That is the damning conclusion of a new report by law firm JMW Solicitors, which analysed Information Commissioner’s Office figures over the past year. It shows that there were 447 data breaches involving charities in the year to the end of March 2020, equivalent to nearly 40 incidents a month.
Although there have been few – if any – high-profile data breaches, three-quarters (76%) were blamed on “administrative error” or internal mistakes, with the remaining 24% being “cyber security incidents”.
Among the cock-ups reported, 90 were cases in which electronic devices or documents containing personal data were either lost, stolen or left in an unsecure location, while a further 75 cases involved data being sent to the wrong person by post, email or fax.
Charities reported 152 data security incidents to the ICO in the year to March 2018.
JMW Solicitors associate solicitor Laura Wilkinson said the figures showed that some charities were still not fully aware of their responsibilities under GDPR.
“Ensuring that personal data is properly protected is a legal obligation, not just an administrative courtesy. However, it would appear that many charities are still struggling to come to terms with their responsibilities under GDPR and the Data Protection Act.
“Whatever the reason, failing to follow the rules can undermine public trust in charities, which is a critical factor for organisations that rely so heavily on people’s goodwill and support.”
The report flies in the face of claims made by Fundraising Regulator chief executive Gerald Oppenheim, who late last year said he believed most charities were complying well with GDPR.
In a speech at the Westminster Social Policy Forum conference on the Future for Charity Fundraising, he said: “It’s a bit like Sherlock Holmes’s dog that didn’t bark in the night time. There is very little evidence that the GDPR is not being respected by charities.”
Oppenheim said the regulator received the “occasional complaint” about charities that had continued contacting people despite being asked not to, but he insisted the systemic issues over the misuse of data, which had triggered the charity sector’s “annus horribilis” of 2015, had been eradicated.
“Overall, charities have got to grips really well with the issues the GDPR presented and are managing their data and consent regimes pretty effectively,” Oppenheim concluded.