Protecting Philanthropy – Part 3

02 November 2017

Charities and foundations, no matter their size, are the same as any other organisation when it comes to information security. And they have a key asset that needs protecting: donor information.

The Information Commissioner’s Office (ICO) announced this year that it has fined eleven charities that breached the Data Protection Act 1998 by misusing donors’ personal data. A survey by Third Sector Insight last year revealed that only 14% of respondents believed their charity was well protected, and an alarming 54% either didn’t know or said their charity was not well equipped to fend off a cyber attack.

Given that stakeholder trust is paramount for charities and foundations, it’s time that information security and cyber security are given the same level of importance as fundraising.

The target

The ICO investigation established that many charities had secretly screened millions of donors so they could target them for additional funds. Specifically, charities were found to be in breach of data protection rules by:

  • Ranking supporters based on their wealth;
  • Finding and storing data that a supporter had not provided to them directly; and
  • Indiscriminately sharing data with other charities.

Individuals often make donations with little regard to the information they are providing to a charity and how the charity may disseminate it. And why should they? Giving is noble, and attaching questions and conditions to the act undermines its nature. But if a donor is giving anonymously, wants to keep details of their wealth private, and does not want their data shared with or associated with another charity, then the ICO’s findings are troubling news.

Cyber attacks

Not only are there question marks over these charities’ data collection, sharing and marketing methods; their processes and activity have also made them susceptible to cyber-attacks. A cyber-criminal is attracted to private and confidential information like a wasp to honey.

This should be troubling news if you are a charity or a foundation. The ramifications of a data breach that compromises donor data are vast. With the enactment of the GDPR in May 2018, the ICO will be able to fine an organisation €10,000 or 2% of its global turnover, and this applies equally whether you are a non-profit organisation or a corporation.

The GDPR will also introduce mandatory notification of a data breach to the ICO (or a relevant supervisory authority) and in some cases to the individuals affected if the data breach poses a high risk to their rights and freedoms, such as a leak of their personal data from which they can be identified. A data breach can therefore be a significant blow financially and reputationally.

Best Practice

Schillings’ latest study in partnership with Campden Wealth, Private and Confidential: The Cyber Security Report, highlights that cyber security should be a board-level issue and that establishing a human firewall should be the first line of defence against a cyber-attack. Schillings’ research reveals that while 86% of respondents expressed some or full confidence in their resilience to reputational threats, they may still be exposed. In fact, 38% do not have a cyber security plan in place, highlighting a fine line between complacency and confidence.

Whether you are a donor, a charity or a foundation, due diligence on data storage, collection practices and cyber security infrastructure is vital. It is prudent to audit:

  • the personal data collected, how it is stored and managed, who has access to it, and whether consent to share data with third parties has been provided;
  • the information on the equipment and software used, the encryption methods, and arrangements with third parties to bolster cyber security if required.

A defined security policy and crisis management plan is the first step to protecting data; charities and foundations should have both in place, and donors should check that they do before making any donation.

To read part one of this Protecting Philanthropy series, click here.

To read part two of this Protecting Philanthropy series, click here.
