
Data, dignity and digital threats: Why the Charity Sector needs to pay attention to the ICO’s evolving agenda
As a consultant working across more than 400 charities, I’ve seen the tension organisations face when trying to meet their mission while navigating increasingly complex digital, data and compliance demands.
In 2024 that challenge has intensified, and with the upcoming changes to the Information Commission it is a crucial time for the charity sector to take stock of where it stands on data protection, cyber resilience and AI risk.
The ICO’s new direction: What charities need to know
The Information Commissioner’s Office (ICO) has set out clear strategic goals under its ICO25 framework. These include:
- Empowering organisations through practical support
- Protecting vulnerable people through stronger enforcement
- Tackling cyber security weaknesses and AI harms
- Focusing on sectors most at risk, including health, education and social services
While not always named, charities sit right at the intersection of these priorities.
We handle deeply sensitive data, from mental health to domestic violence, housing status to disability, often without the infrastructure of larger agencies. We’re collecting consent, managing special category data, navigating online safeguarding, and making decisions that have ethical as well as legal consequences.
Yet many charities I work with still lack:
- A robust GDPR refresh since 2018
- Clear data retention schedules
- Regular penetration testing or risk assessments
- Confidence in their AI and digital procurement frameworks
AI & the Charity Sector: A growing blind spot
AI might seem like a “big tech” issue, but it’s already creeping into charity systems — from automated CRM tagging to grant decision support tools and predictive safeguarding.
Key concerns include:
- Bias in datasets and automated decisions
- Informed consent in digitally excluded communities
- Poorly vetted third-party tools embedded in websites or helplines
- Lack of sector guidance on responsible innovation
The ICO has been clear: organisations deploying AI must demonstrate fairness, transparency and accountability. Charities need to understand, and urgently, how that applies to them.
Cyber threats: Not if, but when
Recent years have seen high-profile breaches affecting major charities, from ransomware attacks to phishing-based payroll fraud. The threat isn’t going away — and with a sector increasingly reliant on hybrid working and cloud-based services, many charities remain vulnerable.
The ICO’s expectation is that organisations implement proportionate but effective controls, including:
- MFA (multi-factor authentication)
- Staff awareness training
- Data breach response protocols
- Supplier and third-party risk checks
Failure to act not only risks service user safety — it could result in regulatory action, reputational damage and funder mistrust.
A new statutory board: What it means
The new Information Commission Act will establish the ICO as a statutory corporation with an independent Board. This signals a more formal and future-facing regulatory model. The charity sector needs to make sure its voice is heard — especially on:
- Tailored guidance for under-resourced organisations
- Recognition of voluntary sector realities in enforcement approaches
- Investment in capacity-building, not just penalties
Having served on boards including VAPC and BBC Children in Need, I believe it’s vital that public bodies like the ICO understand the real-world challenges and trade-offs that charities face, but also hold us to account for the trust placed in us by the public.
What can you do?
- Audit your data systems now — are they still fit for purpose?
- Train your staff and trustees — especially on phishing, passwords, and data handling.
- Start the AI conversation — if your charity is using or considering AI, make sure ethical and data protection risks are part of the planning.
- Engage with ICO guidance — their voluntary sector resources are expanding, but they need your input.
Final thoughts
At its heart, data protection is about dignity, consent and power, values that the charity sector should already hold dear. But with new technologies, growing cyber threats, and changes to the ICO’s structure, it’s time for charities to move from compliance as paperwork to data as trust work.
We owe it to our beneficiaries and ourselves to get this right.