Following on from the initial insight covering the top 10 most common, highest-rated risks identified through our benchmarking study, Paul Rao deep dives into the data protection and cyber security risks.
The UK's adoption of the General Data Protection Regulation (GDPR) has made us all much more aware of data compliance, but how do data risks affect the charity sector? The principal data risk is an event or incident, such as an external data breach or an inadvertent internal error, that results in the accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, personal data.
We often think of GDPR as something that is most relevant to private companies, but it is just as relevant to charities: voluntary sector organisations often hold substantial amounts of personal and sometimes sensitive special category data related to their donors, beneficiaries and volunteers. They also often undertake significant marketing activity.
GDPR is not just about protecting access to data, but also regulating how it is obtained, processed, transferred, and how long it is retained. It also has stipulations on the assessments and staffing that should be in place to handle data, and what to do in the event of a breach.
Data protection and wider concern over information governance are not new business concepts. Charities' awareness of data protection principles, however, has substantially increased since the GDPR was implemented in May 2018. The number of data protection regulations for fundraising that charities must adhere to is also increasing. All of these regulations are in addition to the relevant requirements within the Charities Act 2011.
There are things charities can do to effectively comply with all of these regulations so that their service-users’ data is safe, and they maintain a good reputation for looking after it.
Data sits at the heart of most processes in modern business. Technology is enabling organisations to employ even more sophisticated ways of handling it, but transparency and accountability over data assets are critical.
To minimise data storage risks, charities need to keep meticulous records of data processing activity and an information asset register, but sound data protection principles involve more proactive measures as well.
The GDPR makes organisations accountable for data protection breaches involving data they are legally responsible for. Even if the breach occurs at a partner organisation, the charity that controls the data can still be held liable for it and may face sanctions. Charities need to assess new and existing third-party relationships, and put written data-sharing or data-processing agreements in place that set out each party's responsibilities, including how and how quickly the partner must report a breach back to the charity.
The GDPR's 72-hour timescale for reporting a personal data breach to the regulator has greatly increased the pace at which charities are required to respond. The clock runs from the moment the organisation becomes aware of the breach, not from when it started, and where the breach is likely to result in a high risk to the individuals affected they must also be told without undue delay. A clear breach response procedure, effective interaction with the regulator, and the removal of 'single points of failure' in the reporting process (for example, a single named person who is the only one able to assess and notify) help a charity consistently meet this requirement.
You can strengthen oversight of all these areas by ensuring that your trustees, audit committees and executives are familiar with what they need to know about data compliance, including the GDPR and all other relevant regulations.
Cyber security protects the confidentiality, integrity and availability of information systems and data. A cyber security incident is, typically, unauthorised access to an organisation's systems or network by an external or internal party that compromises the confidentiality, integrity or availability of a charity's information systems and data. This issue has been embedded in charities' risk awareness for several years.
Nevertheless, our assessments typically find a range of weaknesses in the governance arrangements and technical measures in place to reduce cyber risk. The challenge with cyber security risk is that it is constantly evolving, so charities cannot afford to be complacent about their awareness of it or their investment in cyber security measures. An appropriate cyber security training and awareness programme is one of the most effective preventive controls against cyber-attacks. Cyber risk and assurance must be driven by the board, and we find this is also a common area of weakness for charities.
Cyber security, like data protection, requires clear and comprehensive methodologies that are rigorously implemented and monitored. It usually requires specialist software and IT protocols, but human awareness will always be critical. Do you know how you can combat the main cyber security threats?
Phishing is the use of fraudulent email (and, increasingly, text messages and phone calls) that passes through an organisation's perimeter defences and tricks a recipient into acting: opening an attachment, following a link, entering credentials or approving a payment. It is a common route by which external attackers obtain organisational data or introduce malicious software (malware). Because the attack relies on the recipient's response, human awareness is a strong line of preventive defence, and ongoing training is the most effective way to reduce the rate at which staff act on phishing messages. Training should be paired with technical controls that limit the damage when someone does act: email authentication (SPF, DKIM and DMARC) on the charity's own domains, filtering of links and attachments, and multi-factor authentication so that a stolen password alone is not enough.
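The header-level checks below illustrate the kind of technical control that complements awareness training. This is an added example and not code from the original article or its author: it parses a constructed sample message, reads the spf/dkim/dmarc verdicts from the `Authentication-Results` header, and flags display-name spoofing, a mismatched `Reply-To` domain and a lookalike sender domain. The trusted domain list, the confusable-character table and both sample messages are assumptions made for the example.

```python
"""Added example (not from the original article): header-level phishing
indicators for an inbound message, to run alongside user awareness training."""
import email
import re
from email.utils import parseaddr

# Domains the organisation genuinely sends from (assumed for the example).
TRUSTED_DOMAINS = {"examplecharity.org.uk"}

# Character sequences commonly swapped in lookalike domains.
CONFUSABLES = {"rn": "m", "vv": "w", "0": "o", "1": "l", "3": "e", "5": "s"}

# Constructed sample: claims to be the finance team, fails authentication,
# and routes replies to a third-party mailbox.
SUSPICIOUS_EMAIL = b"""From: "Finance Team <finance@examplecharity.org.uk>" <alerts@exarnplecharity.com>
Reply-To: payments@mail-relay.example.net
To: staff@examplecharity.org.uk
Subject: Urgent: update supplier bank details
Authentication-Results: mx.examplecharity.org.uk; spf=fail smtp.mailfrom=exarnplecharity.com; dkim=none; dmarc=fail header.from=exarnplecharity.com
Content-Type: text/plain

Please update the bank details today.
"""

# Constructed sample: a legitimate internal message for comparison.
CLEAN_EMAIL = b"""From: "HR" <hr@examplecharity.org.uk>
To: staff@examplecharity.org.uk
Subject: Holiday booking reminder
Authentication-Results: mx.examplecharity.org.uk; spf=pass smtp.mailfrom=examplecharity.org.uk; dkim=pass header.d=examplecharity.org.uk; dmarc=pass header.from=examplecharity.org.uk
Content-Type: text/plain

Please book leave by Friday.
"""


def normalise(label: str) -> str:
    """Fold confusable sequences so 'exarnple' compares equal to 'example'."""
    label = label.lower()
    for bad, good in CONFUSABLES.items():
        label = label.replace(bad, good)
    return label


def domain_of(address: str) -> str:
    return address.rpartition("@")[2].lower()


def is_lookalike(domain: str) -> bool:
    """True if the domain is untrusted but its organisation label mimics a trusted one."""
    if domain in TRUSTED_DOMAINS:
        return False
    label = normalise(domain.split(".")[0])
    return any(label == normalise(t.split(".")[0]) for t in TRUSTED_DOMAINS)


def auth_results(msg) -> dict:
    """Extract spf/dkim/dmarc verdicts from the Authentication-Results header."""
    header = msg.get("Authentication-Results", "")
    return {m.group(1).lower(): m.group(2).lower()
            for m in re.finditer(r"\b(spf|dkim|dmarc)=(\w+)", header, re.I)}


def analyse(raw: bytes) -> list[str]:
    """Return a list of indicator codes found in the raw message; empty means none."""
    msg = email.message_from_bytes(raw)
    findings = []
    display, from_addr = parseaddr(msg.get("From", ""))
    from_domain = domain_of(from_addr)

    verdicts = auth_results(msg)
    if verdicts.get("dmarc") != "pass":
        findings.append("dmarc-not-pass")
    if verdicts.get("spf") == "fail":
        findings.append("spf-fail")

    # A display name that embeds an address from a different domain.
    embedded = re.search(r"[\w.+-]+@[\w.-]+", display)
    if embedded and domain_of(embedded.group(0)) != from_domain:
        findings.append("display-name-spoof")

    # Replies silently redirected to another domain.
    reply_to = parseaddr(msg.get("Reply-To", ""))[1]
    if reply_to and domain_of(reply_to) != from_domain:
        findings.append("reply-to-mismatch")

    if is_lookalike(from_domain):
        findings.append("lookalike-domain")
    return findings


if __name__ == "__main__":
    print(analyse(SUSPICIOUS_EMAIL))
    print(analyse(CLEAN_EMAIL))
```

None of these checks is conclusive on its own (a forwarded message can legitimately fail SPF, for example), which is why a mail gateway normally scores them together and why the human check remains necessary.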
Patching infrastructure and software to address known security vulnerabilities is a key control against common cyber threats. Modern charities typically run a diverse range of software across their operating systems and digital platforms, so management needs an inventory of what is deployed and must consider the patching requirements of each component, as these are unlikely to be uniform. Patches for internet-facing systems and for vulnerabilities known to be exploited should be prioritised. Some patches, particularly for operating systems, can be applied automatically, but the charity should still verify that they were actually installed rather than assume it.
Charities often deploy network perimeter defences, such as firewalls, intrusion prevention/detection systems and data loss prevention (DLP) solutions. Failure to maintain these solutions consistently, and to use the information they gather, undermines their effectiveness. Management should periodically review and test the configuration of perimeter solutions to confirm they still provide the level of protection required: for example, checking firewall rule sets for over-broad rules, administrative services exposed to the internet, and rules that an earlier rule makes redundant, and confirming that alerts and logs are actually collected and reviewed. Penetration testing complements this configuration review by testing the deployed controls from an attacker's perspective.
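The review described above can be partly automated. The following is an added example, not code from the original article or its author, that checks a constructed firewall rule set for three common findings: an allow-anything rule, administrative ports reachable from the whole internet, and rules shadowed by an earlier rule that matches the same traffic (so the later rule, often a deny, never takes effect). The rule format, the list of administrative ports and the sample rules are assumptions made for the example.

```python
"""Added example (not from the original article): a configuration review of a
constructed perimeter firewall rule set."""
from dataclasses import dataclass
import ipaddress

# Ports for remote administration and database access that should not be
# reachable from the internet (assumed list for the example).
ADMIN_PORTS = {22, 445, 1433, 3306, 3389, 5900}
ANY_NET = ipaddress.ip_network("0.0.0.0/0")
ANY_PORTS = (0, 65535)


@dataclass(frozen=True)
class Rule:
    name: str
    action: str             # "allow" or "deny"
    proto: str              # "tcp", "udp" or "any"
    src: str                # CIDR
    dst: str                # CIDR
    ports: tuple[int, int]  # inclusive destination port range


def net(cidr: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(cidr, strict=False)


def covers(outer: Rule, inner: Rule) -> bool:
    """True if every packet matched by `inner` is also matched by `outer`."""
    return (
        (outer.proto == "any" or outer.proto == inner.proto)
        and net(inner.src).subnet_of(net(outer.src))
        and net(inner.dst).subnet_of(net(outer.dst))
        and outer.ports[0] <= inner.ports[0]
        and inner.ports[1] <= outer.ports[1]
    )


def review(rules: list[Rule]) -> list[tuple[str, str]]:
    """Return (rule name, finding) pairs, in rule order. Rules are evaluated
    first-match, so a rule fully covered by an earlier one never fires."""
    findings = []
    for i, rule in enumerate(rules):
        if rule.action == "allow":
            if net(rule.src) == ANY_NET and net(rule.dst) == ANY_NET and rule.ports == ANY_PORTS:
                findings.append((rule.name, "allow-any-any"))
            if net(rule.src) == ANY_NET and rule.proto in ("tcp", "any"):
                exposed = sorted(p for p in ADMIN_PORTS if rule.ports[0] <= p <= rule.ports[1])
                if exposed:
                    findings.append((rule.name, f"admin-port-from-internet:{exposed}"))
        for earlier in rules[:i]:
            if covers(earlier, rule):
                findings.append((rule.name, f"shadowed-by:{earlier.name}"))
                break
    return findings


# Constructed sample rule set with the mistakes a review should catch.
SAMPLE_RULES = [
    Rule("allow-web", "allow", "tcp", "0.0.0.0/0", "203.0.113.10/32", (443, 443)),
    Rule("allow-rdp-temp", "allow", "tcp", "0.0.0.0/0", "203.0.113.20/32", (3389, 3389)),
    Rule("deny-rdp-internet", "deny", "tcp", "0.0.0.0/0", "203.0.113.20/32", (3389, 3389)),
    Rule("allow-all-legacy", "allow", "any", "0.0.0.0/0", "0.0.0.0/0", ANY_PORTS),
    Rule("allow-vpn", "allow", "udp", "198.51.100.0/24", "203.0.113.30/32", (1194, 1194)),
]

if __name__ == "__main__":
    for name, finding in review(SAMPLE_RULES):
        print(f"{name}: {finding}")
```

In the sample, the "temporary" RDP rule both exposes an administrative port and shadows the deny that was meant to close it, and the legacy allow-all rule makes the VPN rule redundant; these are exactly the findings a periodic review or a penetration test would be expected to surface.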
For some charities, outsourcing IT support is the most efficient solution, but ongoing assurance over the provider's activities and their alignment with the charity's cyber security requirements is vital. The contract should set out the controls expected of the provider and give the charity the right to see evidence, such as patching and incident reports, that those controls are operating.
As with data protection, ensuring that trustees and audit committees are up to speed on the importance of cyber security can make managing it much easier.
If you need to know more about particular risks to the charity sector, you can read our recent benchmarking study on the top 10 risks facing the charity sector in 2021. Future deep-dive insights will also explore the remaining risks.
For help managing these and other charity sector risk trends, contact Paul Rao.