Protect your beneficiaries — and your organization
Originally published: January 2017 | Last reviewed: January 2017
Does the information you process count as personal data? Do you have a data protection policy, and do staff know how to access it? Who's accountable for data protection compliance in your organization?
If you're unsure about any of these, you may need to invest time in understanding the ins and outs of data protection.
Requesting, keeping and using personal information may be vital to your charity's work, whether that's targeting your fundraising to potential donors or contacting volunteers for an event. But whatever you're doing, the law requires you to use any personal information responsibly and to keep it as safe as possible.
What are the risks?
Data protection legislation in the U.K. aims to keep individuals safe from potential harm and to prevent sensitive information falling into the wrong hands. That's not only relevant for nonprofits working with vulnerable people. It also affects supporters, volunteers, trustees and donors.
Mishandled data may have significant repercussions for your organization, resulting in large fines or other penalties. For example, in 2014 the British Pregnancy Advisory Service (BPAS) was fined £200,000 by the Information Commissioner's Office (ICO) after a hacker stole personal data from the charity's website. BPAS had been unaware that its website was storing the details of people who had contacted it, and that oversight left the data exposed to theft.
Aside from material damage, tarnished reputation and loss of trust are major risks. With public interest in data security growing, charities can't afford to slip up. A mislaid laptop or memory stick could have serious repercussions.
And it's not just large nonprofits with extensive databases at risk. As the Charity Finance Group (CFG) points out, "even the smallest organizations are likely to hold personal data ... These organizations, which often rely on their existing reputation, can stand to lose just as much from a breach as those who spend millions on IT, if not more."
What can you do?
The risks are real — but there are ways to limit them. Take control with these steps:
Understand the law and the principles
To protect both your organization and the people whose information you hold, the simple answer is to understand and comply with data protection law, currently defined by the U.K.'s Data Protection Act 1998 (DPA). To understand it in detail, take time to review the ICO's guide to data protection, which takes you through the eight data protection principles:
- Process personal data fairly and lawfully
- Obtain personal data only for specified and lawful purposes, and don't process it further in a way that's incompatible with those purposes
- Hold only personal data that's adequate, relevant and not excessive for the intended purpose
- Keep personal data accurate and, where necessary, up to date
- Keep personal data no longer than necessary for its purpose
- Process personal data in accordance with the rights of individuals under the DPA
- Take appropriate technical and organizational measures against unauthorized or unlawful processing, and against accidental loss, destruction or damage, of personal data
- Don't transfer personal data to a country or territory outside the European Economic Area that doesn't ensure an adequate level of protection
Understanding the implications of the legislation can seem overwhelming. But as CFG says, the law aims to allow organizations to "strike the right balance" — meaning that while you need to comply, you still maintain some flexibility in determining how to do so.
For example, keeping personal data after it's no longer needed (including in back-ups) may breach the retention principle, but the law doesn't set a minimum or maximum retention period. It's up to you to define an appropriate period for each kind of data you hold, write it down, and apply it consistently.
Understand how the laws and principles affect you
Consider these top tips for small and medium sized charities from ICO:
- Tell people how you're using their data. Explain what you're doing with it, and how it'll be shared (you can do this with a privacy notice: see the ICO's checklist for what to include). Beyond best practices, this is a legal requirement.
- Provide adequate training for your staff. Require data protection training for new hires to ensure they know how they should be storing and handling personal information. Offer regular refresher training for existing staff.
- Choose strong passwords. Keep personal information secure by using passwords that contain upper and lower case letters, a number and ideally a symbol. Length matters more than mixing character types, and a password protecting personal data should never be reused on another service.
- Encrypt all portable devices. This includes memory sticks, laptops and any other devices used to store personal information, so that a lost or stolen device doesn't automatically become a reportable breach.
- Retain personal information only as long as necessary. Then, follow a consistent process for securely deleting information that's no longer needed.
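The retention tip above, and the earlier point that the law leaves the retention period to you, describe a process rather than a number: decide a period per kind of record, then sweep on a consistent schedule. The following is an added example (not code from the original article, the ICO or YourPeople) of such a sweep in Python. The record layout, the retention periods per category, the legal-hold flag and the sample records are all assumptions for illustration; your own policy sets the real periods.

```python
"""Retention sweep: flag personal-data records that have outlived their
retention period so they can be securely deleted on a consistent schedule.

Added example, not from the original article. Retention periods, the
record layout and the sample records below are all assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed retention periods per record category, in days. The DPA sets no
# fixed period; a charity's own data protection policy defines these.
RETENTION_DAYS = {
    "volunteer": 365,    # assumed: one year after last contact
    "donor": 6 * 365,    # assumed: longer period for financial records
    "enquiry": 90,       # assumed: short period for one-off contacts
}


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    last_contact: date
    legal_hold: bool = False  # kept regardless of age, e.g. an open complaint


def expiry_date(record, retention=RETENTION_DAYS):
    """Date on which the record's retention period runs out."""
    return record.last_contact + timedelta(days=retention[record.category])


def sweep(records, today, retention=RETENTION_DAYS):
    """Sort records into three lists of IDs: due for deletion, expired but on
    legal hold, and records whose category has no policy. A missing policy
    is a gap to fix, so such records are reported rather than silently
    kept or deleted."""
    to_delete, held, unknown = [], [], []
    for r in records:
        if r.category not in retention:
            unknown.append(r.record_id)
            continue
        if expiry_date(r, retention) > today:
            continue  # still within its retention period
        if r.legal_hold:
            held.append(r.record_id)
        else:
            to_delete.append(r.record_id)
    return to_delete, held, unknown


def deletion_log_line(record_id, today):
    """Audit line recording only the ID and date, so the log itself doesn't
    become another copy of personal data."""
    return f"{today.isoformat()} deleted record {record_id}"


# Constructed sample records (hypothetical people, hypothetical dates).
SAMPLE_RECORDS = [
    Record("V-001", "volunteer", date(2015, 6, 1)),
    Record("V-002", "volunteer", date(2016, 9, 15)),
    Record("D-001", "donor", date(2010, 4, 10), legal_hold=True),
    Record("E-001", "enquiry", date(2016, 12, 1)),
    Record("T-001", "trustee", date(2012, 1, 1)),  # no policy for this category
    Record("E-002", "enquiry", date(2016, 10, 1)),
]

if __name__ == "__main__":
    today = date(2017, 1, 31)
    to_delete, held, unknown = sweep(SAMPLE_RECORDS, today)
    for record_id in to_delete:
        print(deletion_log_line(record_id, today))
    print("on legal hold:", held)
    print("no retention policy (fix the policy):", unknown)
```

Run the sweep from the same schedule that expires your back-ups, and delete from the live system and the back-up media together; otherwise the retention principle is only half met.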
Pay particular attention to marketing and fundraising laws
While the law leaves some aspects of data protection to your judgment, the rules on direct marketing are fairly strict. In addition, any organization doing electronic marketing (email, text messages, automated calls) must comply with the Privacy and Electronic Communications Regulations (PECR).
The Institute of Fundraising recommends the following as a starting point:
- Obtain the required permissions before contacting supporters
- Use, share and retain personal information only in a manner that the supporter or prospect would approve
- In general, use others' data only in ways that you'd like other organizations to use yours
The ICO also provides more detailed direct marketing guidance for charities, while the Institute of Fundraising has a checklist for direct marketing and data protection.
Create a data protection policy
A written policy, tailored to your particular context, will help keep your organization focused and guide staff and volunteers in their everyday use of personal data. New Philanthropy Capital also recommends nominating one staff member to have responsibility for data security (for example, a data protection officer) who reports on this to senior management.
Ensure everyone's on board
It's no good being well informed if the rest of your organization isn't equally up to date. More than half of the U.K. fines for data breaches in recent years were attributed to insufficient staff training in handling personal data, according to Breach Watch, which tracks ICO penalties.
As well as training new staff (with refresher training for long-term employees), make sure data protection stays front of mind for anyone dealing with personal information. The ICO has a toolkit of printable resources that charities can use to remind employees of their responsibility to manage data carefully. Remember to extend awareness and regular training to employees or volunteers who work outside the office, especially those using their own equipment.
As well as providing the latest information on data protection laws, the ICO offers free one-day advisory visits to small and medium-sized charities, resulting in a report and practical recommendations for improvement. In addition, both the Directory for Social Change and NCVO offer training (at a cost) on data protection for voluntary sector organizations.
This article draws on the expertise of YourPeople, a U.K.-based firm that provides outsourced human resources services across all sectors.
The General Data Protection Regulation will replace the U.K.'s current Data Protection Act 1998 in May 2018. Find out how you should be preparing for the new legislation.