GDPR six months on: what have charities learnt?
Philip Anthony, Managing Director, Coopsys talks GDPR and data security and what charities are learning six months in.
We cornered Philip Anthony, founder of experienced non-profit IT specialist Coopsys to ask him about his experiences helping charity clients navigate data security in the brave new world of GDPR compliance.
Anthony’s insight from the perspective of someone who has been closely supporting charities up to and beyond the implementation date prove that there is life after GDPR – but there are still some major lessons for the sector to take on board.
CDN: Now that we’ve been under GDPR for six months, has the new regulation environment changed the way charities think about data security, as well as consent?
PA: The simple answer is yes! We’ve also found more acceptance of the need to comply with the UK government’s Cyber Essentials programme. not only does this programme improve security, but embracing Cyber Essentials helps charities demonstrate that they have undertaken appropriate due diligence.
For many, the process has reminded them that electronic and paper records are equally important. Few organisations would store sensitive information in an unsecured computer file, but many hold sensitive data in filing cabinets with shared keys. One organisation explained that until now they had locked all the cabinets and keep the keys in an empty margarine tub which is put away in the fridge!
GDPR compliance has also forced organisations to justify to themselves the reasons for processing data and many have found the pendulum has now swung away from keeping everything because you can, towards only holding data if it genuinely adds value.
CDN: What would you say are the biggest mistakes charities are making when it comes to data security under GDPR?
PA: Not always taking it seriously enough. To be fair, the challenge is often not idleness but limited resources – every pound spent on GDPR is one less towards the charity’s aims.
Email may be cheap and effective but charities were often breaking the pre-GDPR (PECR) rules to begin with.
Management of paper records, weak or shared passwords are still an issue, as is the failure to encrypt or protect data in transit whether that’s email or physical media. Not classifying company information according to its sensitivity is also a problem.
Charities often make the mistake of thinking of data security as an IT problem and not a business or organisational one – but actually data security should be an intrinsic part of all projects and align security concerns with business goals.
CDN: What does best practice data security under GDPR look like?
PA: In the best organisations, the adoption of best practice has been cultural rather than procedural. They have taken the opportunities presented by compliance, not just to avoid financial penalties but to improve the relationship with customers and others in the data supply chain.
Crucially, they also consider data governance and security at the start of every project and not just as an afterthought as it once was.
They have a top-down, consistent approach, backed up with the necessary resources and training to make compliance stick, and their performance is measured against established goals.
CDN: What are the main GDPR hurdles left for charities to overcome now?
PA: Those organisations that are not yet fully compliant must ensure that they define a roadmap to compliance. For those with the foundations in place it’s really important to ensure that ‘GDPR fatigue’ doesn’t set in and they don’t allow the good work they’ve done to slide back to business as usual. Charities must recognise that GDPR is not a one-time fix but needs to be embedded in organisational culture.
They’ve got to gain budget approval for the costs of maintaining the compliance obtained and the resources necessary to operate the systems implemented, and establish processes for continuous improvement.
They will also have to keep working to regain the trust of data subjects. GDPR has exposed many unwitting individuals to the scope and nature of the data held about them, so looking forward organisations must demonstrate that they can be trusted to operate ethically and fairly with the information they process, and keep subjects informed.
CDN: Looking ahead to the next six months, what’s in store for charities under GDPR?
PA: It’s difficult to know how the ICO will enforce GDPR, but there has already been a reported increase in breach notifications. It’s hoped that the ICO will use the information obtained to provide further guidance to organisations on how to maintain their security and compliance.
Charities and other organisations now have access to a wider variety of tools to process data, while cloud-based AI solutions like Google Cloud Machine Learning, Tensorflow and MS Cognitive Services will provide many opportunities for charities to derive information from their supporters and members. They’ll have to ensure that their data subjects remain informed and consent to such automated processing.
CDN: What’s your main advice to charities around lessening their remaining GDPR pain points?
PA: First of all, it’s about acceptance that GDPR isn’t going away. They need to recognise the need to put in resource and take responsibility for it, and have someone head up a working group or similar on an ongoing basis.
They’ve got to recognise, above all, that it’s not just an IT or fundraising issue. So far we’ve seen organisations that have issued GDPR declarations but have done little to ensure actual alignment, versus the ones that have made proper compliance happen.
At the moment there is still time to make good, but in the mid to long-term there is a real risk of reputational damage if these things aren’t properly addressed. Consultants like ourselves have effective roadmaps and experience that can assistant in making the process less time-consuming and give confidence that all the bases have been covered.
Coopsys are currently offering free consultations on a range of quick IT wins for charities. Click here for more information.