As specialists in IT, Cyber Security and Governance, we want to help businesses and charities like yours become secure and compliant.
Based on the ICO’s audit of eight charities in 2018, we identified some common areas of weakness and have compiled some simple remediation advice on why these things are essential to become fully compliant with the GDPR and other professional standards.
We have also ranked the areas of weakness in order of how important we believe the requirement is, and how much it will improve your organisation’s overall compliance and security.
#1 Lack of documented IG (Information Governance) arrangements
Most of the charities audited were found to be lacking some IG arrangements, meaning they could not demonstrate an overall governance framework.
By implementing these arrangements alongside your policies and procedures, your level of compliance and internal security is stronger, and all staff know what they must do and which documentation they are expected to follow.
#2 Missing key IG policies
Under the GDPR, PECR and other regulations you have a responsibility to document and implement the key policies in your organisation.
These policies record where your data is stored, who is given access to it, the security measures used to protect it, and what data is collected and for what purpose.
#3 Business continuity plans
In the event of a disaster, your business or charity needs to have a business continuity plan in place. Of the eight charities audited, only some had overarching plans.
If a charity or business were to experience a loss of data of any kind, there needs to be a documented plan in place so that all staff can refer to the related procedure and follow it effectively. This plan should also set out how the lost data will be recovered. Under the GDPR, being able to show that such measures were in place is one of the factors taken into account when a fine is set, so it could reduce the severity of any penalty you receive.
#4 Communication of policies
Across the eight charities audited, communication of policies to staff and volunteers was inconsistent. This is a security issue because it means staff and volunteers are being given access to data without knowing, or following, the policies and procedures in place to protect it.
This breakdown in communication could result in a volunteer or staff member not following the correct protocol or, in the event of a data breach, not understanding their responsibilities or the correct reporting process.
#5 Staff training
The audit found that some of the charities did not provide staff and volunteers with induction training on Data Protection before allowing them to access and process personal data, nor annual refresher training afterwards.
Training is an essential way of monitoring, expanding and reflecting on your team's knowledge of a key subject. Data Protection training in particular allows you to test your staff and make sure they know their basic responsibilities and the correct process to follow in the event of a breach.
#6 Staff inductions
At least half of the charities had no requirement for staff or volunteers to read, understand and sign policies on induction when beginning their role in the charity.
Induction is one of the main processes organisations use to make sure that all new staff and volunteers are up to speed and know what their responsibilities are.
In the charity sector particularly, this is critical because staff and volunteers handle sensitive personal data (e.g. medical records, disabilities, special requirements). Setting a clear standard for how you expect staff and volunteers to handle and process data reduces the chance of human error causing a breach.
#7 Compliance checks
Compliance checks are an essential way of assessing the level of compliance your business or charity is currently achieving and of monitoring how well staff and volunteers are following procedures, so that any necessary remediation can be implemented.
Overall, this will make your staff and volunteers more efficient, productive and compliant.
Contact us today if you would like any help on making your business cyber secure and compliant with the GDPR and other professional standards. We offer charities and non-profits a discounted rate on our services, and we are currently offering a free Cyber Essentials audit to all charities that contact us before March 31 2019*.
*Subject to terms and conditions.