The Pitfalls Of GDPR & Cyber Security For Micro Organisations

Uploaded on 2018-05-22 in NEWS-Cybersecurity News, FREE TO VIEW, BUSINESS-Services-Law

When we think of charities, what usually springs to mind are the grand challenges and associated fundraising drives. We’re asked to help cure cancer, end poverty, or fight injustice. What's less visible are the thousands of micro charities, non-profits and private clubs enriching people’s lives by building and maintaining communities. 

Whether they’re a charity, helping people build a support network, a non-profit helping people gain work experience, or a small club, whose members pay a subscription to share a hobby, the problem is the same. Their funding comes with the expectation that they'll do something that GDPR and Cyber Security both make harder. 

Often these organisations' volunteers are also business owners, volunteering their skills in their spare time... But the risk of decisions made in business and as a trustee are different. 

Is GDPR dividing opinions so much that charities feel they have to stop fulfilling their purpose? 

Decisions made by committee are inherently conservative, so the lowest risk decision a small charity or club can make is to stop doing the thing they're scared of. 

As you're reading this, millions of small community-led organisations are deciding whether to stop providing services such as membership directories and support networks because they’re unclear about how their responsibilities have changed. The prospect of fines divides committees, resulting in a loss of the skills and knowledge needed to fulfil the organisation’s purpose. What's worse, is that the services that they're considering withdrawing are the things that help people connect with their communities. 

What do they need to know? 

GDPR isn’t intended to stop us sharing data, and Google and Facebook share far more information about us than micro charities will ever collect. What is expected is more transparency and documentation of what’s happening, identification of the lawful basis to carry out this activity, and the processes and security measures they will use to manage the risk of a breach. 
Not collecting data is a legitimate cyber security measure, but good security isn't intended to be obstructive. In the case where they have to have a database of personal information whatever happens, but are considering reducing the services is used for, their cyber risk remains almost the same. 

Cyber risk relates to the value of data to hackers – as you collect information you collect risk. Adding some more security to reduce the risk would probably let them continue their projects. Keeping data subjects safe is either a question of protecting or of not collecting data. 

The choice not to use data is reducing an entirely different risk – the risk that the charity hasn’t understood the regulation, or that their members disagree with how their data is being used. Here’s what Piers Clayden had to say about the legal aspects of helping people stay in touch: 

“Small charities face a number of challenges when trying to work out how to comply with GDPR. The problem being that compliance will require the 2 things that small charities don’t have in abundance – time to drive through the necessary changes in practice and policy and money to take external advice (because the available guidance may not provide the answers you are looking for).

“Organisations who handle (‘process’) personal data can only do so legally where they have ‘lawful grounds’ for that processing. For charities trying to stay in touch with members and potential donors, the lawful grounds will most likely either be on the basis of the member/donors’ ‘consent’ or that the processing is necessary for the charity’s ‘legitimate interests’. 

“If a charity can mount an arguable case for using the ‘legitimate interests’ grounds (and it does require some analysis) then it may save the charity from having to seek new consents from its existing database.”

So, any charity or club collecting personal data might have to rethink what they're doing. If the data is collected purely for marketing or fundraising then it's unlikely to be a legitimate interest, but charities and clubs have a huge advantage over businesses... They're already required to be transparent. They have constitutions or they've had to register with the charities commission.

So if you're responsible for making decisions about a charity’s data use, or questioning whether you can even afford to send every member a letter asking for their consent... what did you already promise your donors and members that you would do?

This is an editorial article containing opinions that are not intended to replace advice. If you need support developing cyber security processes please follow the links below.

By Emma Osborn, independent cyber security consultant, OCSRC Ltd, with Piers Clayden, technology lawyer, Clayden Law Ltd.

Emma Osborn is an independent cyber security consultant, specialising in the support of smaller organisations and non-technical business leaders as they develop their cyber security processes.  OCSRC

If you’re looking for specialist legal advice, Piers Clayden can be found here: Clayden Law 

You Might Also Read:

GDPR For Dummies:

GDPR: It’s A Marathon, Not A Sprint:

« Hacking The Vote
A Guide To Preventing Charity Cybercrime »

CyberSecurity Jobsite
Perimeter 81
Cyrin

Real Attacks. Real Tools. Real Scenarios.
Schedule a demo

Go Cyber

Training that transforms behaviours

Sign Up: Cyber Security Intelligence Newsletter

Directory of Suppliers

CSI Consulting Services

CSI Consulting Services

Get Advice From The Experts: * Training * Penetration Testing * Data Governance * GDPR Compliance. Connecting you to the best in the business.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Syxsense

Syxsense

Syxsense brings together endpoint management and security for greater efficiency and collaboration between IT management and security teams.

Practice Labs

Practice Labs

Practice Labs is an IT competency hub, where live-lab environments give access to real equipment for hands-on practice of essential cybersecurity skills.

BackupVault

BackupVault

BackupVault is a leading provider of automatic cloud backup and critical data protection against ransomware, insider attacks and hackers for businesses and organisations worldwide.

Exodus Intelligence

Exodus Intelligence

Exodus Intelligence are an industry leading provider of exclusive zero-day vulnerability intelligence, exploits, defensive guidance, and vulnerability research trends.

Cloud Credential Council (CCC)

Cloud Credential Council (CCC)

The CCC is a leading provider of vendor-neutral certification programs that empower IT and business professionals in their digital transformation journey.

Radiant Logic

Radiant Logic

Radiant Logic is a market-leading provider of federated identity solutions based on virtualization, and delivers simple, logical, and standards-based access to all identities within an organization.

SecurityScorecard

SecurityScorecard

SecurityScorecard provides the most accurate security ratings & continuous risk monitoring for vendor and third party risk management.

ENLIGHTENi

ENLIGHTENi

ENLIGHTENi are the platform to develop next-gen talent in Technology, Risk, and Cybersecurity. Our mission is to develop next-gen talent through challenge-based learning and team collaboration.

Blu Venture Investors (BVI)

Blu Venture Investors (BVI)

Blu Venture Investors is a venture capital firm that supports early stage companies with a focus on technology in diverse domains including cybersecurity, IoT, defense and homeland security.

BlackCloak

BlackCloak

BlackCloak provides Concierge Cyber Security for high-net-worth individuals and corporate executives to protect them from cybercrime, reputational risks, hacking and identity theft.

Citizen Lab - University of Toronto

Citizen Lab - University of Toronto

Citizen Lab focuses on research and development at the intersection of cyberspace, global security & human rights.

Nagios

Nagios

Nagios is a powerful tool that provides you with instant awareness of your organization’s mission-critical IT infrastructure.

Dawgen Global

Dawgen Global

Dawgen Global is an integrated multidisciplinary professional service firm in the Caribbean Region providing a range of services including Risk Management and Information Systems Assurance.

CyberXpert

CyberXpert

CyberXpert is your cybersecurity partner for the public and private sector in Belgium.

North Infosec Testing (North IT)

North Infosec Testing (North IT)

North IT (North Infosec Testing) are an award-winning provider of web, software, and application penetration testing.

Cynch Security

Cynch Security

Cynch Security are passionate about building a world where every business is resilient to cybersecurity risks, no matter what their size.

AppSOC

AppSOC

AppSOC is a leader in Application Security Posture Management (ASPM) and Code-to-Cloud Vulnerability Management.

StackGen

StackGen

StackGen (formerly appCD) automatically generates Infrastructure from Code (IfC) based on application code with golden standards applied.

Syteca

Syteca

Syteca is specifically designed to secure organizations against threats caused by insiders. It provides full visibility and control over internal risks.