Information Security

Avoid these 6 Data Protection Mistakes Charities Always Make

As a charity or nonprofit, you’re making the world a better place. You’re also now the guardian of a vast amount of data. Specifically, personal data on volunteers, supporters, staff, and the people you help. How you look after that data is just as important as how you use it.

Before we get into the challenges of data protection for charities, we want to answer one big question:

Does GDPR still apply after Brexit?

Yes. The Data Protection Act 2018, amended by the 2021 UK General Data Protection Regulation (UK GDPR), contains near-identical requirements to the EU version of GDPR.

The UK General Data Protection Regulation (UK GDPR) sets legal guidelines for the way organisations, including charities and nonprofits, use, process, and store personal data.

GDPR is still a reality for charities of all sizes and statuses in the UK. But don’t worry, today we’re covering everything you need to know on data protection:

  • What is data protection for charities?
  • Common GDPR challenges for nonprofits and charities
  • GDPR checklist: What to do next

What is data protection for charities?

Data protection is everything you do to secure how you gather, process, transfer, store, and maintain data. Regulations such as the UK GDPR set out the requirements for doing so.

GDPR applies to all charities and non-profits and everything they do. No one is exempt. Whether it’s fundraising or internal emails, data protection applies everywhere personal data exists.

Data protection also isn’t a ‘tech issue’. Everyone in your organisation is responsible. The Charity Commission treats protecting people from data breaches under GDPR as a duty of charity trustees.

To comply with data protection, your charity must follow and apply seven principles to all of your data processes:

  1. Lawfulness, fairness and transparency: You must obtain, process and store data as the law sets out, and do so in a way others can verify.
  2. Purpose limitation: You must have a clear reason, or purpose, for processing someone’s data.
  3. Data minimisation: You must only hold necessary data relevant to your purpose from principle number two.
  4. Accuracy: You must ensure all of your data is up to date and won’t mislead anyone.
  5. Storage limitation: You must not keep or store data longer than needed. You will also need a reason for storing data for that timeframe. 
  6. Integrity and confidentiality (security): You must have carefully planned and implemented security measures to protect your organisation and data.
  7. Accountability: You must take full responsibility for the data you process and the consequences of your actions.

Seven principles? Seems simple enough.

So what are the challenges in keeping up with the principles of data protection?

6 Common GDPR challenges for charities:

1. Processing and storing data in everyday operations

Challenge: Keeping GDPR standards across all of the operations your charity needs to run.

Unfortunately, it’s common for internal operations to cause charity GDPR breaches.

For example, the transgender charity Mermaids was fined £25,000 over their internal email group. They accidentally made 780 pages of confidential emails publicly searchable online for three years, including 550 people’s names and email addresses.

HIV Scotland made a bcc error when sending an email and revealed the email addresses and names of over 100 people. As a result, they were fined £10,000 in 2020 by the Information Commissioner’s Office (ICO).

Solution: Conduct a security review every time you update or add new software or processes to your organisation. Train everyone who touches data in your organisation on data compliance, especially volunteers who collect or manage data.
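The bcc mistake in the HIV Scotland case is one a bulk-mail tool can catch before anything leaves the building: if several outside addresses sit in To or Cc, every recipient sees everyone else’s name and address. The check below is an added example, not code from this article or from either charity. It assumes the charity’s own domain is example-charity.org and a policy that at most one outside recipient may be visible in To/Cc; the sample mailing is constructed.

```python
"""Pre-send check for supporter mailings (added example).

Refuses a message whose To/Cc would expose several outside recipients to each
other, and rewrites it so those recipients are moved to Bcc.  The domain and
threshold below are assumptions for the example."""
from email.message import EmailMessage
from email.utils import getaddresses

OWN_DOMAIN = "example-charity.org"  # assumption: the charity's own mail domain
MAX_VISIBLE_EXTERNAL = 1            # assumption: bulk mail must go out via Bcc


def _addresses(msg: EmailMessage, *headers: str) -> list[str]:
    """All bare addresses found in the named headers, lower-cased."""
    raw = []
    for header in headers:
        raw.extend(str(v) for v in msg.get_all(header, []))
    return [addr.lower() for _, addr in getaddresses(raw) if addr]


def _is_internal(addr: str) -> bool:
    return addr.endswith("@" + OWN_DOMAIN)


def visible_external_recipients(msg: EmailMessage) -> list[str]:
    """Outside addresses that every recipient would be able to see."""
    return [a for a in _addresses(msg, "To", "Cc") if not _is_internal(a)]


def check_message(msg: EmailMessage) -> tuple[bool, str]:
    """Return (ok, reason); ok is False when the mailing would leak addresses."""
    external = visible_external_recipients(msg)
    if len(external) > MAX_VISIBLE_EXTERNAL:
        return False, (f"{len(external)} outside recipients are visible in "
                       "To/Cc; move them to Bcc before sending")
    return True, "ok"


def to_bcc(msg: EmailMessage) -> EmailMessage:
    """Rewrite the mailing: address it to the sender, keep internal Cc,
    and put every outside recipient (plus any existing Bcc) in Bcc."""
    internal = [a for a in _addresses(msg, "To", "Cc") if _is_internal(a)]
    hidden = visible_external_recipients(msg) + _addresses(msg, "Bcc")
    for header in ("To", "Cc", "Bcc"):
        del msg[header]
    msg["To"] = str(msg["From"])
    if internal:
        msg["Cc"] = ", ".join(internal)
    msg["Bcc"] = ", ".join(dict.fromkeys(hidden))  # de-duplicate, keep order
    return msg


def build_sample_mailing() -> EmailMessage:
    """Constructed example of the mistake: a supporter list pasted into To."""
    msg = EmailMessage()
    msg["From"] = "newsletter@example-charity.org"
    msg["To"] = "ann@example.net, ben@example.org, cat@example.com"
    msg["Cc"] = "comms@example-charity.org"
    msg["Subject"] = "Thank you for supporting us"
    msg.set_content("Hello supporters, here is what your donations did this month.")
    return msg


if __name__ == "__main__":
    mailing = build_sample_mailing()
    print(check_message(mailing))      # (False, '3 outside recipients ...')
    print(check_message(to_bcc(mailing)))  # (True, 'ok')
```

Wire `check_message` in front of whatever actually sends (a mail merge script, a helpdesk integration) so a failed check blocks the send rather than merely logging it; the rewrite in `to_bcc` is the safe default when the tool is allowed to fix the message itself.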

2. Assigning lawful basis to your charity contact database

Challenge: Understanding and assigning the correct lawful basis to each contact.

The six lawful bases of GDPR are the only reasons you are allowed to process someone’s data. You must assign a lawful basis to every contact you have.

What are the lawful bases of GDPR for charities?

  1. Freely given consent: E.g. A donor consents to email updates on how you’re using their donation.
  2. Performance of a contract: E.g. A supplier’s data to complete a contracted action.
  3. Legal obligation: E.g. A payee’s data so you can inform them you have taken payment.
  4. Vital interests: E.g. A patient’s data is held by a medical professional.
  5. Public task: E.g. A public body completing a statutory function. (Public tasks usually only apply to government or councils)
  6. Legitimate interests: E.g. A person you believe has a legitimate reason to be interested in the emails you are sending.

Solution: Create a single point of truth for your identifiable data. In your single point of truth database, make legal basis a compulsory field when you create a new contact.

3. Protecting your data from hackers

Challenge: Protecting your data from malicious individuals and teams.

Your data may be processed appropriately and have a legal basis, but is it safe? Hackers access your data by targeting your website, databases, staff, and volunteers.

There are three places to think about for cyber security: 

  • Software security: Anti-hacking software such as a firewall, anti-malware and anti-virus software.
  • Human security: General awareness and processes for people in your organisation, such as anti-phishing skills and strong passwords.
  • Physical security: Secure spaces for your computers and no USB drives.

Solution: Install high-quality security software and invest in training for your employees and volunteers. Ensure you lock down software permissions and stop your staff from using USB drives, as they are easy to steal.

4. Sharing data with third-party software suppliers

Challenge: Protecting your data when you need to trust and work with third parties.

Third-party software is essential to running a charity. Building a bespoke CRM, fundraising hubs, payment processors, and email software would cost millions. But handing your data over to third-party vendors means you give up some control over its security for the sake of efficiency.

In 2021, Blackbaud, a software supplier for charities, was hacked. The hackers stole sensitive data such as bank account information and users’ passwords. Major charities, including The National Trust, were among the 116 organisations using the software whose customers may have been compromised by the hack.

Solution: Only work with cyber security accredited software. Ask suppliers whether they encrypt your data when they store it. And as a final measure, share the minimum amount of essential information with each partner.

5. Designing ethical data collection for children

Challenge: Gaining consent from children for marketing and fundraising.

Lots of schools and families love to help charities and fundraise. But we can’t always assume children understand they are giving consent when they hand over their data.

Confusing legal language and poor user experiences (UX) cause children to provide data they don’t want to share. Unclear experiences at physical fundraising events or online can cause adults with permanent or temporary disabilities to mistakenly share their data, too.

Solution: Use the age-appropriate design code from the ICO to create simple and transparent data collection techniques. Go a step further by avoiding collecting data from children that you don’t need.

6. Responding to individual rights requests

Challenge: Accessing and responding to requests for individuals’ data.

GDPR gives the public eight new rights over their data: 

  1. The right to be informed on how you are collecting and using their data
  2. The right to access the data you have on them
  3. The right to have their data corrected or completed if incomplete
  4. The right to erase their data and be forgotten by a company
  5. The right to restrict how you process their data and what you can do with it
  6. The right to data portability, meaning individuals can take their data and use it for other purposes
  7. The right to object to direct marketing, even if they consented
  8. The rights to all of the above concerning automated decision making and profiling

Most of these rights only apply in certain circumstances.

For example, someone might request to have their data erased but still want to keep donating to your cause. It’s worthwhile reaching out to confirm they understand they won’t be contributing anymore. In that case, they may withdraw the request.

Solution: Have a single source of truth for your data so it’s easy to reference, update, and delete records. Also, give someone in your charity or nonprofit the responsibility and time to complete every request within 30 days.
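Challenges 2 and 6 share one fix: a single contact store where lawful basis is a compulsory, validated field, and where access and erasure requests are answered from the same records with their 30-day deadline tracked. The SQLite sketch below is an added example, not code from this article or from any charity product; the table names, the six basis labels, the request kinds and the sample contact are all this example’s own assumptions.

```python
"""Single source of truth for supporter contacts (added example).

The database itself refuses a contact without one of the six lawful bases,
and the same store answers access and erasure requests and reports which
requests are past the 30-day deadline.  Schema and labels are assumptions."""
import sqlite3
from datetime import date, timedelta

# Shorthand labels for the six lawful bases (this example's own naming).
LAWFUL_BASES = ("consent", "contract", "legal_obligation",
                "vital_interests", "public_task", "legitimate_interests")
REQUEST_KINDS = ("access", "rectification", "erasure",
                 "restriction", "portability", "objection")
REQUEST_DEADLINE_DAYS = 30  # the article's 30-day window for every request

SCHEMA = f"""
CREATE TABLE contacts (
    id           INTEGER PRIMARY KEY,
    name         TEXT NOT NULL,
    email        TEXT NOT NULL UNIQUE,
    -- compulsory field: must be one of the six bases, enforced by the DB
    lawful_basis TEXT NOT NULL CHECK (lawful_basis IN {LAWFUL_BASES}),
    purpose      TEXT NOT NULL
);
-- The request log survives erasure as the accountability record, so it
-- deliberately carries no foreign key to contacts.
CREATE TABLE rights_requests (
    id         INTEGER PRIMARY KEY,
    contact_id INTEGER NOT NULL,
    kind       TEXT NOT NULL CHECK (kind IN {REQUEST_KINDS}),
    received   TEXT NOT NULL,   -- ISO dates: string order == date order
    due        TEXT NOT NULL,
    completed  TEXT
);
"""


class ComplianceError(ValueError):
    """A record would break a data protection rule (missing/unknown basis)."""


def open_store() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")  # in-memory for the example
    conn.executescript(SCHEMA)
    return conn


def add_contact(conn, name, email, lawful_basis, purpose) -> int:
    """Insert a contact; the CHECK/NOT NULL constraints reject a bad basis."""
    try:
        cur = conn.execute(
            "INSERT INTO contacts (name, email, lawful_basis, purpose) "
            "VALUES (?, ?, ?, ?)", (name, email, lawful_basis, purpose))
    except sqlite3.IntegrityError as exc:
        raise ComplianceError(f"contact rejected: {exc}") from exc
    conn.commit()
    return cur.lastrowid


def log_request(conn, contact_id, kind, received) -> tuple[int, str]:
    """Record a rights request; returns (request id, ISO due date)."""
    due = (date.fromisoformat(received)
           + timedelta(days=REQUEST_DEADLINE_DAYS)).isoformat()
    try:
        cur = conn.execute(
            "INSERT INTO rights_requests (contact_id, kind, received, due) "
            "VALUES (?, ?, ?, ?)", (contact_id, kind, received, due))
    except sqlite3.IntegrityError as exc:
        raise ComplianceError(f"request rejected: {exc}") from exc
    conn.commit()
    return cur.lastrowid, due


def access_request(conn, contact_id):
    """Right of access: everything held on the person, or None if nothing."""
    row = conn.execute("SELECT name, email, lawful_basis, purpose "
                       "FROM contacts WHERE id = ?", (contact_id,)).fetchone()
    if row is None:
        return None
    reqs = conn.execute("SELECT kind, received, due, completed FROM rights_requests "
                        "WHERE contact_id = ? ORDER BY id", (contact_id,)).fetchall()
    keys = ("kind", "received", "due", "completed")
    return {"name": row[0], "email": row[1], "lawful_basis": row[2],
            "purpose": row[3], "requests": [dict(zip(keys, r)) for r in reqs]}


def erase_contact(conn, contact_id, request_id, completed) -> int:
    """Right to erasure: delete the record and close the request."""
    deleted = conn.execute("DELETE FROM contacts WHERE id = ?", (contact_id,)).rowcount
    conn.execute("UPDATE rights_requests SET completed = ? WHERE id = ?",
                 (completed, request_id))
    conn.commit()
    return deleted


def overdue_requests(conn, today) -> list:
    """Open requests whose due date is already behind `today` (ISO string)."""
    return conn.execute("SELECT id, contact_id, kind, due FROM rights_requests "
                        "WHERE completed IS NULL AND due < ?", (today,)).fetchall()


if __name__ == "__main__":
    db = open_store()
    cid = add_contact(db, "Ann Example", "ann@example.net", "consent",
                      "email updates on how donations are used")  # constructed
    rid, due = log_request(db, cid, "erasure", "2024-03-01")
    print("due by", due, "overdue on 5 April:", overdue_requests(db, "2024-04-05"))
    erase_contact(db, cid, rid, "2024-03-10")
    print("after erasure:", access_request(db, cid))
```

Putting the rule in the schema rather than in a form means every route into the store (import scripts, integrations, a volunteer’s spreadsheet upload) hits the same check, which is what makes it a single source of truth rather than just a single table.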

Data protection checklist: What to do next?

Assign an internal GDPR advocate

If you leave data protection to be managed by everyone, it will be managed by no one. Assign an internal GDPR advocate who is responsible for raising the topic of data security at meetings.

They don’t need to be a GDPR expert, but ideally, they’ll be a willing data protection cheerleader. You can hire an external data protection manager to work with your GDPR advocate and deliver GDPR improvements.

Be prepared to respond to a breach within 72 hours

When you have a data breach, the ICO gives you 72 hours to identify, report, and take reasonable steps to resolve the violation. Map out a breach process and put a cyber security team on speed dial so you’re ready for anything.

Map your data processes

Assess your current situation by physically mapping how data comes into your organisation, is processed, and stored. Ensure you include how you pass data between software and storage points. With your processes mapped, you can begin a gap analysis where you look for problems and weak points in your data processing and security.

Begin fixing problems

Create an action plan! A great place to start is specialist GDPR training for charities and their volunteers and fundraisers.