A survey shows relatively few charities are prepared for new data protection regulations, highlighting several areas for improvement.
With just under a month to go until the EU’s General Data Protection Regulation coming into force, a recent survey appears to indicate that only around 1 in 20 charity organisations are prepared.
A report by the National Cyber Security Centre back in March 2018 was showing that lots of charities in particular small ones, do not realise the value of the personal, financial, commercial and other data they hold to cyber criminals.
The Cyber Threat Assessment report warned the value of data these charities hold to a broad range of cyber criminals makes them very vulnerable to attacks, typically charities do not perceive themselves as targets.
A software and services company called Advanced conducted a survey on the 25th of April 2018, 76% of more than 300 third sector organisations admitted there was still a lot of work to be done in order to achieve full compliance.
This survey by Advanced was conducted during a webinar on GDPR, it revealed 56% identified that consent was their top priority for GDPR planning and 48% of those that responded felt uncertain about the interpretation of GDPR as their biggest obstacle for progress.
At this webinar not only was there a panel of experts from Advanced, but there was also representatives from RSPB, Muslim Charity and Woodland Trust, they shared their successful journey to GDPR compliance and the challenges around management of consent and data retention, they covered areas in what they felt were the most important to their plans in order meet the deadline regulation.
Mark Dewell is the Managing Director for the commercial and third sector at Advanced, he said that the number of charities joining the GDPR webinar showed theirs a large requirement for information and advice on this subject, especially with less than a month to go before the GDPR compliance deadline.
“It is both worrying and unsurprising that only 5% feel ready for the regulatory roll-out despite the threat of significant fines and other punitive measures for failure to comply.
“Undoubtedly, the attendees are committed and focused on achieving GDPR compliance,” he said, adding that the webinar was aimed at providing guidance, top tips and best practice to help charities feel more able to meet their GDPR requirements.
As an example, The Muslim Charity has suggested getting data all in one place by undertaking a very rigorous data audit was key to enabling charities in answering questions about the data they hold.
Consent has been revealed to be the biggest GDPR concern for charities, top tips from the RSPB and Woodland Trust focused on robust and engaging communications.
RSPB’s approach to consent has consisted of a continuous and extensive programme over email and website channels to gaining relevant permissions, whilst The Woodland Trust has focused their efforts on consent message testing to identify the communications most likely to engage and drive action.
Data retention has been shown to be an important issues. The Muslin Charity says an efficient data retention policy that explains why data is being and how long for is vital, whilst RSPB links their data retention to finances so it ensures their gift aid claims stay valid and their financial audit trail is available in line with accounting standards.
“It’s obvious that GDPR remains at the top of the charity sector agenda, and although progress has been made, there is still a way to go before many are GDPR ready,” said Dewell.
“Uncertainty around consent and data retention seem to be presenting the biggest worries for the third sector, with many concerned that their potential fundraising totals will be affected,” he said.
According to the NCSC who has issued fresh cyber security guidance to small charities, due to the new EU and UK data protection laws, continuous higher levels of cyber criminality and growth in using online business practices by charities means investing in cyber security is increasingly imperative for the sector.