Our research series identifies the key risks for the charity sector so you can ensure that your risk management and control arrangements remain robust through 2021 and beyond.
Following on from the initial insight covering the top 10 most common, highest-rated risks identified through our benchmarking study, Paul Rao deep dives into the data protection and cyber security risks.
Data protection compliance (including GDPR)
The UK's adoption of the General Data Protection Regulation (GDPR) has made us all much more aware of data compliance, but how do data risks affect the charity sector? The principal data risk relates to an event or incident, such as an external data breach or an inadvertent internal error, that results in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
We often think of GDPR as something that is most relevant to private companies, but it is just as relevant to charities: voluntary sector organisations often hold substantial amounts of personal and sometimes sensitive special category data related to their donors, beneficiaries and volunteers. They also often undertake significant marketing activity.
GDPR is not just about protecting access to data, but also regulating how it is obtained, processed, transferred, and how long it is retained. It also has stipulations on the assessments and staffing that should be in place to handle data, and what to do in the event of a breach.
Data protection and wider concern over information governance are not new business concepts. Charities' awareness of data protection principles, however, has substantially increased since the GDPR was implemented in May 2018. The number of data protection regulations for fundraising that charities must adhere to is also increasing. All of these regulations are in addition to the relevant requirements within the Charities Act 2011. Charities can take practical steps to comply with all of these regulations so that their service users' data is safe and they maintain a good reputation for looking after it.
Management considerations for data protection
Data sits at the heart of most processes in modern business. Technology is enabling organisations to employ even more sophisticated ways of handling it, but transparency and accountability over data assets are critical.
To minimise data storage risks, charities need to keep meticulous records of data processing activity and an information asset register, but sound data protection principles involve more proactive measures as well.
Understand and manage data-sharing with third parties
The GDPR makes organisations accountable for all data protection breaches involving data that they are legally responsible for. Even if the data breach occurs at a partner organisation, the charity responsible for the data will be liable for sanctions. Charities need to assess new and existing third-party relationships and establish appropriate data-sharing agreements with their partners.
Develop an effective method for identifying and reporting data breaches
The GDPR’s 72-hour timescale on data breach reporting greatly increased the pace at which charities are required to respond to them. Clear breach responses, effective interaction with the regulator and minimising any 'single points of failure' in the reporting process can help a charity consistently meet this regulatory requirement.
You can optimise your control of all these management considerations by ensuring that your trustees, audit committees and executives are familiar with everything they need to know about data compliance, including the GDPR and all other relevant regulations.
Questions for trustees and audit committees
Do you fully understand the GDPR and its impact on your charity’s operations, including any complexities?
Have you received adequate GDPR training? And do you have the required level of expertise to challenge the executive on the charity’s GDPR arrangements?
Have you reviewed the GDPR risk assessment (if one has been performed), and do you know how to get assurance over compliance with the GDPR?
Do you have enough visibility and understanding of management considerations on handling breaches, and are you aware of how they have been reported to external parties, such as the ICO and Charity Commission?
Cyber security
Cyber security protects the confidentiality, integrity and availability of information systems and data. A cyber security incident is, typically, unauthorised access to an organisation's internal network by an external or internal party that compromises the confidentiality, integrity or availability of a charity's information systems and data. This issue has been embedded in charities' risk awareness for several years.
Nevertheless, our assessments typically find a range of weaknesses in the governance arrangements and technical measures in place to reduce cyber risk. The challenge with cyber security risk is that it is constantly evolving, so charities cannot afford to be complacent about their awareness of, and investment in, cyber security measures. An appropriate cyber security training and awareness programme is one of the most effective preventive controls against cyber-attacks. It should emphasise that cyber risk and assurance must be driven by the board; however, we find that board ownership is also a common area of weakness for charities.
Management considerations for cyber security
Cyber security, like data protection, requires clear and comprehensive methodologies that are rigorously implemented and monitored. It usually requires specialist software and IT protocols, but human awareness will always be critical. Do you know how you can combat the main cyber security threats?
Maintain organisational awareness of phishing and social engineering
Phishing describes a fraudulent email that bypasses an organisation’s network perimeter defences. It is a common avenue for external cyber threats to illegally obtain organisational data or inject malicious software (malware). Attackers generally target recipients' naivety, so human awareness is a strong line of preventive defence against these threats. The most effective way to combat phishing campaigns is ongoing training.
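The indicators that awareness training teaches staff to look for can also be encoded as checks, which is useful both for triaging reported emails and for building realistic training material. The following is an added example, not code from the original article: the charity's domain (ORG_DOMAIN), the sender domains and the three sample messages are all constructed, and the four checks (lookalike sender domain, redirected Reply-To, link text that names a different host from its link, and pressure wording) are simple heuristics rather than a substitute for an email security gateway.

```python
"""Scoring inbound mail against the phishing indicators awareness training teaches.

Added example, not from the original article. ORG_DOMAIN, the sample messages
and the sender domains are constructed; the checks are deliberately simple
heuristics, not a replacement for an email security gateway.
"""
import re
from email.utils import parseaddr

ORG_DOMAIN = "example-charity.org"  # assumed domain of the charity (constructed)

URGENCY_RE = re.compile(r"\b(urgent|immediately|overdue|action required|suspended)\b", re.I)
ANCHOR_RE = re.compile(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', re.I)


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings, used to spot lookalike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(header: str) -> str:
    """Domain part of an address header such as 'Finance <finance@host.example>'."""
    return parseaddr(header)[1].rpartition("@")[2].lower()


def host_of(url: str) -> str:
    """Host part of an http(s) URL, or '' if the string is not one."""
    m = re.match(r"https?://([^/:?#]+)", url.strip(), re.I)
    return m.group(1).lower() if m else ""


def text_host(text: str) -> str:
    """Host an anchor's visible text appears to point at, or '' if it is plain words."""
    t = text.strip()
    h = host_of(t)
    if h:
        return h
    return t.lower() if re.fullmatch(r"[\w.-]+\.[a-z]{2,}", t, re.I) else ""


def phishing_indicators(msg: dict) -> list:
    """Return the names of the indicators present in one message, in check order."""
    found = []
    from_dom = domain_of(msg["from"])
    reply_dom = domain_of(msg.get("reply_to") or msg["from"])

    # 1. Sender domain is a near-miss of our own (e.g. a digit swapped for a letter)
    if from_dom != ORG_DOMAIN and levenshtein(from_dom, ORG_DOMAIN) <= 2:
        found.append("lookalike-domain")
    # 2. Replies are silently redirected to a different domain
    if reply_dom != from_dom:
        found.append("reply-to-mismatch")
    # 3. Link text shows one host while the href goes somewhere else
    for href, text in ANCHOR_RE.findall(msg.get("body", "")):
        shown = text_host(text)
        if shown and shown != host_of(href):
            found.append("link-text-mismatch")
            break
    # 4. Pressure wording in the subject line
    if URGENCY_RE.search(msg.get("subject", "")):
        found.append("urgency-wording")
    return found


# Constructed samples: a legitimate internal mail, a lookalike phish, a partner mail.
SAMPLES = {
    "msg-1": {
        "from": "Payroll <payroll@example-charity.org>",
        "subject": "June payslips",
        "body": '<a href="https://hr.example-charity.org/">HR portal</a>',
    },
    "msg-2": {
        "from": "Finance Team <finance@examp1e-charity.org>",
        "reply_to": "recover@mail-drop.example",
        "subject": "URGENT: invoice overdue - action required",
        "body": 'Sign in at <a href="https://login.mail-drop.example/x">https://portal.example-charity.org</a>',
    },
    "msg-3": {
        "from": "Alex <alex@partner-trust.example>",
        "subject": "Minutes from Tuesday",
        "body": '<a href="https://partner-trust.example/docs">https://partner-trust.example/docs</a>',
    },
}


def triage(samples: dict, threshold: int = 2) -> dict:
    """Map message id -> (indicators, flagged) so a reviewer sees why a mail was held."""
    out = {}
    for mid, msg in samples.items():
        ind = phishing_indicators(msg)
        out[mid] = (ind, len(ind) >= threshold)
    return out


if __name__ == "__main__":
    for mid, (ind, flagged) in triage(SAMPLES).items():
        print(mid, "FLAG" if flagged else "ok", ind)
```

The threshold of two indicators is a design choice: a single external sender or a single urgent subject line is normal business, whereas a lookalike domain combined with a redirected Reply-To is rarely innocent. The third sample shows why an external domain on its own must not be treated as an indicator, since charities correspond with partners constantly.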
Develop a comprehensive patch management strategy
Patching infrastructure and software to address known security vulnerabilities is a key control against common cyber threats. Modern charities typically employ a diverse range of software across their operating systems and digital platforms. Management needs to consider the patching requirements of every piece of software on the IT network, as these requirements are unlikely to be uniform. Some patches, particularly for operating systems, can be applied automatically.
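One way to make "patching requirements are unlikely to be uniform" concrete is to keep a per-product patch policy beside the software inventory and report every asset that falls outside it. The following is an added example and not code from the original article: the product names, the policy register (POLICY), the inventory snapshot (INVENTORY) and the fixed reporting date (TODAY) are all constructed. It also shows a detail that trips up hand-rolled checks, namely that version strings must be compared numerically so that 6.4.10 is recognised as newer than 6.4.3.

```python
"""Patch-status check against a software inventory.

Added example, not from the original article: the inventory, policy register
and product names below are constructed to show that patching requirements
differ per product and that version strings must be compared numerically.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class PatchPolicy:
    minimum_version: str  # lowest version carrying all currently known security fixes
    max_days_behind: int  # patch window management has agreed for this product
    auto_update: bool     # vendor channel applies patches without manual action


# Constructed policy register: one entry per product, requirements are not uniform.
POLICY = {
    "os-workstation": PatchPolicy("10.0.19045", 14, True),
    "donor-crm": PatchPolicy("4.7.2", 30, False),
    "web-cms": PatchPolicy("6.4.3", 7, False),
}

# Constructed inventory snapshot; a real one would come from the asset register.
INVENTORY = [
    {"asset": "ws-01", "product": "os-workstation", "version": "10.0.19045", "last_patched": date(2021, 5, 29)},
    {"asset": "ws-02", "product": "os-workstation", "version": "10.0.19044", "last_patched": date(2021, 5, 29)},
    {"asset": "crm-01", "product": "donor-crm", "version": "4.7.2", "last_patched": date(2021, 4, 17)},
    {"asset": "cms-01", "product": "web-cms", "version": "6.4.10", "last_patched": date(2021, 5, 30)},
    {"asset": "legacy-01", "product": "old-tool", "version": "1.0", "last_patched": date(2020, 1, 1)},
]
TODAY = date(2021, 6, 1)  # fixed so the example is reproducible


def parse_version(v: str) -> tuple:
    """Turn '6.4.10' into (6, 4, 10, 0) so that 6.4.10 sorts after 6.4.3.

    A plain string comparison would rank '6.4.10' below '6.4.3'. Trailing
    non-numeric tags (e.g. '1.2.3-beta') are ignored for this comparison.
    """
    parts = []
    for piece in v.split("."):
        digits = ""
        for ch in piece:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    while len(parts) < 4:
        parts.append(0)  # pad so '1.2' equals '1.2.0'
    return tuple(parts)


def status_of(item: dict, today: date) -> str:
    """Classify one inventory entry against its product's patch policy."""
    policy = POLICY.get(item["product"])
    if policy is None:
        return "no-policy"  # software nobody has set requirements for is itself a finding
    if parse_version(item["version"]) < parse_version(policy.minimum_version):
        return "below-minimum"
    if (today - item["last_patched"]).days > policy.max_days_behind:
        return "overdue"
    return "compliant"


def assess(inventory: list, today: date) -> dict:
    """Return {asset: status} for every entry, suitable for a management report."""
    return {item["asset"]: status_of(item, today) for item in inventory}


def exceptions(inventory: list, today: date) -> list:
    """Assets that need action, i.e. anything not compliant, sorted by name."""
    return sorted(a for a, s in assess(inventory, today).items() if s != "compliant")


if __name__ == "__main__":
    for asset, status in assess(INVENTORY, TODAY).items():
        print(f"{asset:10} {status}")
```

The "no-policy" status is deliberate: an asset running software that has no agreed patching requirement is exactly the gap the paragraph warns about, so it is reported alongside out-of-date assets rather than silently skipped.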
Periodically review system-based control configurations and reporting outputs
Charities often deploy network perimeter defences, such as firewalls, intrusion prevention/detection systems and data loss prevention (DLP) solutions. They must remember that failing to maintain these solutions consistently, and failing to use the information they gather, undermines their effectiveness. Management should periodically review and test the configuration of these perimeter solutions to ensure they still provide the level of protection required. Penetration testing is a good option.
Formally review and revisit the advantages and disadvantages of outsourcing IT support
For some charities, outsourcing their IT support is the most efficient solution, but ongoing assurance on the provider's activities and alignment with their cyber security requirements is vital.
As with data protection, ensuring that trustees and audit committees are up to speed on the importance of cyber security can make managing it much easier.
Questions for trustees and audit committees
Have you reviewed the cyber security risk assessment (if one has been performed), and do you know how to get assurance over the most critical control activities to manage and mitigate the identified risks?
Have you received adequate cyber security training? And do you have the required level of expertise to challenge the executive on cyber security risk? How do you keep abreast of developments in cyber security risk?
Does the board clearly champion a good cyber security culture?
Is the board clear on its role in the event of a cyber incident? Are incident plans and protocols in place and regularly tested?
If you need to know more about particular risks to the charity sector, you can read our recent benchmarking study on the top 10 risks facing the charity sector in 2021. Future deep-dive insights will also explore the remaining risks.
For help managing these and other charity sector risk trends, contact Paul Rao.