Governance

Tag Archives

Government Details Plans to Align Data Laws with GDPR

The UK government has outlined more details of its Data Protection Bill, which it said will update existing law to make it fit for the digital age.

The UK Data Protection Bill is the result of a commitment to align data protection laws in the UK with the European Union’s (EU’s) General Data Protection Regulation (GDPR).

People in the UK will have greater control over their personal data and will be able to ask social media channels to delete information they posted in their childhood. There will also be a right to be forgotten. Crucially for charities, reliance on default opt-out or pre-selected ‘tick boxes’, which are largely ignored, as a way of obtaining consent to collect personal data will also become a thing of the past. This is prompting many charities to adopt ‘opt-in only’ policies.

The Bill is a complete data protection system, so as well as governing general data covered by GDPR, it covers all other general data, law enforcement data and national security data. Furthermore, the Bill exercises a number of agreed modifications to the GDPR to make it work for the benefit of the UK in various areas.

This includes making scientific and historical research organisations such as museums and universities exempt from certain obligations which would impair their core functions.

Matt Hancock, Minister of State for Digital, said: “We are strengthening Britain’s data rules to make them fit for the digital age in which we live and that means giving people more control over their own data.

“There are circumstances where the processing of data is vital for our economy, our democracy and to protect us against illegality. Today, as we publish the Data Protection Bill, I am offering assurances to both the public and private sector that we are protecting this important work.”

Source: Charity Digital News


GDPR: An Explanation of Data Retention And Why It Is Important for Charities

After outlining what GDPR means for charities in the first of a series of posts, Andrew Cross, Data and Insights Lead at Lightful, delves specifically into data retention and subject access requests, how rules around these will alter under GDPR, and how best to prepare for it.

Data Retention is defined by the ICO as: “Data kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organisational measures required by the GDPR in order to safeguard the rights and freedoms of individuals”.

In plain English, data retention means that if data is no longer in use or required to be kept for a specific purpose then you should either delete it altogether, or anonymise all parts of the information that would give away the identity of the individual. By dealing with data in this way you are adhering to the organisational and technical safeguards stipulated by the GDPR.

What does this mean for my charity?
Non-profits are usually in possession of personal data that they gained when they were founded (which could be many years ago) and most of this pertains to historical donations or engagements with the organisation. However, if the supporter has not interacted with the charity within a reasonable time frame, then we can assume their information is probably not needed for analysis purposes and it should therefore be discarded or altered as explained above.

Unfortunately, most organisations lack clear retention policies, and their CRM systems often do not have the functionality to perform these deletions or anonymisations adequately through the front end or administrative areas. Technical workarounds are an option, but they require either skilled staff in-house or expensive consultants.
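As an added illustration of the retention step described above (example code, not Lightful's or Charity Digital News's), the following pass walks a small constructed CRM extract and strips the identifying fields from supporters whose last interaction is older than an assumed retention period, while keeping non-identifying totals for aggregate analysis. The field names, the two-year threshold and the reference date are assumptions.

```python
"""Retention pass over a constructed supporter extract (added example).

Supporters who have not interacted within the retention period have their
identifying fields removed; aggregate figures stay so that historical
reporting still works. The pass is idempotent: already anonymised rows are
left untouched, so it can be scheduled to run repeatedly.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Supporter:
    supporter_id: int
    name: Optional[str]
    email: Optional[str]
    postcode: Optional[str]
    last_interaction: Optional[date]
    total_donated: float      # non-identifying, kept for analysis
    anonymised: bool = False


def anonymise(s: Supporter) -> Supporter:
    """Remove the fields that identify the individual; keep the totals."""
    return replace(s, name=None, email=None, postcode=None,
                   last_interaction=None, anonymised=True)


def is_stale(s: Supporter, today: date, retention_days: int) -> bool:
    """True when the supporter's last interaction is outside the period
    (a record with no interaction date at all is treated as stale)."""
    if s.last_interaction is None:
        return True
    return today - s.last_interaction > timedelta(days=retention_days)


def apply_retention(records: List[Supporter], today: date,
                    retention_days: int) -> Tuple[List[Supporter], int]:
    """Return the processed records and the number newly anonymised."""
    out, changed = [], 0
    for s in records:
        if not s.anonymised and is_stale(s, today, retention_days):
            out.append(anonymise(s))
            changed += 1
        else:
            out.append(s)
    return out, changed


# Constructed sample extract: not real supporters. Assumed reference date
# is the GDPR enforcement date; assumed retention period is two years.
TODAY = date(2018, 5, 25)
RETENTION_DAYS = 730
SAMPLE = [
    Supporter(1, "A. Donor", "a@example.org", "AB1 2CD", date(2018, 4, 1), 120.0),
    Supporter(2, "B. Donor", "b@example.org", "EF3 4GH", date(2012, 9, 30), 45.0),
    Supporter(3, None, None, None, None, 300.0, anonymised=True),
    Supporter(4, "C. Donor", "c@example.org", "IJ5 6KL", None, 10.0),
]

if __name__ == "__main__":
    processed, n = apply_retention(SAMPLE, TODAY, RETENTION_DAYS)
    print(f"anonymised {n} record(s)")
    for s in processed:
        print(s)
```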

Source: Charity Digital News


Charity Sector Entering ‘Wild West as UK Hits Peak GDPR Frenzy’

Charitable organisations and the not-for-profit sector must take greater care when choosing General Data Protection Regulation (GDPR) compliance partners, ensuring that the right balance of legal and technical delivery skillsets is in place. This is according to ST2 Technology, which suggests that a failure to do so will inevitably lead to significant compliance failures after the new regulations take hold.

GDPR means significant changes that will affect this sector, despite organisations’ funding constraints and relatively small size. However, as charities hold some of the most sensitive and personal data in the UK, this will not go unnoticed by the Information Commissioner’s Office (ICO).

Re-prioritise spend
Richard Hannah, Head of Consulting at ST2 Technology, suggests that charities and not-for-profit organisations will now need to re-prioritise their spend. Although these organisations may be tempted to believe that their charitable status means they will not be liable for fines, they will, despite all their good work, be expected to maintain the integrity of their data.

He explains: “Radical changes to how charitable and Not for Profit organisations manage their information will be required if they are to be compliant when GDPR comes into force. This is creating a sense of urgency as organisations try to get to grips with their data, how it is handled, where it is stored and who has access to it. However, as a result there has been a rush from consultancies to fill the market void, leading to untested and potentially incorrect approaches to ensuring compliance. We can expect a lot of teething problems and some significant compliance failures coming to light over 2018/19.”

Non-specialists
Richard continues: “Unfortunately, there has been a sharp rise in assessment kits and non-specialist consultants offering advice to organisations on how they can ready themselves, despite not necessarily having the relevant and appropriate experience. With GDPR offering citizens compensation when a breach occurs, the regulation could spawn ‘PPI’ type agencies to pursue claims against local authorities.

“For many consultancies, customers looking for partners to help them become compliant with GDPR is the equivalent of a new gold rush – however, less speed and more haste should be the mantra as we all work with the new data landscape now coming into view.

“GDPR is not just about company records, data and processes, it is also about the law as it affects an organisation’s funding arrangements, membership management, manual and computer record keeping and its ability to transform the way it works, to both deliver its mandate and maintain compliance – doing nothing really is not an option and many of this sector’s issues are systemic.”

Source: Charity Digital News


GDPR, Charities and The Views of Donors

An interesting blog asking whether charities are giving enough consideration to how the public feel about the incoming changes from GDPR has been published by nfpSynergy.

The blog, written by Jo Fischl, head of public audiences research at the think tank, argues that while a number of reports have been released on the legal ramifications for charities, alongside conferences and events aiming to support charities to be GDPR ready, relatively little has been questioned about how the public might feel about this incoming change to how their data is treated.

Based on the latest findings from its quarterly Charity Awareness Monitor, the organisation says that, of donors surveyed:
• 47% said they’d opt in to hear from the charity about what they did with the money donated
• 16% opted in to be asked to donate to future appeals
• just 5% said they’d be willing to have their data shared with carefully chosen charities

“There’s no getting away from the fact that GDPR is going to have a significant impact for charities,” wrote Fischl. “With donors reluctant to opt in to contact, we’re likely to see charities’ databases shrink and, as a consequence, incomes fall.”

Fischl went on to outline what charities should be keeping in mind, to give them the best chance of navigating these challenges, namely:

• Those donors who do choose to opt in are very likely to be your most committed advocates. You have the opportunity to build better, more personal relationships with these donors – alongside considering ways to diversify income streams as methods reliant on personal data are diminished by opt-in.
• Develop a culture of transparency with the public – many people currently approach their relationship with charities with suspicion and unease – if we are going to encourage the public to actively agree to communications from the charities they support, we need to be active ourselves in creating a cultural shift in this mindset.
• Be creative in your opt-in ask – now is the time to stand out if you want your supporters to opt in. You are competing against a myriad of other charities (as well as businesses), so your creatives and messages need to shine to help you meet your retention goals.

nfpSynergy’s report, GDPR – The Change That Charity Donors Want, will be fully released in September.

Source: Charity Digital News


Charities Must ‘Better Plan to Mitigate Cyber Risks’

It’s no surprise that cybersecurity is a priority for most charity-technology leaders today but does the wider charity workforce understand the need to invest in it?

With more digital threats today than ever, it’s important that charities put plans in place to mitigate potential risks and address any skills shortfalls, regardless of perception.

Although it can take significant time for an organisation to improve its capacity to respond to cybersecurity challenges, existing resources can help – for example the Government’s Cyber Essentials Scheme. There is no charity-specific standard for cybersecurity; charities are expected to use the same, well-established, risk-based approach to cybersecurity management that other organisations use.

Common Vulnerability Trends
When thinking about establishing digital security, the first step is to familiarise yourself with the most common threats today, two of which are ransomware and data breaches.

• Ransomware attacks in recent years have begun using fear to compromise organisations, pressuring the victim or organisation to hand over money to stop the attacker from stealing or destroying vital data. Although these attacks could be described as reasonably “low tech”, few organisations have plans to deal with these situations if they do occur, or know how to protect their systems from such a hijack in the first place.
• Data breaches, for example the massive breach reported by Yahoo in 2013, have underscored the critical need to actively protect information technology systems against cyberattacks and theft of sensitive information. In the charity sector, such information can vary from details of fun run volunteers to highly sensitive information on human rights investigations.

Tackling Organisational Awareness
One of the most significant challenges that data protection law poses to charities is around broader organisational awareness of how data is managed. For instance, how many databases do you have containing donors’ personal information? Where is this stored? Do your volunteers or employees ever share sensitive data on USB sticks?

Source: Charity Digital News


What Is GDPR and How Will It Affect My Charity?

In the first of a series looking at GDPR and what it means for charities, Andrew Cross, Data and Insights Lead at Lightful, one of the only GDPR Certified Practitioners in the beyond profit sector, explores the basics of the new regulations.

If you’ve not heard of the General Data Protection Regulation (GDPR), which comes into force on 25 May 2018, then where have you been hiding? OK, so maybe you’ve heard of it but not actually done anything about it yet. Don’t worry, it isn’t too late to read up and start on the road to compliance.

GDPR replaces the Data Protection Act 1998 (DPA). It aims to standardise the way Personally Identifiable Information (PII) is handled by Data Controllers (i.e. organisations that collect personal data) and Data Processors (i.e. third parties you share data with), whether they are established within the EU or operate outside the EU while processing data on EU nationals. If you are processing personal data within the UK, we advise that you register with the ICO as soon as possible.

Ultimately it gives control and ownership of data back to the individual. In terms of compliance, this is what you should be adhering to now; however, it is not enforced until 25 May 2018.

Data controllers vs processors
Let’s take Charity A as an example. This charity will generally be considered a Data Controller, collecting the data of supporters in order to engage and communicate with them in a variety of ways. One of these ways may be to send out direct mail via a fulfilment house (which would take on the role of a Data Processor). The vast majority of charities will fit into the Data Controller category and will be ‘processing’ some data even if that means just ‘storing’ the information. And it isn’t just supporter data; it also applies to staff data, service user data, trustee data etc.

I hate to break it to you but…
GDPR doesn’t just affect the charity sector. It affects every organisation, no matter your size or whether or not you have a ‘data person’, so decide now who is going to lead on GDPR compliance in your organisation. And if you fall foul of the law, you will face consequences, which could include a fine from the ICO, enforcement notices, audits and even possible prosecution. Read more about the action the ICO could take.

Source: Charity Digital News


Keeping Your Charity’s Finances in Check

Trustees have a legal duty to look after their charity’s money and other assets. They need to understand and keep track of their charity’s income and spending to spot any issues as early as possible to prevent them from affecting the charity’s success.

Here are some key tips from the Charity Commission’s wide ranging guidance on financial issues.

Charities should:
• be able to recognise at an early stage when the charity is no longer viable and plan for what will happen to beneficiaries, staff and assets
• develop a policy on reserves which establishes a level of reserves that is right for the charity and clearly explains to its stakeholders why holding these reserves is necessary
• recruit trustees with time and the right skills and experience to understand their finances and plan strategically for the future
• hold regular trustee meetings to keep track of income and spending
• put internal financial controls in place to make sure all spending is properly authorised
• review sources of income – are there any new opportunities?
• regularly review planned and proposed expenditure – can they do anything better or stop doing something altogether?
• regularly review their risk and risk management policy


Safer Giving For Charities

When fundraising it’s important to familiarise yourself with fundraising best practice to safeguard donations and charity integrity:

1. If you give fundraisers official charity material such as identity badges, tabards and tins, make sure you collect everything back as soon as possible and check that nothing is missing or has been tampered with.

2. Ensure that people who fundraise for you by conducting street or house to house collections have a licence to do so.

3. Consider providing your volunteers with a basic information pack on what they must do and not do when collecting on your behalf.

4. If your charity doesn’t use cash or street collections, let your supporters know this and make it clear on your website.

5. If you suspect collectors are collecting fraudulently in your name, contact the police and Action Fraud.


Less Than A Third Of Charities Aware Of New Cheque Clearing System

Just under a third of charities (30%) know about the introduction of cheque imaging, which will go live with some banks and building societies from 30 October 2017.

This is an increase from 23% last year. Awareness of the new system amongst consumers (15%) is at a similar level to last year, as is business awareness at 20%.

The roll-out of cheque imaging will be complete in the second half of 2018, when all of the UK’s banks and building societies will clear all cheques via the image-based system to the faster timescale. The precise date as to when this will happen will be announced by the industry in due course. Until then, two clearing systems will operate in parallel, which means that some cheques that customers write or pay-in will be cleared more quickly via the image system, and some will clear to the existing, six weekday timescale through the current, paper-based system. Banks and building societies will be advising their customers of their individual roll-out plans as appropriate.

James Radford, Chief Executive Officer of the Cheque and Credit Clearing Company, said: “Although the findings from our research indicate that awareness levels of cheque imaging are highest amongst businesses and charities, it is important that all organisations such as these – that write or receive cheques – speak to their bank or building society if they want to find out more. They can then adapt their processing systems accordingly, prior to the phased roll-out of the new system, which begins on 30 October 2017.”

The new system will mean that if a customer pays in a cheque on a weekday they will be able to withdraw the funds by 23.59 on the next weekday (excluding bank holidays) at the latest, with many banks and building societies likely to allow access to the funds earlier than this.

Introduction of the new process will also mean that when a cheque is paid in, not only will the recipient receive the money in their account more quickly; the money will leave the account of the person or business that wrote the cheque to the faster timescale too.

Customers will still write cheques as they do today and give or post them to recipients in exactly the same way as they always have. Cheque recipients will still be able to pay in cheques in the normal variety of ways, such as at a bank or building society, by post or at an ATM. This continuation of regular customer practice is particularly important for charities, 29% of whom say they receive half or more of their donation income by cheque.

Source: Charity Digital News


Bored and Distracted Employees Are Biggest Security Risk, Poll Reveals

Employees who become distracted at work are more likely to be the cause of human error and a potential security risk, according to a poll conducted by Centrify – prompting charities to consider how automating processes or varying job roles could avoid potentially damaging data breaches.

While more than a third (35%) of survey respondents cite distraction and boredom as the main cause of human error, other causes include heavy workloads (19%), excessive policies and compliance regulations (5%), social media (5%) and password sharing (4%). Poor management is also highlighted by 11% of security professionals, while 8% believe human error is caused by not recognising data security responsibilities at work.

According to the survey, which examines how human error might lead to data security risks, over half (57%) believe organisations will eventually trust technology enough to replace employees as a way of avoiding human error in the workplace.

Despite the potential risks of human error at work, however, nearly three-quarters (74%) of respondents feel that it is the responsibility of the employee, rather than technology, to ensure that their organisation avoids a potential data breach.

“It’s interesting that the majority of security professionals we surveyed are confident that organisations will trust technology enough to replace people so that fewer mistakes are made at work, yet on the other hand firmly put the responsibility for data security in the hands of employees rather than technology,” commented Andy Heather, VP and Managing Director, Centrify EMEA.

“It seems that we as employees are both responsible and responsible – so responsible for making mistakes and responsible for avoiding a potential data breach. It shows just how aware we need to be at work about what we do and how we behave when it comes to our work practices in general and our security practices in particular.”

Source: Charity Digital News

