The introduction of General Data Protection Regulations (GDPR) in May 2018 has greatly influenced the way in which all businesses – including charities – handle their data.
As we all know under these new regulations, all public authorities and charities must now appoint a data protection officer (DPO). An in-house or outsourced expert in data protection who has a certain level of independence from the charity’s primary purpose for data collection.
But alongside this need for a DPO, GDPR also highlighted another key thing – the importance of sensitivity in the way every charity handles personal information. Given the amount of personal information most charities hold, it is unsurprising that many were concerned about how to best comply and appropriately safeguard this information.
On top of this, some charities – especially those working in a healthcare capacity such as Severn Hospice with our three wards and 26 shops – also need to ensure compliance with other operating requirements like the NHS tool-kit which is focused on information governance. So one year on we thought we’d share the process we went through and what we learnt for others who might be in the same boat.
Charity concerns surrounding information governance
When all the changes came into place we at Severn Hospice, found ourselves faced with the challenge of having to find a pathway through both information governance and GDPR that really worked.
We knew several charities which had already been fined for breaching GDPR – which goes to show that, no matter how noble your cause, no organisation is exempt from GDPR’s jurisdiction. So clearly It was important to ensure the hospice was handling its data in accordance to best practice with both GDPR and the NHS tool-kit.
At Severn Hospice, we hold large quantities of personal data including that of patients, staff and donors. It all needs to be protected with a high level of security both internally and via electronic means. Some of the complexities surrounding information governance and how best to appoint an external data protection officer were problems we knew we needed outside support to solve and so we worked with Aristi – a cybersecurity firm, based in Birmingham – who specialise in this area, to devise a plan of action.
GDPR tips for charities based on our experience
- Identify all essential personal data you hold, where and how it is stored and your reasons for holding it. If it is not essential then do not keep it. The more information you have, the more you need to do to keep it secure.
- Ensure you know where your data is, who you are sharing it with and who has access to it. Only those who have an organisational need to access information should be able to access it.
- Ensure your systems have adequate security to safeguard this data effectively. One of the most simple and effective ways of securing systems is a strong password policy. Individual user accounts, complex password rules and password lockouts after a number of incorrect attempts, are essential. Use multi factor authentication where possible to reduce the risk of passwords being guessed, especially for cloud based systems and where you are allowing privileged access to information.
- Test your ability to detect, respond to and recover from a data breach. Ensure that the reporting procedures are easy for staff members to access and understand. Know who needs to be notified and ensure that they have the relevant training and resources to be able to effectively mitigate any impacts caused by any data breach.
- Embed best practice information governance into your charity’s culture – minimising reputational risk and securing your charity’s future. Senior management team really need to drive this for it to be effective.
What happened next? Alleviating concerns
To ensure our fears were put at ease, several steps were taken:
- A GDPR review was conducted to highlight any inconsistencies with compliance and an improvement plan developed.
- A Virtual DPO service to gain access to specialist GDPR expertise.
- Monthly audits to assure compliance and identify next key priorities.
- You can’t fix problems that you don’t know exist. A penetration test was conducted to discover any possible vulnerabilities in security of data and systems – providing remediation guidance. The main area of concern was staff members using weak passwords. Severn Hospice passwords are now reset quarterly and a lot of work has gone into helping the team become more acutely aware of the importance of using a strong password.
- Cyber Essentials certification was gained to demonstrate Severn Hospice’s commitment to good cyber security.
How things changed
For us the imperative was finding a partner who responded quickly, to help us understand and comply with good information governance. Resulting in us gathering confidence and momentum when examining and changing how we handle data in a way that brought about fundamental change.
Our independent provider (Aristi) were great because their advice was timely, valuable, genuine and independent.
Some of the changes were quickly implemented eg stopping domain administrator accounts from web browsing and or emailing. Others were part of a longer-term plan such as a phishing email campaign to raise staff awareness. But everything we did helped us become more confident we are where we need to be in terms of GDPR obligations and Care Quality Commission compliance requirements.
Peace of mind is precious. Being a charity, our reputation is so important and this process has helped minimise our reputational risk. However keeping on top of GDPR is something that takes effort and we are continually perfecting our systems to keep us one step ahead of cyber attackers.