Research reveals GDPR could leave charities at risk
More than a third of smaller charities do not know that the General Data Protection Regulation (GDPR) will be enforced from May 2018, leaving them potentially exposed in the event of a data breach.
A survey carried out by specialist charity insurer, Ecclesiastical, revealed that while awareness of the new data protection regulation is almost universal among charities with a turnover over £1.5m – only 4% are unaware of the forthcoming changes – that figure stands at an alarming 36% for charities with a turnover of less than £500,000. A quarter (24%) of mid-size charities are unaware of GDPR.
The low level of awareness of GDPR by charities was also recently highlighted in a Cyber Security Breaches survey by the Department for Digital, Culture, Media and Sport (DCMS).
Among wide-ranging changes to data protection legislation that cover how personal data is processed, the GDPR introduces a duty on all organisations to report certain data breaches. When enforcement of the GDPR starts on 25 May, not only could charities face major fines for data breaches, they will be required to notify the Information Commissioner's Office (ICO) within 72 hours following a breach that puts personal data at risk. They will also need to notify individuals, including potentially donors and service users, if there is a high-risk breach.
Worrying lack of awareness
David Britton, charity director at Ecclesiastical Insurance, said: “The lack of awareness about GDPR by smaller charities is worrying because it is precisely these organisations who are the least likely to be able to deal with the fall-out of a data breach; from paying the potential fine to resourcing the legal notification of those whose data has been breached and recovering from the long-term reputational damage.
“The charities I have spoken to that are aware of GDPR are taking steps to prepare but many are unsure where to focus first and what essential information they need to inform trustees about. There’s also low awareness of some of the specifics, such as the new data breach notification requirements.”
In Ecclesiastical’s survey, a third of smaller charities admitted they have very little or no knowledge about the impact GDPR will have on their charity (compared to 5% of mid-sized and 4% of large charities), and 47% of all charities feel they still need to know more about how the new regulation will impact on them.
Larger and mid-sized charities are much more confident they will be ready to comply when GDPR becomes law in May – 92% and 97% respectively, compared to 80% of smaller charities.
Although many of the GDPR’s main concepts and principles are aligned to the current Data Protection Act (DPA), charities should not automatically assume their current processes are robust enough to comply with the new legislation.
Britton added: “It is great news that so many charities of all sizes are now embracing digital, but this new regulation coupled with the increasing threat from cyber-attacks makes it even more important to stay informed and do everything possible to manage and mitigate the risks.
“We still don’t have the complete picture of what the ramifications of the GDPR will be, but the sooner charities can start to get to grips with the new regulation, the sooner they can understand the best way to deal with how it may affect their organisation.
“This is especially important when thinking about how to deal with data breaches. Consider a scenario where all of a charity’s sensitive personal data has been compromised by a ransomware attack and the records are encrypted with no backups available to restore the data. The cost of notifying all parties of data breaches can be £100 to £130 per record, which adds up pretty quickly! And as the data hasn’t been backed up and contact records can’t be restored, this could be a complex, lengthy and costly process.”
The cost of a data breach can stretch beyond financial losses too. A breach can cause major damage to an organisation’s reputation and even force services to stop temporarily.
While good governance is the most important factor in managing this risk, it’s also vital to engage staff and volunteers with the relevant experience and skills, to provide training and to ask for support from partners who can offer digital skills and advice. Charities should also factor managing the fall-out of a cyber-attack into business continuity planning and it is worth considering cyber insurance.