Pursuing effective data governance
Like many organisations, charities are becoming increasingly reliant on IT to better store, manage and secure their data. However, as a result of this, many are falling victim to the relentless cyberwarfare every organisation is subjected to.
The ICO (Information Commissioner’s Office) – in its Annual Report and Financial Statements 2017-2018 – says: “We continue to take decisive action on nuisance calls and the misuse of personal data, an area of particular aggravation for people.”
In 2017, the ICO fined eleven charities for misusing donors’ personal data and breaching GDPR, demonstrating that no organisation is exempt from GDPR’s jurisdiction, no matter how noble its cause. A list of the fines to charities and voluntary organisations can be found on the ICO’s website.
ICO investigations discovered: “…many charities had secretly screened millions of donors so they could target them for additional funds. Some charities traced and targeted new or lapsed donors by piecing together personal information obtained from other sources. And some traded personal details with other charities creating a large pool of donor data for sale.”
Charities’ care of data
There is a real concern around charities’ information governance because the nature of how the sector operates calls for copious quantities of personal information to be held – much of which is highly sensitive and therefore at high risk of cyberattack.
Since GDPR came into force in the UK in May 2018, all organisations have had to consider how they handle their personal information and the people, processes and technologies involved.
For charities – many of which hold a significant amount of personal data from donors, volunteers, trustees, team and, in some cases, patients – full compliance and effective data management can be daunting.
Achieving this effective data management is not only essential for charities to mitigate the risk of cyberattacks but also to fully understand the needs of your users, the service you provide and the impact of what you do. Ultimately better information governance is a key enabler in helping you achieve your charity’s vision.
Multi-dimensional governance
GDPR introduced the need for public organisations which carry out particular processing activities to appoint a data protection officer (DPO).
Your charity’s DPO must have a degree of independence from the purposes for which you collect data, but they may be either in-house or outsourced. Your DPO must also be an expert in data protection.
Information governance can be extremely complex so it’s important to take time to consider whether you might benefit from external support.
Alongside GDPR compliance, some charities – such as hospices – are also legally obliged to demonstrate compliance with the NHS Information Governance Toolkit with regard to information governance.
Many charities also seek compliance with the government’s Cyber Essentials programme – a critical list of precautions that act as a foundation on which to build your cyber resilience. Embracing this standard helps charities demonstrate their commitment to ensuring the safety of individuals’ personal information.
But for many charities, fears surrounding information governance stretch beyond the legal requirement. Because they hold such large quantities of data, charities often fear the risk of hacking – or even worse – attacks of the nature where data is held to ransom in exchange for Bitcoin payments.
Good IT compliance benefits
Data security isn’t just about ensuring compliance for legal reasons. As well as reducing the risk from cyberwarfare, GDPR compliance presents charities with the opportunity to demonstrate best practice – building and safeguarding their reputation.
Prior to the implementation of GDPR, it was often reported that charities were using unethical methods to achieve fundraising targets – including selling on personal data to scamming companies and making it difficult for donors to prevent further communications.
For charities, reputation is everything – it determines how you operate, or indeed, if you operate. Evidence of data breaches or cyberattacks could lead donors to put their money elsewhere – where their information may be better handled and protected.
Building reputation in this way can lead to greater support going forward.
GDPR compliance and best practice data handling will also streamline your processes and systems meaning that your charity can operate with greater efficiency. You will only hold data that truly adds value to your cause. This will enable you to place your focus and energies into achieving your charity’s vision more effectively.
How others gained compliance
EXAMPLE – UTILISING SUPPORT FOR COMPLIANCE. A charity involved in the provision of training to young people to get them into employment needed to demonstrate to its government client that it met the minimum standards for cyber security in order to safeguard the information it was entrusted with. The charity had some knowledge of the Cyber Essentials certification but no internal expertise to help achieve it.
The charity had a scoping session with an adviser to discuss the requirements of the charity and how Cyber Essentials could be achieved without compromising its ability to operate. Some technical changes were recommended to its IT environment and working with the charity's IT supplier, a secure and compliant environment was configured.
The charity achieved Cyber Essentials and Cyber Essentials Plus, meeting the requirements of its contract and raising its own security posture.
MITIGATING REPUTATIONAL RISK WITH INFORMATION GOVERNANCE COMPLIANCE. A hospice was concerned about how it could best handle its data to ensure best practice compliance with GDPR and the NHS toolkit. It knew it needed to mitigate the risk of cyberattack and reputational damage so an independent GDPR review was completed initially. This highlighted any gaps in compliance from which an improvement plan was developed and a penetration test identified potential vulnerabilities.
To counter these gaps and vulnerabilities, an external, virtual DPO service was appointed to provide GDPR expertise and a regular monthly compliance audit to focus priorities.
In addition to this, the hospice achieved Cyber Essentials certification demonstrating to all its stakeholders its commitment to good cyber security.
As a result, the hospice leadership team has gained peace of mind to focus more efficiently on its primary vision. It is also continually working to perfect its systems to remain one step ahead of cyber attackers.
Mitigate the risks
The National Cyber Security Centre (NCSC) provides a cyber security guide for small charities which details how charities can best improve their cyber security quickly, easily and at low cost. The ICO also provides frequently asked questions and answers for charities surrounding GDPR.
Top tips for improving your charity’s information governance
- Identify:
  A. The personal information you hold.
  B. What value it has and how it serves your charity.
  C. Whether you really need it.
- Ensure you’re aware of:
  A. Where your data is held.
  B. Who has access to it at any one time.
- Regularly test your systems to ensure they’re as secure as they can be in order to safeguard your data effectively.
- Regularly test your ability to detect, mitigate and recover from a data breach - don’t wait for a real breach to happen. Be prepared.
- Embed best practice information governance into your charity’s culture - minimising reputational risk and securing your charity’s future.
Leading best practice
Having the right policies, processes, procedures, checks and balances in place is important but they’re not failsafe.
Your culture will also govern how secure your data is. Articulating a clear “code of conduct” which states how everything is done in your charity will tighten what each member of your team does with data, especially in those moments which call for judgment. In turn, best practice cyber security and information governance will embed your procedures into your culture.
Leaders in charities need to ensure everyone – team, volunteers, donors and all other stakeholders – involved in their cause, understands when and how the new “rules” should be applied to prevent falling into the cyber security trap.