Charities at risk ahead of GDPR implementation

As 25 May edges closer, companies across Europe are implementing new data protection, handling, and processing mechanisms (both online and offline), in a bid to be compliant with the new requirements.

Recently released data from a Deloitte study has shown that only 15 per cent of businesses across the EMEA expect to be wholly compliant come the effective date.

One of the greatest areas of change being brought on by the new regulations surrounds cyber security, and the mandatory reporting of data breaches within 72-hours

This is alongside the need for utilising cyber security technologies to be active in monitoring. threats and vulnerabilities.

On 1 March, the National Cyber Security Centre (NCSC), published its latest threat assessment and found evidence that the third sector (charities) has a shortage of specialist staff with the necessary technical skills to cover cyber security.

It’s not so much the new legislation coming into effect that will directly impact charities, but the fact that privately funded businesses appear to be progressing a lot faster in terms of implementing cyber security measures ahead of the GDPR effective date.

Charity websites can be an information goldmine

Charity websites in their own right are bountiful sources of sensitive information, and it’s not uncommon to find any of the below on any given charities website:

• A contact form
• Volunteer application form
• Event registration form
• Donation form
• Support forums

Even a small charity website can gather information on hundreds of data subjects a year, and this has prompted the NCSC to provide a guide to charities in how to install the basics of cyber security, such as data backups, malware protection, and adding two step password authentication on all software and devices.

According to the latest data from, there are 168,237 registered charities in the United Kingdom alone, with 34 per cent (57,570), of them registering an annual income within the range of £10,000 to £100,000.

Based on these income levels, it can be assumed that these charities receive a substantial number of donations from either grants, online donations or fundraising.

This makes them prime targets for potential ransomware attacks, where computers and assets owned by charities are incapacitated until a financial ransom is paid, much like the WannaCry attack on the NHS.

Cyber-attacks can not only be devastating, but they could be deadly

Charities are not immune to the threats of cyber-crime and fraud, and having to publicly disclose turnover and surplus means hackers and cyber criminals can focus their targets.

More established charities that may have measures in place to prevent direct extortion can also fall victim to a number of other exploits such as cross-site request forgeries, or even “Zombie” attacks where a user’s browser is used to run malicious software and scripts (like the issue that affected the ICO website).

An attack on a smaller charity, or fine under the new GDPR regulations, could not only be damaging but potentially a fatal blow to operations.