Data protection for charities
10 April 2019
The General Data Protection Regulation (GDPR) is in force, making information security a key challenge for charities.
How does GDPR apply to charities?
Data protection and information security are essential practices for charities and businesses alike.
Collecting data is an integral part of operations for many charities. One of the key differences between GDPR and the Data Protection Act is the way you gain consent.
GDPR consent example
A data subject enters their business card into a prize draw at an event. Submitting their details is an affirmative act, which demonstrates consent to their personal information (contained on the card) being processed for the purposes of the competition. However, it does not mean that the data subject consents to their details being used for any other purpose such as marketing. Separate consent will be needed for each different processing operation, so data subjects must have granular options to consent separately to each purpose.
Data protection methods
Cyber attacks can cause data breaches. Though the threat of cyber attack can be minimised, it’s impossible to create an impenetrable system. There are some simple steps your charity can take to protect data:
- back-up data regularly
- update software so it includes the latest patches
- create an internet policy
- provide training for system users
- encrypt data stored on portable devices
- ensure systems have strong passwords and don’t share them.
Cyber insurance for charities
Cyber insurance is also a way to manage cyber risks presented by hackers, ransomware and other threats. It’s important first and foremost that charities defend themselves by having cyber security controls in place. However, where they are still exposed, cyber insurance can provide additional support.
Cyber insurance from Ecclesiastical can be bought in conjunction with your charity insurance or as a separate stand-alone policy. It can protect against the financial impact of a cyber attack including:
- Costs of dealing with data breaches
- Cost of legal defence from cyber liability claims
- Cost of professional IT and forensic services
- Cover for loss of income from a cyber event.
Support services and access to experts
Our cyber insurance policy offers additional services to help charity organisations manage the aftermath of an attack. Professional services such as these can be expensive to use. Our cover gives your charity access to:
- PR and crisis helplines to help manage reputational risks following an attack
- IT and forensic investigation experts to recover lost files and secure the system.
Reporting data breaches
GDPR requires data breaches that put personal data at risk to be reported to the ICO within 72 hours. There is also a requirement to notify the affected data subjects if a breach is high-risk, for example, if medical records were unavailable for a long period.
What to do if you are experiencing a cyber attack
If you experience a cyber attack, call Action Fraud for 24-hour support and immediate advice on 0300 123 2040.