A survey carried out by specialist charity insurer, Ecclesiastical, revealed that while awareness of the new data protection regulation is almost universal among charities with a turnover over £1.5m – only 4% are unaware of the forthcoming changes – that figure stands at an alarming 36% for charities with a turnover of less than £500,000. A quarter (24%) of mid-size charities are unaware of GDPR.
The low level of awareness of GDPR by charities was also recently highlighted in a Cyber Security Breaches survey by the Department for Digital, Culture, Media and Sport (DCMS).
Among wide ranging changes to data protection legislation that cover how personal data is processed, the GDPR introduces a duty on all organisations to report certain data breaches. When enforcement of the GDPR starts on 25 May, not only could charities face major fines for data breaches, they will be required to notify the Information Commissioners Office (ICO) within 72 hours following a breach that puts personal data at risk. They will also need to notify individuals, including potentially donors and service users, if there is a high-risk breach.
Worrying lack of awareness
David Britton, charity director at Ecclesiastical Insurance, said: “The lack of awareness about GDPR by smaller charities is worrying because it is precisely these organisations who are the least likely to be able to deal with the fall-out of a data breach; from paying the potential fine to resourcing the legal notification of those whose data has been breached and recovering from the long-term reputational damage.
“The charities I have spoken to that are aware of GDPR are taking steps to prepare but many are unsure where to focus first and what essential information they need to inform trustees about. There’s also low awareness of some of the specifics, such as the new data breach notification requirements.”
In Ecclesiastical’s survey, a third of smaller charities admitted they have very little or no knowledge about the impact GDPR will have on their charity (compared to 5% of mid-sized and 4% of large charities), and 47% of all charities feel they still need to know more about how the new regulation will impact on them.
Larger and mid-sized charities are much more confident they will ready to comply when GDPR becomes law in May – 92% and 97% respectively, compared to 80% of smaller charities.
Although many of the GDPR’s main concepts and principles are aligned to the current Data Protection Act (DPA), charities should not automatically assume their current processes are robust enough to comply with the new legislation.
To read the full Charity Digital News article click here.