Charities rely on online providers for services relating
to personal data now more than ever. As a leading sector supplier
reveals that data was removed from its system, we ask: what does an
event like this mean for the charities affected?
Cyber-crime, including scenarios where ransoms are demanded to
decrypt data or destroy improperly taken copies, is a fact of life.
The recent news that Blackbaud was subject to an attack is a
reminder that the charity sector is not immune. The scenario, in which
a cloud provider is attacked but recovers the data, is a challenging
one for trustees. It is specific enough to engage a very particular
application of the rules and requirements, but at the same time it is the
sort of scenario for which, ideally, they should already be prepared.
Here we look at some key issues for charities to consider.
Data Protection Considerations for Charities
Under data protection law, an online provider of cloud-based
services is usually a “data processor” to the
charity as “data controller”.
When engaging processors, the GDPR requires charities to:
- Ensure there is a written contract in
place that contains the mandatory provisions set out in the GDPR.
The GDPR sets out specific provisions governing controller/processor
relationships, and these must be included for compliance.
- Choose processors that provide
“sufficient guarantees”. In practice, this
involves carrying out due diligence on the processor to make sure
that they will handle the data in accordance with GDPR standards.
Questions to ask include whether the processor encrypts the data at
rest and during transit. Is a copy of the data kept in a secure
backup? Is the processor certified to a recognised security
- Take additional steps if the
processor transfers personal data outside of the UK or the
Processors are required by the GDPR to report breaches to the controller “without
undue delay”, but in our experience this does not always
happen. If you have not been contacted by your processor about a
data incident, but you are aware of one involving them, it is
prudent to check with them whether your data has been involved.
As a priority, charities told that their data may be involved
should obtain from the processor assurances about the extent of the
loss, what data was involved, and whether the data is now
As the charity is the controller, it is the charity’s
responsibility to report the data breach to the ICO “unless
the breach is unlikely to result in a risk” to
individuals. If it meets the threshold for reporting, a breach must
be reported within 72 hours of the charity becoming aware. Even if
the data processor has made its own voluntary report to the ICO,
reporting, if required, remains the charity’s responsibility.
Not all breaches are reportable and charities should consider
carefully whether the circumstances warrant reporting.
If a charity does decide to report a breach to the ICO in
circumstances where the breach was caused by a processor, then the
charity should check to make sure that the three steps outlined
above were taken. The ICO is far less likely to take enforcement
action against the charity if the arrangement is compliant and
appropriate checks were carried out by the charity on the
processor. The ICO has previously fined controllers that didn’t
do enough to check their contractor’s compliance.
A charity will also need to consider reporting to affected data
subjects. The threshold here is higher than it is for reporting to
the ICO: data subjects only need to be told if the breach
represents a “high risk”. However, it can
sometimes be prudent to inform individuals even where the legal
threshold has not been met. For example, if there is a risk that
the breach will become public knowledge, it may be better
reputationally for the charity to be seen as transparent and
proactive, rather than for individuals to find out later that their
data had been compromised.
There are other points to consider, for example, whether to
notify the police. Insurers should also be involved.
Do I Need to Report Serious Incidents to the Charity
More easily overlooked is the need to report a serious incident
to the charity regulator. Non-exempt charities in England and
Wales (the majority of charities, which are directly regulated by the Charity Commission) will need to consider
whether to make a report to the Charity Commission. Exempt
charities should check the reporting requirements of their own
For non-exempt charities, reportable serious incidents are
adverse events, actual or alleged, involving or risking significant
harm to the charity, its work, property, assets or the people it
comes into contact with. A decision whether or not to report – the
reasoning for which should be recorded – is typically made with
close reference to the Charity Commission’s guidance on
reporting serious incidents. It will often involve exercising
judgment, guided by the guidance, about whether the threshold of
significant harm is met.
There may be no fixed deadline for reports to the Commission,
but that does not mean that reporting is not a priority. Reports to the
Commission must be made promptly, as soon as is reasonably possible
or immediately after the charity becomes aware. Depending on
circumstances, this could be a more stringent requirement than a
Where data breaches are concerned, trustees can often short-cut
deliberations about the significance of harm. A list of examples
published by the Charity Commission specifies a data breach
reported to the ICO as a reportable serious incident. If the matter
is reported to the ICO, then it follows that a report should also
be made to the Charity Commission. The importance of reporting to
the Charity Commission is underlined by extensive statutory powers
to share and receive information from other regulators – it is at
least possible that the Commission could learn from the ICO if a
report of a data breach has been made.
The Commission’s guidance also indicates that, with a few
exceptions, charities should report cyber-crime involving them.
Given the Commission’s interest in risk affecting the sector at
a strategic level, this even includes attacks blocked by security
systems if they are unusual. Significant harm includes adverse
publicity harming the charity’s reputation.
Given the ability of the ICO and the Charity Commission to share
information about charities under their mutual regulation, it is
also true that the ICO could become aware of a data breach from the
Charity Commission. Trustees who make a serious incident report to
the Charity Commission may therefore wish, even if the threshold
for mandatory reporting to the ICO is not met, to make a voluntary
report to the ICO. If the trustees decide to report to the
Commission but not the ICO, then the submission to the Commission
should set out very clearly why the trustees consider that the
threshold for reporting to the ICO has not been met.
Given the potential for the Charity Commission and the ICO to
co-ordinate, particularly where a publicised breach affects a
number of charity data controllers, it is at least pragmatic (and
in some circumstances required) to make a report to both.
The content of this article is intended to provide a general
guide to the subject matter. Specialist advice should be sought
about your specific circumstances.