that charities would fall within the definition of undertaking if they carry on an economic activity. “The fact that the organisation is not motivated by profit or economic purpose, does not, in itself mean that it does not engage in economic activity”, says the ICO.
How does the ICO determine if an organization is part of a wider undertaking?
The ICO will assess various factors to determine if a controller or processor is part of a wider undertaking. A crucial factor is whether the organization has ‘decisive influence’ over other entities or is conversely influenced by another entity.
Why should charities care about the concept of undertaking?
For charities, the concept of undertaking could be significant because it could affect the maximum fine they could be liable for in case of a data protection breach. If a charity is deemed part of a larger undertaking, the ICO might base the maximum fine on the combined turnover of the entire undertaking rather than just the charity’s individual turnover. This could potentially result in a much higher fine than the charity would have faced otherwise.
Recommendations for Charities
You might want to check if your organisation falls under the definition of an “undertaking.” If it does, make sure all charities in the group have strong data protection measures in place to lower the risk of fines.
Understanding the concept of undertaking and its consequences can help charities prepare for possible ICO enforcement actions and ensure compliance with data protection rules.
Keep in mind that the interpretation of this guidance may vary until it’s applied practically in the charity sector. Stay tuned for updates on how this guidance will impact charities in practice.
Need help understanding how the new fining guidance might affect you? Or want support with your data protection compliance? Just reach out to us at info@hope-may.com