As usual, quite a lot. Caesar famously used his cipher to protect important and sensitive military messages exchanged with his generals. So what can we learn from the famous Roman?
Various high-profile charity cases and figures from the Information Commissioner’s Office (ICO) show an overall rise in the number of charities that have suffered data breaches. This is an area with potentially serious consequences for charities.
Protecting your organisation’s data also helps you to maintain your reputation, both with your donors and with the wider public. So what can charities do to protect themselves against this threat?
1. Be prepared and plan, plan, plan!
If your charity suffers a data breach, you can potentially limit its harmful impact by already having a plan in place for handling breaches. You should know what types of data you keep, who has access to it, and which of your staff and volunteers have been trained in managing your data. Most data breaches are straightforward, simple mistakes. Also be aware that a breach can occur through a third party that handles your data.
A charity should be able to make each of these statements:
• We know the types of data we capture, where it comes from and who has access to it in our organisation.
• We know what the data is used for and have asked the subject’s permission.
• We know how to keep it safe, and how to get rid of it when it is not needed (this is especially important for physical data that is not needed anymore).
• We train our people and have put measures in place to be able to trust third parties.
• We have a plan to handle a data breach.
Data protection should be treated as a top-down attitude, with shared ownership of good practice across the organisation. Transparency is needed so that people trust that reporting a data breach will be handled professionally.
2. But won’t the ICO be more lenient if I’m a charity?
Short answer, no!
The ICO will not take into account what type of organisation suffers a data breach, but instead how the breach is handled. The most common advice is to inform the ICO as soon as possible and to start implementing your pre-existing plan. If you can show that your organisation is attempting to do the right thing at the right time, the chances of receiving a heavy fine or other punishment are reduced.
A data breach in 2015 is now estimated to have cost £120 per compromised record. Charities have made headlines by having to pay fines of up to £200,000 for data breaches.
Charities also have to remember that a volunteer who handles data is recognised by the ICO as having the same responsibilities as permanent staff. This means that volunteers (along with staff) should also receive training on your charity’s data protection policies.
3. Modern technology makes everything easier, right?
The ability to access work through numerous devices (phones, tablets etc.) has become very important for most charities. These devices still have to comply with your charity’s data protection policies if you use them to access personal or sensitive data.
While a work computer might be encrypted, this is often not the case for personal devices, so your organisation should be particularly careful to monitor where this data is being sent.
Another way that data is shared is through various online cloud services. Much of the data held in cloud services is not sufficiently secured and is stored in the USA, which is currently not legal.
A UK charity should try to ensure that any cloud service it uses holds its data only in the EU. One way of countering this risk is to encrypt any personal or sensitive data before it is shared through a cloud service.
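The encryption advice above is the one point on this page that turns into code. The following is an added example, not code from the original article or from the ICO: it encrypts a donor record client-side with AES-256-GCM (authenticated encryption from Go’s standard library) before it is uploaded, so the cloud provider only ever holds ciphertext, and it rejects a stored blob that has been modified. The donor record is a constructed sample, and the function names `NewKey`, `Seal` and `Open` are this example’s own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// KeySize is the AES-256 key length in bytes.
const KeySize = 32

// NewKey generates a random AES-256 key. The key must stay with the charity
// (for example in a password manager or key vault), never in the same cloud
// storage as the ciphertext.
func NewKey() ([]byte, error) {
	key := make([]byte, KeySize)
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		return nil, err
	}
	return key, nil
}

// Seal encrypts plaintext with AES-256-GCM and returns nonce||ciphertext||tag.
// GCM authenticates the data, so any change to the stored blob is detected on
// decryption instead of silently producing garbage.
func Seal(key, plaintext []byte) ([]byte, error) {
	if len(key) != KeySize {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	// A fresh random nonce for every record: reusing a nonce with the same
	// key breaks GCM's confidentiality and integrity guarantees.
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts a blob produced by Seal, failing if it was tampered with or
// encrypted under a different key.
func Open(key, blob []byte) ([]byte, error) {
	if len(key) != KeySize {
		return nil, errors.New("key must be 32 bytes")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(blob) < gcm.NonceSize() {
		return nil, errors.New("blob too short")
	}
	nonce, ciphertext := blob[:gcm.NonceSize()], blob[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ciphertext, nil)
}

func main() {
	// Constructed sample donor record (not real data).
	record := []byte("donor_id=1042,name=A. Example,email=a.example@example.org")
	key, err := NewKey()
	if err != nil {
		panic(err)
	}
	blob, err := Seal(key, record)
	if err != nil {
		panic(err)
	}
	fmt.Printf("upload %d bytes of ciphertext; keep the %d-byte key locally\n", len(blob), len(key))
	back, err := Open(key, blob)
	if err != nil {
		panic(err)
	}
	fmt.Println("decrypted locally:", string(back))
	// Simulate the stored blob being altered: decryption must now fail.
	blob[len(blob)-1] ^= 0x01
	if _, err := Open(key, blob); err != nil {
		fmt.Println("tampered blob rejected:", err)
	}
}
```

The point for a charity is the split of responsibilities: the cloud service stores the output of `Seal`, while the key stays under the charity’s own control, so a breach at the provider exposes ciphertext only. Losing the key means losing the data, so the key needs the same backup discipline as the data itself.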
4. European General Data Protection Regulation (GDPR)
The introduction of the European General Data Protection Regulation in May 2016 (updating the 1995 Data Protection Directive) will mean significant changes to data protection legislation. Organisations that have already developed an effective data security policy and plan will find the new regulation easier to implement.
But wait, won’t Brexit change all this?
Yes and no. In the short term, no: the GDPR will come into force from May 2018. With the current Brexit timeline keeping the UK in the EU until March 2019, organisations in the UK will have to implement the changes from May 2018.
Even after March 2019, if the UK agrees any trade relationships that require the transfer of EU citizens’ data, then the GDPR will still apply to the UK. Many countries (both inside and outside the EU) are implementing similar legislation, as there is an international push towards harmonising data protection to ensure the safe transfer of data across international boundaries.
What are the changes?
Under the new regulation, more data will be classified as personal data (IP addresses, URLs etc.), and the category of anonymised data will be replaced by pseudonymised data (where a number rather than a name is used to identify a person). Another important difference is that the ICO will be able to audit the private sector, not just the public sector, if it fears that data laws are not being upheld.
New rules on consent will also be introduced: consent to collect personal data must be unambiguous, and consent to collect sensitive data must be explicit. Silence, pre-ticked boxes or inactivity will not constitute consent. The ICO will also have to be notified within 72 hours of a charity becoming aware of a data breach.
Fines for data breaches will range up to £20 million or 4% of annual global turnover, though again, if a plan is in place and attempts have been made to prevent a data breach, this fine should be greatly reduced.
5. How can the ICO help?
If you are worried about the level of data protection in your organisation, you can apply to the ICO for an advisory visit. This gives practical advice on data protection and normally involves a one-day visit from the ICO to your organisation. The ICO also has information for charities on its website to help them understand data protection.
So although the type of data and the way we store it have changed dramatically since 52 BC, the idea that important data should be kept out of the hands of your enemies is still the same.