Charities – dealing with data breaches
Data breaches are a ‘hot topic’ in the media at the moment, following (amongst many others) hacker Magecart’s infiltration of British Airways, Ticketmaster and the most recent incident, Shopper Approved.
Following the implementation of the General Data Protection Regulation (GDPR), effective protection of personal data is more important than ever, with charities being no exception. For example, Cancer Research UK was also recently targeted by Magecart, but fortunately the hacker’s efforts were detected before any damage was done.
Prior to the implementation of the GDPR, the ICO had issued a total of £138,000 worth of fines to eleven charities. Since the tightening up of the rules on personal data, and with public interest at an all-time high, it has never been more important for charities to be familiar with their data protection and data security obligations.
Matt Walmsley, the director of marketing at Vectra Networks (a company specialising in the detection of cyberattacks), has described charities as an ‘irresistible target’, given the limited funds available to protect their systems as effectively as they might wish. Prevention is obviously key (see our previous blog posts here and here), but if the worst should happen, what must you do if your charity experiences a data breach?
What constitutes a reportable breach?
Under the GDPR, a personal data breach is a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. The Information Commissioner’s Office (ICO) has explained that it can cover anything that has affected the confidentiality, integrity or availability of personal data, whether lost, destroyed, damaged or disclosed. The volume of data subjects is largely immaterial, although if only a few are affected, and in a minimal way, it may not be necessary to make a notification to the ICO or the Charity Commission (see below). It is a judgement call, and professional advice should be sought where there is any doubt over whether a breach should be reported.
Essentially, if any incident occurs affecting personal data, your charity will need to establish the likelihood and severity of the resulting risk to people’s rights and freedoms as far as their personal data is concerned. In considering whether there is a risk, all relevant factors should be considered, such as whether there is likely to be any emotional distress, physical damage (e.g. disruption to services or supplies), material or non-material damage, or any other significant economic or social disadvantage. If a risk is identified, you must take all measures available to contain the breach and mitigate the damage caused.
As an example of ‘what not to do’, in 2014, the British Pregnancy Advisory Service (BPAS) were fined £200,000 because a vulnerability in their website coding meant that the confidential personal details of ten thousand women were leaked. This was considered especially severe, given the extremely sensitive nature of the information BPAS held about pregnancies, wanted or unwanted, and submitted by vulnerable women (often in their teens). This happened prior to the GDPR coming into force, and it is likely that the penalty meted out would have been far higher under the regime of the GDPR.
Furthermore, in case they are called to account later, and to support the accountability and transparency principle, charities should get into the practice of recording all breaches (reported or otherwise) internally.
Who and when should you notify?
If you decide that there is likely to be a risk of compromising data subjects’ rights and freedoms and the affected individuals are in the UK, the supervisory authority is the ICO. If the breach affects individuals in different EU countries, the ICO may not be the correct authority and you will have to establish which European data protection agency (or agencies) should be contacted.
Whoever the relevant authority is, the notification must be made within 72 hours of becoming aware of the breach. If it is not possible to notify the ICO (in the case of UK data subjects) within this timeframe because of, for example, a lack of information, trustees should notify the ICO of the delay and inform them when they will be able to report fully.
It is likely that the Charity Commission will also need to be informed of the incident. Trustees will be required to issue a Serious Incident Report (SIR) if an event results in, or risks, significant loss of the charity’s money or assets; damage to the charity’s property; or harm to the charity’s work, beneficiaries or reputation. In the case of a data breach of a charity’s website, it is likely that a severe data breach would harm the beneficiaries and the reputation of the charity and thus, notification would be required. In response to a SIR, the Commission may need to offer regulatory advice or guidance to trustees, or in the most serious cases, the Commission may need to intervene by using its temporary protective powers to safeguard charity assets and get the charity back on the right path.
If your charity is an ‘operator of an essential service’ and stores and processes a lot of personal data, such as BPAS mentioned above, your breach may also fall under the Networks and Information Systems (NIS) Directive. This will be discussed in more detail in a future article.
What information should the notification to the ICO contain?
The GDPR has prescribed certain information which must be included when reporting a breach, including:
- A description of the personal data breach, including an approximation of both the numbers of people and personal data records affected;
- The name and contact details of the data protection officer;
- A description of the likely consequences of the breach; and
- A description of the measures taken to try and mitigate any adverse effects on the data subjects.
Telling the affected individuals
This has a higher threshold than notification to the ICO. In this case, if the breach poses a high risk to the rights and freedoms of the individuals (rather than a risk merely being likely), the GDPR states that the individuals must be informed as soon as possible. Again, all of the factors should be assessed to determine the impact and potential consequences for the individual.
Amongst other reasons, this allows data subjects to take steps to protect themselves from the effects of the breach, such as, for example, cancelling any affected credit cards.
Failure to report
Given that the sanction for failing to notify a serious data breach can be a fine of up to ten million euros or two per cent of an organisation’s global annual turnover, failing to report is not an option for a party affected by a data breach. As shown by the examples above, no organisation is immune from a data breach, however carefully it safeguards donations and other monies, and therefore the risk of suffering a large fine from the ICO remains very real.
If the worst happens and you suffer a data breach, we can help you navigate the path between the ICO and the Charity Commission and advise you on how best to deal with breach reporting, including how to handle and notify your donees, working with IT security professionals and managing any communication you may receive from the ICO or the Commission.