Data protection for charities

10 April 2019

The General Data Protection Regulation (GDPR) is in force, making information security a key challenge for charities.


How does GDPR apply to charities?

Data protection and information security are essential practices for charities and businesses alike. 

Though many of GDPR’s main concepts and principles are much the same as those in the previous Data Protection Act (DPA), charities should have checked that their existing processes are robust enough to comply with the new legislation.

Collecting data

Collecting data is an integral part of operations for many charities. One of the key differences between GDPR and the Data Protection Act is the standard for obtaining consent.

The Information Commissioner’s Office (ICO), following the GDPR’s own definition, stipulates that consent must be “freely given, specific, informed and [an] unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.”

Consent can be used to build marketing lists, but the purpose of the consent must be clearly stated. Consent must also be kept separate from all other terms and conditions, so requiring data subjects to sign up to a mailing list in order to, for example, enter a competition would not be valid consent. The scenario below is from RWA Business Consultancy and gives an example of how GDPR applies to consent.

GDPR consent example

A data subject enters their business card into a prize draw at an event. Submitting their details is an affirmative act, which demonstrates consent to the personal information on the card being processed for the purposes of the competition. However, it does not mean that the data subject consents to their details being used for any other purpose, such as marketing. Separate consent is needed for each distinct purpose, so data subjects must be given granular options to opt in to each purpose separately.

Data protection methods

Cyber attacks can cause data breaches. The risk of a successful attack can be reduced, but it is impossible to create an impenetrable system, so plan for recovery as well as prevention. There are some simple steps your charity can take to protect data:

  • back up data regularly, and test that the backups can actually be restored
  • update software so it includes the latest security patches
  • create an internet and acceptable-use policy
  • provide training for system users
  • encrypt data stored on portable devices such as laptops and USB drives
  • ensure systems have strong, unique passwords, and don’t share them.

Remember to protect data that is stored offline too. A spring clean of your paper files might identify data your charity no longer needs. Read more in our charity cyber guide.

Cyber insurance for charities

Cyber insurance is also a way to manage the cyber risks posed by hackers, ransomware and other threats. It’s important first and foremost that charities defend themselves by having cyber security controls in place. However, where they are still exposed, cyber insurance can provide additional support.

Cyber insurance from Ecclesiastical can be bought in conjunction with your charity insurance or as a separate stand-alone policy. It can protect against the financial impact of a cyber attack including:

  • Costs of dealing with data breaches
  • Cost of legal defence from cyber liability claims
  • Cost of professional IT and forensic services
  • Cover for loss of income from a cyber event.

Legal fines and penalties issued to charities are not usually covered by insurance policies. However, legal defence and compensation awarded to third parties can be.

Support services and access to experts

Our cyber insurance policy offers additional services to help charity organisations manage the aftermath of an attack. Professional services such as these can be expensive to use. Our cover gives your charity access to:

  • PR and crisis helplines to help manage reputational risks following an attack
  • IT and forensic investigation experts to recover lost files and secure the system.

If you have your charity insurance with us, you will find that some consequences of a cyber attack are already covered. A cyber-specific insurance policy will be more comprehensive and give extra support to help your charity recover.

For cover information and terms and conditions please see our summary of cover, and always discuss your requirements with your broker.

Reporting data breaches

GDPR requires personal data breaches to be reported to the ICO without undue delay and, where feasible, within 72 hours of the charity becoming aware of the breach, unless the breach is unlikely to result in a risk to individuals. The clock runs from the moment of awareness, so record that time as soon as an incident is discovered. There is also a requirement to notify the affected data subjects without undue delay where a breach is likely to result in a high risk to them, for example if medical records were unavailable for a long period.

What to do if you are experiencing a cyber attack

If you experience a cyber attack, call Action Fraud for 24-hour support and immediate advice on 0300 123 2040.