Many charities have made a good start towards GDPR compliance, but there are more reasons than ever for taking a positive approach rather than undertaking all the hard work around information security simply out of fear.
Many might argue that fear alone is a good enough reason to get on top of data management and data protection. Word has it that the Information Commissioner’s Office (ICO) viewed the first 12 months after the introduction of the General Data Protection Regulation (GDPR) as a kind of transition period. As such, to date they seem to have taken a softly-softly approach towards compliance. But now that we are moving into the second year, that could all be about to change.
Peter McCann is managing director at DataWise Intelligence
The ICO oversees GDPR compliance and is also responsible for issuing penalties to organisations which fail to meet the stricter standards around data management and security. The ‘core principles’ behind this standard are:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Storage limitation
- Integrity and confidentiality (security)
Recent high-profile occurrences of data breaches suggest that the consequences of GDPR non-compliance and/or loss of personal information should not be taken lightly by offenders.
The perils of poor GDPR compliance
1. Fines – For technical/organisational failures, the penalty can be as high as £10m or 2% of turnover. For ‘core principles’ failures, it can be anything up to £20m or 4% of turnover.
A fine can be triggered by ignoring an ICO instruction or order after a failure or breach has been identified.
How large the financial penalty imposed will be depends on whether the breach includes ‘special category’ sensitive data, the volume of records affected, the degree of harm caused to the subjects, and the appropriateness of the security and accountability measures in place. Negligence is poorly viewed.
2. Processing ban/suspension – This is another serious type of punishment. It effectively forces an organisation found to be in breach of GDPR to cease trading.
3. ICO enforcement orders/instructions – These are likely to include mandatory future audits, but the associated adverse publicity that goes with an ICO enforcement order/instruction is certain to be even less welcome.
So, what are the signs suggesting a future increase in penalties? The clearest indication is a rise in the number of ICO staff associated with regulatory activity, said to be in line with the recent growing number of complaints and breach notifications. The ICO has indicated it will take the strongest action against those organisations which wilfully, negligently or consistently evade the new regulations; there are going to be no excuses for poor or non-compliance. Striking a more positive tone, however, the ICO has also said that, up to a point, it is generally in favour of a carrot rather than stick approach.
The penalties outlined above are not the whole story though. Over and above the powers of the ICO, there are other threats facing organisations found to be in breach of GDPR:
4. Criminal proceedings – It is important not to put on the ‘data blinkers’ when assessing whether organisation conduct connected to obtaining, retaining and processing data is criminal. Data is increasingly recognised as a valuable commodity, and obtaining and misusing it may attract criminal liability where, for example, there has been a conspiracy to defraud.
5. Adverse publicity leading to loss of reputation – No-one should underestimate the negative impact of adverse publicity on an organisation which has fallen foul of GDPR. The inevitable loss of customer trust and reputation is likely to have a damaging effect on the market share of an affected business and, in turn, its revenue.
6. Class actions and lawsuits – Larger organisations handling large amounts of personal data are at particular risk of class (group) actions and civil lawsuits. Many of us are aware of last year’s high-profile case involving British Airways, which fell victim to a data breach and now faces compensation claims from affected customers as well as a probable regulatory fine.
The benefits of good data management
It’s easy to dwell on the negative side of data protection rules, but it’s worth considering the possible upsides of good compliance as well. Given how much of a priority data security has become for statutory/government-led organisations, it stands to reason that any organisation delivering services on their behalf is going to need to meet stringent standards. It follows there will be rewards for any charity that invests the time and resources to get their data management in good order.
Let’s acknowledge that complying with the regulations has the first obvious benefit of ensuring your organisation avoids the risk of any of the penalties covered earlier in this article. This is fine as a basic ‘bottom-line’ approach, but it doesn’t tap into the real business benefits.
1. Competitive advantage – Charities which are on top of data management and data security are showing alignment with what is clearly a priority for government authorities and health trusts. That has to be good news if your organisation competes for public sector contracts.
2. Build trust and reputation – The general public is also becoming increasingly concerned about the sharing of personal information, and more wary of organisations that do so. Showing your customers and suppliers that your organisation takes data protection seriously and, furthermore, that you will not misuse personal information shared with you, is becoming ever more important. Being open and transparent about how you use personal information may even encourage people to share more data with you. Facebook is a good example of a company that has got it wrong in the past and now recognises a need to rebuild trust and reputation.
3. Clean customer databases improve efficiency – Charities are full of staff and volunteers struggling to keep on top of a heavy workload; nonetheless, you must now put aside time regularly to clean out old data from your database and check that records are up to date. Complying with the core principles of purpose limitation, data minimisation and storage limitation means you can no longer be complacent about this kind of housekeeping, but your organisation will reap the rewards of improved efficiency as a result.
Cleaning/sanitising your client database can also be a useful trigger to scrutinise the personal information you are managing and take a fresh look at it. You never know, you might spot an opportunity to build new insights into your data; look at new ways to use the information you have in order, perhaps, to improve your data mapping processes; or find a new way to group your clients for a new marketing strategy.
4. Improve security and business continuity planning – Complying with GDPR also puts a responsibility on charities to improve information security generally, whether that be around the client records we store online on our computers, or around any paper records we store in an office cabinet. You should be able to show evidence of:
- external cyber defence
- identity and access control (e.g. passwords)
- disaster recovery plan
If you are a small or medium-sized charity, these may at first seem onerous tasks to take on, but there are companies which can offer expert help in this area and specialise in supporting charities, including DataWise Intelligence and Penleaf.
Setting aside common excuses
There are multiple reasons why so many charities have stalled over the new data protection regulations (GDPR). The following lists the excuses we at DataWise Intelligence have heard most often:
“We’ve completed the basics but then been distracted by our day-to-day work.”
“So many other organisations have fallen behind, why would the ICO pick on us?”
“The ICO isn’t going to punish small charities for poor data protection compliance.”
“GDPR doesn’t apply to us: our operation is too small and/or we don’t collect personal information from people.”
“GDPR is a European initiative. It will no longer apply once Britain leaves the EU.”
“GDPR is just too complex, it’s impossible to know how to begin and/or what we need to do.”
“Charities are perceived as generally ethical; people don’t really mind us having their personal information.”
If your organisation is in the majority of small or medium-sized charities hiding behind one or more of the above excuses, you are taking a risk. Funders and commissioners are already starting to include stricter stipulations around data management and security. No organisation can afford to bury its head in the sand over GDPR any longer.
The time to take action is now. If you would like to know more about DataWise Intelligence and our new ‘Optimiser4’ online GDPR evidence tracking and staff training portal, please do get in touch. We can help you fix any gaps in your compliance journey.
In Part Two, we will set out the ten steps your charity needs to take over the next 12 months to ensure GDPR compliance. For an email alert on when this is published, sign up to receive an alert from The Boiling Frog.
About the Authors – Peter McCann and Christopher Johns are respectively managing and compliance director of DataWise Intelligence. Peter is also an independent Board-level and senior manager mentor/coach, with a particular interest in supporting charities. Christopher is a 30-year veteran IT manager who has led and project-managed GDPR projects.
About the Editor – Jenny Hopkins is founder and content curator of The Boiling Frog; she is also a voluntary sector adviser and strategy specialist for Penleaf Limited, helping charities respond to the challenges of a changing world.