Charities might have fewer resources than the average for-profit organisation, but they still have an obligation to keep information secure. Anyone who signs up for a charity hands over their personal details, including their name, address and usually their payment card details. Charities also keep information on employees, the people they help, and present and future projects. If any of this data was breached, it could be disastrous.
Breached charities face lasting reputational damage, with people much less likely to donate to a charity if they believe their personal data could be exposed. Additionally, breached charities could face strong disciplinary action. The Information Commissioner’s Office came down hard on charities last year, issuing eleven fines totalling £138,000.
Fines are no doubt frustrating for charities, but they are often accompanied by enforcement action. This involves the charity being investigated by the ICO and given a list of measures to achieve regulatory compliance. Failing to follow through with these steps will lead to further punishment.
The disciplinary process will be even stricter as of 25 May 2018, when the EU General Data Protection Regulation (GDPR) takes effect. The GDPR strengthens individuals’ rights relating to their personal data and introduces many requirements for keeping information secure. The Regulation gives supervisory authorities the power to issue much stronger punishments and, as with current data protection laws, there are no exemptions for charities.
GDPR compliance is paramount for all organisations that collect EU residents’ personal data, but it shouldn’t be their only focus. They should also implement ISO 27001, the international standard that describes best practice for an information security management system (ISMS). Whereas the GDPR provides a comprehensive framework for protecting personal data, ISO 27001 covers every kind of information an organisation holds, including financial records, research and intellectual property.
ISO 27001 is highly compatible with the GDPR, and implementing its requirements will give charities a head start when preparing for the Regulation.
If you are interested in certifying to ISO 27001, take a look at our gap analysis service. It’s ideal for any organisation that wants help getting started with ISO 27001 and provides detailed advice on the areas that need most focus.
One of our experts will conduct an in-person review of your information security posture and assess whether you are ready to begin an ISO 27001 implementation project. They will provide you with:
- A proposed scope of your information security management system;
- An overview of your internal resource requirements; and
- A potential timeline to achieve certification readiness.