Protecting Philanthropy – Part 3
02 November 2017
Charities and foundations, no matter their size, are the same as any other organisation when it comes to information security. And they have a key asset that needs protecting: donor information.
The Information Commissioner’s Office (ICO) announced this year that it has fined eleven charities that breached the Data Protection Act 1998 by misusing donors’ personal data. A survey by Third Sector Insight last year revealed that only 14% of respondents believed their charity was well protected, and an alarming 54% either didn’t know or said their charity was not well equipped to fend off a cyber attack.
Given that stakeholder trust is paramount for charities and foundations, it’s time that information security and cyber security were given the same level of importance as fundraising.
The ICO investigation established that many charities had secretly screened millions of donors so they could target them for additional funds. Specifically, charities were found to be in breach of data protection rules by:
- Ranking supporters based on their wealth;
- Finding and storing data that a supporter had not provided to them directly; and
- Indiscriminately sharing data with other charities.
Individuals often make donations with little regard to the information they are providing to a charity and how that charity may disseminate it. And why should they? Giving is noble, and to attach questions and conditions to the act undermines its nature. But if a donor is giving anonymously, wants to keep details of their wealth private and does not want their data shared with and/or associated with another charity, then the ICO’s findings are troubling news.
Not only are there question marks over these charities’ data collection, sharing and marketing methods; their processes and activity have also made them susceptible to cyber-attacks. A cyber-criminal is attracted to private and confidential information like a wasp to honey.
This should be troubling news if you are a charity or a foundation. The ramifications of a data breach and compromised donor data are vast. With the enactment of the GDPR in May 2018, the ICO will be able to fine an organisation €10,000 or 2% of its global turnover, and this applies equally whether you are a non-profit organisation or a corporation.
The GDPR will also introduce mandatory notification of a data breach to the ICO (or a relevant supervisory authority) and in some cases to the individuals affected if the data breach poses a high risk to their rights and freedoms, such as a leak of their personal data from which they can be identified. A data breach can therefore be a significant blow financially and reputationally.
Schillings’ latest study in partnership with Campden Wealth, Private and Confidential: The Cyber Security Report, highlights that cyber security should be a board-level issue and that establishing a human firewall should be the first line of defence against a cyber-attack. Schillings’ research reveals that while 86% of respondents expressed some or full confidence in their resilience to reputational threats, they may still be exposed. In fact, 38% do not have a cyber security plan in place, highlighting a fine line between complacency and confidence.
Whether you are a donor, a charity or a foundation, due diligence on data storage, collection practices and cyber security infrastructure is vital. It is prudent to audit:
- the personal data collected, how it is stored and managed, who has access to it, and whether consent to share it with third parties has been obtained;
- the equipment and software in use, the encryption methods applied, and any arrangements with third parties to bolster cyber security where required.
A defined security policy and crisis management plan is the first step to protecting data; charities and foundations should have these in place, and donors should check that they do before making any donation.
To read part one of this Protecting Philanthropy series, click here.
To read part two of this Protecting Philanthropy series, click here.