Data Security in Philanthropy
Christian Propper
25+ years' experience and passionate about #fundraising, #philanthropy and #education. Enables fundraising teams by sharing content that helps you make a difference.
As the saying goes “Data Is the New Oil” and charities and non-profits certainly hold a lot of valuable data. We collect contact details, build up donor giving histories, process payments, build up donor and prospect profiles and gain insights into very personal and sensitive information. And we do this for a vast number of individuals, but often these individuals are also celebrities, politicians, people in the media, the very wealthy and quite often the very vulnerable.
This volume and level of information can make our data very attractive… and we are not immune to cyber-attacks.
The threat landscape for charities has worsened, with a higher number of attacks, many of which show more personalisation and targeting than before. In February 2021, 1.6% of all malware attacks were targeted at non-profits and a staggering 62% of attacks were against educational organisations, according to Microsoft. This makes education organisations the number one target of malware attacks right now.
But attacks against non-profits are not really anything new. Back in 2015, 700,000 non-profits had their account data stolen by attackers who had hacked into a USA online tax filing system. Just last year, 166 UK organisations were impacted by Blackbaud’s security breach and a further 23 US organisations have since filed class action cases.
Unfortunately, non-profits have a real challenge in this area. Not only do charities have a legal and ethical duty to protect sensitive and vulnerable data, but charities are also held to higher standards than many commercial organisations. Charities need to maintain trust and loyalty amongst their supporter base with many charities relying on their reputation to raise vital operational funds.
These expectations are compounded by shoe-string budgets and a lack of IT support and/or senior data professionals who can raise awareness within non-profit organisations. The situation is further exacerbated where charities rely on volunteers, short-term contractors or employees who may not receive adequate training and are unaware of the risks of using spreadsheets or emailing data without password protection.
Our industry is experiencing a textbook case of growing pains. The world needs effective and impactful philanthropy right now, but as philanthropy adopts new technical solutions, protections are also needed.
Malicious attacks can take many forms, such as phishing, hacking or ransomware. For charities, these can harm their reputation, impact their operations or seek financial gain from them. These attacks could come from random criminals, or potential employees or volunteers with a grudge.
Please do not think that every problem is malicious. Human error is a major cause behind data breaches and this is harder to deal with. A member of staff may lose a memory stick or laptop. A misaddressed email can expose unsecured data. These types of actions are the biggest cause of personal data breaches in the UK.
Of course, data does not just sit within your network. Your non-profit may have secure firewalls and faultless processes, but your operations could still be at risk from attack throughout your supply chain: cloud hosting providers, mailing houses and third-party apps can also be at risk of breaches. In addition, data could be stored on devices or shared on emails using insecure public wi-fi networks. This could result in your data ending up in other locations without your knowledge and protection.
This combination of factors can lead to data breaches, which you need to manage.
The ICO defines a data breach as follows:
“A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data.”
“Personal data breaches can include access by an unauthorised third party; deliberate or accidental action (or inaction) by a controller or processor; sending personal data to an incorrect recipient; computing devices containing personal data being lost or stolen; alteration of personal data without permission; and loss of availability of personal data.”
Any of these breaches may be investigated by the ICO, meaning you will be audited. Best case scenario: you will have to improve your processes. Worst case scenario: you could be looking at a fine and a PR disaster.
Apologies if at this stage your anxiety levels are through the roof. So, what can you do?
This list might seem long and technical, but each one of these solutions can mitigate your risk of experiencing a data breach. To avoid human error, documentation of processes and training users in safe data handling are the main recommendations – remember, most data breaches are due to human error, so by prioritising this area you may be able to gain a few quick wins.
Combating malicious attacks does require IT expertise – there are no quick solutions here. You need to pay someone, either internally or externally, to implement these solutions for you. If your database solution is cloud-based, you will want to make sure that the software provider has implemented these types of solutions.
Finally, protect your data when it leaves your organisation. Data Sharing Agreements are designed to stipulate what third parties can and cannot do with the data you supply them and to ensure that they have the relevant security measures in place, too. They cover you legally, and they should include an indemnity clause to ensure you are compensated should they be responsible for a data breach.
If that all sounds rather daunting, it might help to break down your approach with these four simple questions:
- What data do you have? You might immediately think about your main donor database, but don’t forget about other areas such as your payment processing system and HR systems.
- Where do you store this data? Again, it is not just where your database is stored: there is also data in your email system and on your mobile devices, and do not forget about paper records.
- How do you use it? Knowing how you process your data will help you identify security weaknesses and aid your development of user training.
- Finally, and I think most importantly, understand why you keep the data you have. Why is it valuable to you? What is its business value? If it serves no purpose – get rid of it. Why take the risk of exposing this data to a breach if you do not need it?
Beyond those four questions, do not underestimate the impact good data governance can have. Set up a working group that brings together a range of IT, data protection, supplier and business users to help you better understand your data systems, understand the value of the data you hold, design better processes and use the right security tools.
Good data governance educates and raises awareness of good data protection throughout your organisation. It helps reduce the risk of potential data breaches and therefore supports your compliance with GDPR, PECR and PCI DSS.
If you are interested in finding out more about data risk management solutions, data governance or need help with making a business case for more data resources, you may find the following blogs on Propper-Fundraising.com helpful.
- Why risk management solutions are the future of charity cybersecurity
Thanks for sharing, Christian - it was a very thought-provoking session!