deepagopi2011 - Fotolia
Only 5% of charities are ready for GDPR, survey shows
A survey shows relatively few charities are prepared for new data protection regulations, highlighting several areas for improvement
With the compliance deadline for the EU’s General Data Protection Regulation (GDPR) a month away, and the introduction of GDPR-aligned UK legislation getting ever closer, a survey indicates that only around one in 20 charity organisations are prepared.
In March 2018, a report by the National Cyber Security Centre (NCSC) said many charities, particularly smaller ones, do not realise the value of the personal, financial, commercial and other data they hold to cyber criminals.
Charities typically do not perceive themselves as targets, but the value of the data they hold to a range of cyber criminals makes them vulnerable to attack, the Cyber Threat Assessment report warned.
A month later, 76% of more than 300 third sector organisations admit there is still work to be done before they achieve full compliance, according to the survey conducted on 25 April 2018 by software and services company Advanced.
The survey, conducted during a webinar on the GDPR hosted by Advanced, also revealed 56% identified consent as the top priority for their GDPR planning, with uncertainty about the interpretation of GDPR representing the biggest obstacle to progress, according to 48% of respondents.
Alongside Advanced experts, the webinar included a panel of representatives from RSPB, Muslim Charity and Woodland Trust, who shared their successful journey to GDPR compliance and the challenges around management of consent and data retention, covering what they felt were the most important aspects of their plan to meet regulation by the deadline.
Read more about GDPR
- UK Department of Work and Pensions to spend nearly £15m on GDPR.
- UK surveillance laws a potential “sticking point” post-Brexit.
- The GDPR audit power is being outpaced by technological advances in data analytics, says ICO.
- GDPR focus shifts from the sanctions to the benefits.
- How to be prepared for GDPR by 25 May.
Mark Dewell, managing director for the commercial and third sector at Advanced, said the number of charities joining the GDPR webinar shows there is a big appetite for information and advice about this topic, especially with less than a month to go before the GDPR compliance deadline.
“It is both worrying and unsurprising that only 5% feel ready for the regulatory roll-out despite the threat of significant fines and other punitive measures for failure to comply.
“Undoubtedly, the attendees are committed and focused on achieving GDPR compliance,” he said, adding that the webinar was aimed at providing guidance, top tips and best practice to help charities feel more able to meet their GDPR requirements.
The Muslim Charity, for example, suggested getting data in one place by completing a rigorous data audit is key to enabling charities to answer any questions about the data they hold.
With the research revealing consent to be the biggest GDPR concern for charities, top tips from the RSPB and Woodland Trust focused on robust and engaging communications.
For the RSPB, its approach to consent has involved a continual and comprehensive programme across email and website channels to capture the relevant permissions, while the Woodland Trust has focused on consent message testing to identify the communications most likely to engage and drive action.
Data retention
Data retention was identified as an important issue. The Muslim Charity said an effective data retention policy which explains why data is being held, and for how long is critical, while the RSPB has linked their data retention to finances to ensure their gift aid claims remain valid and their financial audit trail is available in line with accounting standards
“It’s obvious that GDPR remains at the top of the charity sector agenda, and although progress has been made, there is still a way to go before many are GDPR ready,” said Dewell.
“Uncertainty around consent and data retention seem to be presenting the biggest worries for the third sector, with many concerned that their potential fundraising totals will be affected,” he said.
In light of the new EU and UK data protection laws, continuing high levels of cyber criminality and growing use of online business practices by charities mean investment in cyber security is increasingly imperative for the sector, according to the NCSC, which has issued fresh cyber security guidance to small charities.