Data incidents on the rise?

So, Civil Society reported this week that in the first quarter of 2018/19 the Information Commissioner received 137 reports of data security incidents in charities. This represents more than a sixfold increase from the previous year.

I find this increase quietly reassuring as it suggests that as a sector we are:

  1. Getting better at identifying any lapses in data management/governance and are much more aware of possible breaches of any personal data.
  2. Becoming much more mindful of our duties and responsibilities around the effective management of data and the need to report any data breaches or security incidents.

To my mind this figure is likely to continue to go up before it (hopefully) starts to come back down again. During this time we are likely to see further damaging headlines and public commentary that suggests charities are not doing things properly. As a result, public trust could be further eroded with increasing numbers assuming that charities are ineffective at looking after and effectively managing their greatest asset – their data.

D-Day comes and goes

GDPR and the May 2018 deadline shone a huge spotlight on how organisations gather, look after and manage their data. Everyone (not just charities) was forced to sit up, listen and take action. However, now that ‘D-Day’ for GDPR has come and gone, there is a legitimate worry that the day to day issue of data governance and effective data management could fall off the governance radar and slip slowly back into the pre-GDPR shadows.

As a former CEO I know how challenging it can be to constantly juggle priorities. There are numerous balls that CEOs and charity leaders are trying to keep in the air at any one time – the trick now is for all charities to ensure that the data governance ball continues to remain firmly in the air. Trustees and staff teams must ensure they continue to be fully aware of their data governance duties/responsibilities and that effective systems and processes are in place for monitoring things on a regular basis.

What to do?

So what can charities and other not-for-profit organisations do to ensure that good data governance remains at the forefront of their thinking? As a starter, I would suggest there are five things that any charity Board/CEO/leader needs to start (or continue) to do:

  1. Ensure that ALL Trustees, staff and key volunteers are properly trained and supported to ensure that everyone is aware of their ongoing duties and responsibilities around the gathering, management and use of data.
  2. Create a clear and simple internal process for reporting actual (or suspected) data incidents.
  3. Create a positive reporting culture. Leaders need to have confidence in the speedy recognition and reporting of any actual (or suspected) data incidents or breaches. Far better for people to err on the side of caution and report it (even if they are unsure) rather than ignore it. Obviously mistakes do happen and there needs to be an open culture which encourages people to put their hand in the air rather than worry about getting a kick up the backside.
  4. Report regularly to the Board on data governance and any issues that emerge around compliance.
  5. If you are unsure what to do or unclear how to do it, seek help from experts. One company I have worked with in the past was Protecture, whom I was impressed with. Easy to understand briefings and a useful critical friend to have around. (N.B. – in the interests of transparency I can report that no monies or benefit have been received for this mention of Protecture in my blog!)

Societal norm?

Data security incidents are sadly now part of our everyday society. We are seeing on a daily basis businesses and organisations globally reporting that there have been security breaches, data mishaps, failure of internal systems or in some cases simple pure ignorance of management. And charities are no different.

The ICO makes clear that changes in data protection rules (brought on by the implementation of GDPR in May) are likely to drive an increase in reporting of incidents. We should not therefore be overly concerned with this current increase. However, we do need to ensure that as charities we do not slip back to an era where data security was simply seen as something that the IT team were responsible for.

We all have a responsibility to ensure that our respective organisations are fully compliant and constantly monitoring how we are collecting, managing and using data. That begins with charity leaders who must ensure that the next thing on the ‘to do’ list does not overshadow the ongoing day to day responsibilities for ensuring their organisation is doing all it can to properly manage data and in doing so protect its greatest asset.


Former charity CEO passionate about helping charities and not-for-profit organisations across the UK to Thrive. With over 25 years' experience I support people and charities to be the very best they can be. I recently set up Thrive Charity Consulting offering a wealth of insight, experience and expert advice. We help people to solve problems, overcome challenges and maximise individual and organisational effectiveness.
