Charities are under-resourced by design; there is always more that can be done to help, yet resources are often limited.
Many operate across multiple jurisdictions, have donors from around the world, and rely on technology to connect workers to the people and processes in need of their support. With a decentralised working model and resources always feeling stretched, charities are under pressure to both optimise and protect their data.
This pressure has led to bad data practices in the past. In 2017, pre-GDPR implementation, the ICO fined 11 charities for misusing personal data. The charities in question set out to create more targeted profiles of potential donors, and shared data between themselves to create large common pools of donors. Those charities and fines were as follows:
- The International Fund for Animal Welfare – £18,000
- Cancer Support UK – £16,000
- Cancer Research UK – £16,000
- Guide Dogs for the Blind Association – £15,000
- Macmillan Cancer Support – £14,000
- The Royal British Legion – £12,000
- The NSPCC – £12,000
- Great Ormond Street Hospital Children’s Charity – £11,000
- WWF-UK – £9,000
- Battersea Dogs and Cats Home – £9,000
- Oxfam – £6,000
In a post-GDPR world, the fines would have been higher, an eventuality nobody in the data protection industry would want to see come to fruition against any charitable organisation.
To prevent a repeat of 2017 in a world with higher consequences, charities are seeing data privacy and data protection both as a necessity (for GDPR compliance) and as an opportunity (taking control of their data to improve donor targeting and performance analytics).
However, a webinar of 300 prominent charity sector leaders, hosted by Advance in April 2018, revealed that only 5% of attending charities felt they were GDPR compliant, with 75% saying there was significantly more work to do.
So, what can the charity sector learn from industry about closing the compliance gap without draining the resources needed to provide essential services?
Organisations are turning to technology to solve the data problem, and free up their time
The latest International Association of Privacy Professionals (IAPP) and EY Information Governance report showed that:
- Amongst companies preparing for GDPR, 57% were investing in technology in 2018, up from 27% in 2016.
- 68% of programme leaders now say data inventory and mapping is a priority, up from 48% in 2016.
Data Protection Officers spend most of their time trying to answer, ‘What data do I have? Where is it? Who has access to it? How is it secured?’ In 2019, it’s no longer possible to be literally ‘hands-on’ with data. It’s therefore no surprise that organisations are turning to data discovery and privacy compliance technologies to ease their data burdens.
The era of the technology-enabled DPO is here – what do I do?
Three simple steps for identifying and deploying technology to help you with your DPO role:
- Discover your data – Identify which repositories, applications and platforms hold personal data, and monitor those repositories.
- Define bad data practices – Define sets of rules for each area of your business processes that uses personal data. Ensure those rules are configured into your technology and that triggers are defined for identifying bad practices and data breaches.
- Communicate findings to the organisation – Let the team know about the trends you’re finding in personal data and let the organisation know where things need to be improved or where things are going well. Communication is key for data leadership.
By protecting personal data, charities can safeguard themselves from the regulators and maintain focus on the essential service they provide. Here’s to a more secure 2019!