Charities and Data Breaches: The Continuing Importance of GDPR

4th June 2020 Media Law

We are now more than two months into lockdown and during that time I have heard a number of people talk about the difficulty of keeping track of time.

They say that the fact that so many of us are working remotely has blurred the lines between our lives at home and work.

Nevertheless, I’ve found it almost impossible to overlook certain dates.

Last week saw the second anniversary of the introduction of the General Data Protection Regulation - or GDPR, for short.

Intended to “harmonise” data privacy laws across Europe, GDPR constituted something of a red letter day for anyone concerned with data rights, given that it set out a series of principles relating to the collection and processing of personal data.

As well as underlining the importance of things such as lawfulness, fairness and transparency, the Regulations brought into being the new concept of accountability for how our data is processed.

Here in the UK, the main points of GDPR were accompanied by the Data Protection Act of 2018, the lead-up to which was trailed by an extensive awareness campaign to educate the public, private and charitable sectors about what was required of them.

Despite all those efforts, it seems that some organisations are still struggling to come to terms with their data obligations.

As I explained in my comments to Third Sector magazine, those experiencing difficulties include charities.

That much is clear from figures released by the Information Commissioner’s Office (ICO), which reveal that there have been 447 separate data breaches involving charities over the course of the 2019-20 financial year.

Furthermore, three-quarters of those were not due to the efforts of criminals but caused by administrative errors, such as failing to secure personal data in hard copy form or on electronic devices or sending material to the wrong person by post, e-mail or fax.

In my opinion, even though the statistics are presented in an anonymised fashion, they still represent a reason for concern.

Protecting personal data is not an administrative courtesy but a legal obligation and there is arguably no excuse for failing to secure that data against unauthorised, unlawful or accidental loss.

I am only too well aware from the cases on which my colleagues and I work that data breaches can have a broad range of adverse effects on individuals, including distress and increasing the risk of fraud or financial loss.

What perhaps makes things even more concerning is the fact that the ICO figures follow the publication of a Government cyber crime survey in which charities appeared to acknowledge that they were failing to follow data protection rules.

Fewer than half of the 317 charities who contributed anonymously to that research kept a formal record of incidents such as hacking, viruses or fraudulent e-mails.

Even a report produced by the Charity Commission found that it was only informed of data loss by 13 per cent of those organisations which had suffered cyber attacks.

The law sets a high bar for all organisations and stipulates that those which fall short could face stiff penalties.

However, charities will be conscious of the fact that they rely on people’s goodwill and support.

Being seen not to follow the rules can erode that trust and the very income which they need to fulfil their objectives.

That critical factor should make them even more focused on their data responsibilities.


Laura Wilkinson is an Associate Solicitor located in Manchester in our Commercial Litigation and Media Law departments.
