Ian Singer: Data protection – are you protected?

28 Feb 2017 Expert insight

How confident are you that your charity’s data is safe from hackers or carelessness on the part of your users? What are the penalties for getting it wrong? How can you minimise the risk of data loss? PKF Littlejohn’s Ian Singer examines the evidence.

Charities rely heavily on personal data relating to beneficiaries, donors and other stakeholders. But many organisations face serious challenges regarding the capture, processing and securing of this information.

What are the penalties for getting it wrong?

Both the risks and the likely penalties for suffering a data loss are increasing. The Information Commissioner’s Office stated recently that organisations need to rethink their approach to data protection and is backing up this warning with decisive action. In total, 36 organisations were collectively fined £2 million in 2016, up from nine fines totalling £668,500 two years earlier. And don’t think that these large penalties are levied only on corporates: as part of 'Operation Cinnabar', the ICO’s inquiry into charity fundraising practices, 11 charities were issued with notices of intent to fine earlier this month. You have been warned!

The difficulty for most charities is that they typically have limited financial resources and relevant expertise, and the focus is almost certainly on fundraising and the provision of services. But none of that will count as mitigating factors if you suffer a data breach or use personal information inappropriately.

How are the rules changing?

All personal data held by any organisation for any purpose is governed by the Data Protection Act 1998 (DPA) and the Privacy and Electronic Communications (EC Directive) Regulations 2003 (PECR). However, there is a new EU Directive, the General Data Protection Regulation (GDPR), which is due to come into force on 25 May 2018. The GDPR increases the size of the fines that can be levied in the event of a data breach or non-compliance with the Directive to as much as 4 per cent of the annual worldwide turnover of an organisation or €20 million (whichever is the greater). This is enough to put most charities out of business.

What can you do?

There are a number of steps you can take to minimise the risk of your charity suffering a data loss or using information inappropriately:

  • Security and confidentiality of data must be at the heart of your IT decision-making, not just an afterthought
  • Ensure you have explicit consent for storing and using any personal information for the specific process you wish to use it for
  • Encrypt confidential data. The ICO has said categorically that it will not accept any excuse for a data breach if the data were not encrypted, regardless of any other measures in place
  • Make sure you know what data you’re capturing, where it is stored and how it is protected. Take particular care before entering into agreements with third parties for data storage and processing, such as specialist emailing services or outsourced data centres. Remember that you are responsible for your data at all times, regardless of where it is located or who is processing it
  • Ensure you have well-defined policies and procedures that are communicated regularly to all relevant personnel regarding both the security and use of personal information
  • Commit to an independent review of your measures and policies on at least an annual basis to identify issues and gaps
  • As a general rule, don’t do anything with data unless you are certain that it is appropriate and secure to do so.

Ian Singer is an IT Assurance Partner at PKF Littlejohn and has many years' experience providing advice to charities on data security.

Civil Society Media would like to thank PKF Littlejohn for its support with this article.
