Charity Digital 2020 Data Protection Checklist

Data breaches can be hugely costly to charities, in purely financial terms and also in terms of disruptions to service delivery and in loss of trust from those whose personal data or confidential information may have been stolen.

The risk of a data breach is also very real: 25% of charities reported at least one cyber attack during a twelve-month period, according to the government’s Cyber Security Breaches Survey 2019. When these attacks lead to a data breach the financial cost alone can commonly exceed £100 per record stolen, according to IBM’s 2019 Cost of a Data Breach report.

But good data security is not just a good idea: when it comes to data about people it’s a matter of digital ethics, and it’s also the law: The General Data Protection Regulation (GDPR) which came into force in May 2018 obliges organisations including charities to take reasonable steps to protect "personal data," although it doesn’t give any specifics on how exactly data should be protected.

That’s why it is vitally important for charity leaders to keep the data they store as secure as possible from cyber attacks, and to ensure that only those that are authorised to access it can do so. Our 2020 data protection checklist highlights five important areas that should not be overlooked:

1.) Use strong authentication

Passwords provide staff with convenient secure access to all kinds of data, but it is important to ensure that they don’t provide cyber criminals with the same easy access. That means changing any default passwords that come with new hardware and software, and ensuring that all passwords in use are long and difficult to guess.

Whenever possible, passwords should be used alongside some other form of authentication such as a PIN sent to a smartphone as part of a two-factor authentication (2fa) system.

Some security experts recommend that passwords are changed regularly, and it is important to ensure that accounts and passwords are deactivated when staff or volunteers stop working for the charity.

2.) Encrypt important data stores

Valuable information such as credit card numbers, as well as personal data and other confidential records, should be encrypted to make it hard for cyber criminals to use any data that they manage to access. (The GDPR does not expressly mandate the use of encryption, although it does say that organisations should use "appropriate safeguards, which may include encryption.")

Any data which is taken outside an organisation, for example on a USB stick, should also be encrypted in case it gets mislaid or stolen as a basic data protection measure.

Operating systems including Windows 10 and MacOS have encryption systems, called Bitlocker and FileVault respectively, built into some versions.