Commonly asked questions — protecting your data and systems

We’ve been running a few events recently focusing on preparing for the General Data Protection Regulation which comes into force in May 2018, this is a practical introduction for charities to understand key terminologies and know what tools are out there to help with preparations. At our recent Tech for Good Bath meetup Harry Metcalfe (Founder of dxw) and Ed Geraghty (technologist at Privacy International) shared informative insights into taking a responsible approach to cyber security. Here we’re sharing the questions which we are often asked during our sessions and responses which draw on guidance from experts and online resources.

Do I need to consider our charity volunteers in my approach to GDPR? Yes. The GDPR legislation applies to all those whose personal and sensitive data you hold. You need to check your process for collecting data about volunteers, make sure you are only collecting what you need and that your approach is compliant with the new regulation. Volunteers may also be responsible for handling and sometimes collecting personal data. It’s really important that they receive training on their responsibilities and only have access to the information they need to carry out their volunteer work.

What about the information I hold on paper, do I need to think about that? Yes, GDPR covers all personal and sensitive data held physically and digitally. Think first about whether you need to be holding data on paper, if the answer is no consider if you can migrate to digital storage and destroy the paper copies. Where paper copies are necessary remember that clear policies and procedures are only one part of your approach. Paper can easily be copied, lost and left on desks for people who shouldn’t have access to see. Make sure that you have regular staff training about information management responsibilities.

GDPR is EU legislation, will it apply to us if we are leaving the EU? The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU. Therefore GDPR will apply to UK based organisations from May 2018, as we are still part of the EU at this point.

We are a very small charity and I’m worried we don’t have the time or resources to put appropriate preparations in place. What should we do? It’s important that you do prepare for GDPR and seeking support from your Board of Trustees is a good first step. The ICO have a very responsive helpline for small charities and a clear 12 step guide to getting GDPR ready. Make a plan and assess what resources you have to deliver. If you can, talk to other charities about what they are doing, you might find they are in a similar position or have key learnings you can build on. Ask for support from contacts in the technology and legal sector — you’ll be surprised at how many people might want to help.

I know it’s important to have secure passwords but I’m worried I’ll forget my passwords so I tend to keep the same one. Is this ok? In short, no it’s not ok but there are easy ways to make sure your passwords are secure. It is becoming much easier for passwords to be compromised. Any thoughts you have that yours is very secure and impossible to guess are likely to be proved wrong very quickly. Use a password manager like 1 Password which sets your passwords for you easily.

We have a number of workers who work remotely — how do we make sure our data is secure? It’s a good idea to have a policy about using devices, which applies to computers, phones and any other equipment used to hold data. At a minimum you should ensure that people working from home have a password on their wifi, have malware protection in place and install ad blockers (this can be a key source of viruses). A few useful and free tools out there are Malwarebytes and U Block Origin.

How do I know if my email and/or password has been compromised? Ed and Harry introduced us to Have I been pwned? This website enables you to type in your email address and see if it has been hacked — if it has change your password immediately!

Where should I start in getting ready for GDPR and making sure my systems are secure? Head to the ICO website and take the self assessment. Then take a look at their 12 step guide to GDPR readiness. Make a plan and consult your teams and Trustees. Our training sessions provide a number of useful tools and resources which are all available online so do get in touch if you have any questions.

Originally published at on February 13, 2018.