News and insights from our Charity team
Charity data breaches and electronic communications
- Author: Julia Seary
During the last 12 months there have been around 150 data breaches reported to the ICO regulator; to put this in perspective, that equates to a 100% increase in just two years.
Like it or not, all charities must comply with the GDPR; there are minimal carve-outs for the not-for-profit sector. With GDPR now in full operation, it is therefore important to be aware of the duty of care charities owe in relation to their donors’ data and to put steps in place to stop breaches happening wherever possible.
In June 2018 we saw GDPR in action for the first time as the British and Foreign Bible Society were fined £100,000 when they were struck by a ransomware attack. The ICO found that the trustees had not taken sufficient care regarding their cyber security responsibilities and had left themselves something of an open target, which could have been prevented. As a result, 400,000 donors’ personal data was compromised and the charity has consequently faced financial and reputational damage.
How can charities avoid a data breach?
Firstly, the phrase ‘prevention is better than the cure’ is one that should be remembered when considering how best to protect your data and avoid any nasty surprises. It is important to be as transparent as possible with your supporters and inform them of how their data will be used and stored, whilst providing them with the option of a quick and easy opt-out should they change their mind about hearing from you. The key is to have in place a simple and easy-to-read Privacy Notice available for review.
Also ensure that all your software is kept up to date and your firewalls are secure, so that, should a breach occur, you can provide evidence to demonstrate that you took all necessary precautions.
Managing Subject Access Requests within the law
If you receive a subject access request you are legally obliged to respond within one month of receiving it. As an organisation, you should make it as simple as possible for an individual to submit a request, and you should categorise data in a way that makes it straightforward to provide the individual with all relevant information your organisation holds on them.
If you have taken the steps to organise your data sufficiently and responsibly, this won’t be an issue.
A few extra points to note when processing a subject access request are:
- Blank out all exempt/irrelevant information where necessary
- Verify the identity of the individual
- Do not disclose anything that could be classed as confidential e.g. legal advice
For further information on subject access requests, The University of Edinburgh has written a very useful article for practitioners which you can read here.
Contacting individuals lawfully by electronic means
Remember that because supporters and donors are not usually ‘purchasing’ products or services from a charity, charities can rarely rely on the ‘soft opt-in’ right to make contact or follow up with individuals electronically (i.e. email, SMS or text). Therefore, even if the individual that you would like to contact by electronic means is considered to be an active supporter of your charity, sending a simple newsletter is something that could require consent because it could fall into the category of being ‘direct marketing’.
Should you need any further clarity on how to avoid data breaches, update privacy notices, policies or advice on GDPR or electronic marketing in general, please feel free to contact me directly via email: email@example.com