Data Protection for charities: What you need to know

Earlier this year, American cloud computing company, Blackbaud, became a victim of a large-scale cyber attack. Hackers breached the firm’s security before copying sensitive data relating to their clients – most of which were organisations in the not-for-profit sector. The scenario ended with Blackbaud paying the cyber criminals an undisclosed amount to erase the data that they had stolen, a classic ‘ransom-to-delete’ strategy. 

Although it appears that no client data was released in the end, Blackbaud’s reputation was undoubtedly damaged. And such attacks are becoming more common, especially on charities. According to the government’s Cyber Security Breaches Survey 2020, 26% of charities have reported breaches or cyber attacks in the previous 12 months, with the percentage rising to 57% for larger, higher income non-profit organisations. 

With the third sector notoriously lacking in tech skills, it’s incredibly important that charities take their data protection measures seriously. In this post, we outline what charities (big and small) need to consider when safeguarding sensitive information, and how to get in-line with the latest regulation. 

GDPR for charities 

The regulation that addresses how data should be handled by charities (or any organisation) is the General Data Protection Regulation (GDPR) law, which was implemented in 2018. Although this is EU regulation, it’s expected to be incorporated into UK data protection law at the end of the Brexit transition period. 

GDPR is intended to give individuals control over their private data and is based on seven principles:

• Lawfulness, Fairness, and Transparency – All organisations must be transparent with individuals about how they’re collecting data. There must be a legitimate, clear reason for collecting data – the regulation establishes six reasons, known as the ‘lawful bases’. 
• Purpose Limitation – Personal data can only be used for clearly specified uses. Data cannot be used for any reason that’s not specified to individuals. 
• Integrity and Confidentiality – Organisations are responsible for the security of individuals’ personal data. Security measures need to protect against unlawful processing, accidental loss, or destruction/damage. 
• Data Minimisation – Organisations should aim to collect as little data as possible, retaining only what is strictly necessary for their operations. All data collected and stored should be adequate, relevant, and limited to a specific purpose. 
• Storage Limitation – Organisations should not store the personal data of individuals longer than is necessary. Periodic reviews should be undertaken to identify and delete data that’s redundant. 
• Data Accuracy – Organisations should take every step necessary to ensure that the personal data of individuals is accurate, and should not hesitate to delete or rectify it if inaccurate. 
• Accountability – Organisations are responsible for complying with GDPR, and must be able to clearly demonstrate their adherence to current regulations. 

Data protection tips for charities 

Although GDRP can seem daunting at first (especially for smaller charities without a data protection officer), it’s easier to comply with than you might imagine. For a start, it’s likely that you’ve already been adhering to most of its rules and regulations; many of the principles are similar to the UK’s 1998 Data Protection Act (DPA). 

If, however, all things cyber security are new to you, read on for our simple steps on how to get your charity GDPR-compliant: 

• Get consent – Give people a clear choice of what data they are giving you, and provide an easy way for them to withdraw their consent. Be transparent and concise – it’ll go a long way to improving trust in charities. 
• Communicate purpose – Let individuals know why you’re collecting data. Whether it’s for operational or marketing needs, be entirely open about how your organisation will use their data. 
• Limit data collection – Data is valuable to charities for a variety of reasons, but only if it is relevant and high-quality. If you need data for your charity’s operations, keep it as streamlined as possible. 
• Keep data secure – Access to personal data should be limited to those who have a legitimate purpose for it. Password-protect data-sets and documents with sensitive information. 
• Document records – All steps taken to comply with GDPR should be kept on record and updated regularly. In the event of a breach, these records will demonstrate that your data protection policies and procedures are in line with current regulation. 

Useful resources 

• ICO self-assessment – If you haven’t already thought about your data policies, this tool from the ICO will help to clarify your current situation and what you need to do to meet regulatory standards. 
• Charity Finance Group – General Data Protection Regulation  – This guide has been designed for trustees, charity finance officers, and data protection officers. It provides an in-depth explanation of the impacts of data protection for fundraising, and how charities can ensure full compliance. 
• ICO – GDPR FAQs for charities – If you have a specific question in mind, this page from the ICO will likely have the answer. It covers everything from how to obtain data collection consent to how to structure a data privacy notice. 

GoodBox understands the importance of data. Our contactless donation terminals help charities to boost their fundraising revenue whilst providing a wealth of relevant information. When viewed in our user-friendly portal, the data collected by our terminals helps to shape future fundraising campaigns. If you’re interested in finding out more, sign up to become a GoodBox member for free, and gain access to our data insight white papers and exclusive hardware offers.