Recent high profile charity cases and figures from the Information Commissioner's Office (ICO) show an overall rise in the number of charities that have suffered data breaches. This is an area with potentially huge consequences for charities. Protecting your data also helps you maintain your reputation, both with your donors and with the wider public. So what can charities do to protect themselves against this threat?
- Be prepared and plan, plan, plan!
If your charity suffers a data breach, having a plan already in place is one of the ways you can mitigate its harmful impact. The ICO will be more lenient with a charity that can show it knows what types of data it keeps and who has access to them, and that its staff and volunteers have been trained in handling that data. Most data breaches are straightforward, simple mistakes, and they often happen through third parties. A charity should be able to make each of these statements:
- We know the types of data we capture, where it comes from and who has access to it in our organisation.
- We know what the data is used for and have asked the subject’s permission.
- We know how to keep it safe, and how to dispose of it when it is no longer needed (this is especially important for physical records that are no longer needed).
- We train our people and have put measures in place to be able to trust third parties.
- We have a plan to handle a data breach.
Data protection should be a top-down attitude with shared ownership of good practice. Transparency is also needed: people must be confident that a reported data breach will be handled professionally, otherwise breaches get hidden rather than reported.
- But won’t the ICO be more lenient if I’m a charity?
Short answer, no! The ICO does not take into account what type of organisation suffered the breach, but how the breach is handled. The standard advice is to inform the ICO as soon as possible and to start executing your pre-existing plan. If you can show that your organisation tried to do the right thing at the right time, the chances of a heavy fine or other penalty are reduced. It is now estimated that a data breach in 2015 cost £120 per compromised record, highlighting how important it is to understand data protection law. Charities have recently made headlines for fines of up to £200,000 for data breaches. Charities also have to remember that a volunteer who handles data is recognised by the ICO as having the same responsibilities as permanent staff, so volunteers should also be trained on the data protection policies of the charity they work with.
- Modern technology makes everything easier, right?
The ability to work from numerous devices (phones, tablets etc.) has become very important for most charities. Those devices still have to comply with your charity's data protection policies if they are used to access personal or sensitive data. A work computer might be encrypted, but personal devices often are not, so your organisation should be particularly careful to monitor where this data is being sent. Data is also shared through various online cloud services. Much of the data held in cloud services is not adequately secured, and much of it is held by providers headquartered in the USA rather than in the EU, where it legally has to be kept. A UK charity should ensure that any cloud service it uses holds its data only in the EU. Wherever the data ends up, encrypting personal or sensitive data before it is shared through a cloud service, so that the provider (and anyone who compromises the provider) holds only ciphertext, limits the damage of a breach on the provider's side.
- But wait, isn’t this is all about to change?
The introduction of the European General Data Protection Regulation (GDPR) in 2016, replacing the 1995 Data Protection Directive, will mean significant changes, but organisations that already have an effective data policy will find the new regulation easier to implement. Organisations in the UK (whether or not Brexit occurs) will have until 2018 to implement the new rules. Under the regulation more data will be classified as personal data (IP addresses, URLs etc.), and the regulation formally recognises pseudonymised data (where a number or code stands in for a name, but the person can still be identified with additional information such as the lookup table or key). Unlike truly anonymised data, pseudonymised data remains personal data and is still subject to the rules.
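To make the difference between pseudonymised and anonymised data concrete, here is an added Go example (written for this post, not taken from the regulation or from ICO guidance). It pseudonymises a constructed list of donor records by replacing each name with a keyed HMAC-SHA256 token, shows that the key holder can still re-identify a donor from a candidate list (which is why the data remains personal data), and contrasts that with the common mistake of using an unkeyed hash, which anyone holding a list of plausible names can reverse. The records, names and key are all made up for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// Donor is a constructed record type for this example; the sample values
// below are made up and do not describe real people.
type Donor struct {
	Name     string
	Postcode string
	Gift     int // pounds
}

var sampleDonors = []Donor{
	{"Jane Example", "AB1 2CD", 50},
	{"Sam Sample", "EF3 4GH", 20},
	{"Jane Example", "AB1 2CD", 75}, // same person, second gift
}

// Pseudonym derives a token for a name with HMAC-SHA256 under a secret key.
// The same name always yields the same token, so records stay linkable for
// analysis, but without the key the token cannot be recomputed or reversed.
func Pseudonym(key []byte, name string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(name))
	return hex.EncodeToString(mac.Sum(nil))[:16]
}

// Pseudonymise returns a copy of the records with names replaced by tokens.
// The key must be kept apart from the output (not in the same spreadsheet or
// cloud folder); whoever holds both can re-identify everyone.
func Pseudonymise(key []byte, donors []Donor) []Donor {
	out := make([]Donor, len(donors))
	for i, d := range donors {
		out[i] = Donor{Name: Pseudonym(key, d.Name), Postcode: d.Postcode, Gift: d.Gift}
	}
	return out
}

// Reidentify recovers the name behind a token, given the key and a list of
// candidate names (the charity's own donor list). This is why pseudonymised
// data is still personal data: the link is reversible by the key holder.
func Reidentify(key []byte, token string, candidates []string) (string, bool) {
	for _, c := range candidates {
		if hmac.Equal([]byte(Pseudonym(key, c)), []byte(token)) {
			return c, true
		}
	}
	return "", false
}

// UnkeyedToken is the common mistake: sha256(name) with no secret. It looks
// just as opaque as the HMAC token, but anyone with the dataset and a list of
// plausible names (an electoral roll, a leaked mailing list) can rebuild it.
func UnkeyedToken(name string) string {
	sum := sha256.Sum256([]byte(name))
	return hex.EncodeToString(sum[:])[:16]
}

// GuessUnkeyedToken is that attack: no key needed, only candidate names.
func GuessUnkeyedToken(token string, candidates []string) (string, bool) {
	for _, c := range candidates {
		if UnkeyedToken(c) == token {
			return c, true
		}
	}
	return "", false
}

func main() {
	key := []byte("constructed-demo-key-keep-this-elsewhere") // random in real use
	ps := Pseudonymise(key, sampleDonors)
	for _, d := range ps {
		fmt.Printf("%s  %s  %d\n", d.Name, d.Postcode, d.Gift) // tokens 0 and 2 match
	}
	guesses := []string{"Alex Nobody", "Jane Example", "Sam Sample"} // constructed candidate list

	name, ok := Reidentify(key, ps[0].Name, guesses)
	fmt.Println("key holder re-identifies token 0:", name, ok)

	_, ok = Reidentify([]byte("wrong key"), ps[0].Name, guesses)
	fmt.Println("outsider without the key reverses keyed token:", ok)

	name, ok = GuessUnkeyedToken(UnkeyedToken("Jane Example"), guesses)
	fmt.Println("outsider reverses unkeyed token:", name, ok)
}
```

The practical lesson is that replacing names with numbers or hashes reduces exposure but does not take the data out of scope: whoever holds the key or the lookup table holds personal data, and an unkeyed hash of a small, guessable identifier gives almost no protection at all.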
Another important difference is that the ICO will be able to audit the private sector, not just the public sector, if it fears that data protection law is not being upheld. New rules on consent will also be introduced: consent to collecting personal data must be unambiguous, and for sensitive data it must be explicit. Silence, pre-ticked boxes or inactivity will not constitute consent. The ICO will also have to be notified within 72 hours of a charity becoming aware of a data breach. Fines for data breaches will range up to €20 million or 4% of annual global turnover, whichever is higher, though again, if a plan was in place and attempts were made to prevent the breach, the fine should be greatly reduced. So although the type of data and the way we store it have changed dramatically since 52 BC, the idea that important data should be kept out of the hands of your enemies is still the same.