If your Church or Charity had a data breach, would you realise?

GDPR has now been in effect for some time and many churches and charities will be compliant as a result. However, if your organisation had a personal data breach, would you realise, and would you know how to respond appropriately?

Under the EU General Data Protection Regulation (GDPR), personal data breaches that are likely to result in a risk of harm to affected individuals must be reported to the ICO within 72 hours of your organisation becoming aware of them.

In the nine months since GDPR came into force, more than 59,000 personal data breaches have been reported to regulators, most of them occurring in Germany, the Netherlands and the United Kingdom. These range from minor breaches, such as an email being sent to the wrong recipient, to major cyber-attacks affecting millions of individuals.


6 Examples of data breaches

Here are the types of breaches that your church or charity could be affected by:

  • Personal data that you hold being accessed by an unauthorised third party;
  • Deliberate or accidental action (or inaction) by a controller or processor;
  • Sending personal data to an incorrect recipient;
  • Computing devices containing personal data being lost or stolen, e.g. USB sticks, external hard drives, laptops etc.;
  • Alteration of personal data without permission; and
  • Loss of availability of personal data.

Here are 5 specific scenarios:

  • A volunteer or employee emails an annual giving statement to the wrong donor
  • You give someone outside your organisation access to your CRM, forgetting to limit access rights, meaning they have unauthorised access to all personal data relating to donors
  • Your church website gets hacked and the hacker has access to personal data
  • An employee leaves your organisation without returning a church laptop which contains personal information
  • You return from a Trustee meeting only to realise you have lost the memory stick with personal data about all your Trustees

The ICO checklist for data breaches

Your charity needs robust breach detection, investigation and internal reporting procedures in place. The ICO checklist for ensuring that you are prepared for any breaches that occur, and know how to respond, includes the following.

Preparing for a data breach:

  • Do you know how to recognise a personal data breach?
  • Do you understand that a personal data breach isn’t only about loss or theft of personal data?
  • Have you prepared a response plan for addressing any personal data breaches that occur?
  • Have you allocated responsibility for managing breaches to a dedicated person or team?
  • Do your staff know how to escalate a security incident to the appropriate person in your church or charity to determine whether a breach has occurred?

Responding to a data breach:

If a data breach does occur, your organisation should be able to answer ‘yes’ confidently to all of the following.

  • Do you have a process in place to assess the likely risk to individuals as a result of a breach?
  • Do you have a process to notify the ICO of a breach within 72 hours of becoming aware of it, even if you do not have all the details yet?
  • Do you know what information you must give the ICO about a breach?
  • Do you have a process to inform affected individuals about a breach when it is likely to result in a high risk to their rights and freedoms?
  • Do you know that you must inform affected individuals without undue delay?
  • Do you know what information about a breach you must provide to individuals, and that you should provide advice to help them protect themselves from its effects?
  • Do you document all breaches, even if they don’t all need to be reported?

Make sure to keep a lookout for further articles tackling some of these individual topics, and be sure to get out to our free seminars such as our upcoming Trustee Responsibility event in Croydon on Saturday 16th March where we will be tackling this subject and more.

ICO Personal data breaches
DLA Piper GDPR Data Breach Survey: February 2019


GoodtoGive can support you with the implementation of your GDPR processes. We run a number of Charity Compliance Events & Training sessions each month, and our G-Flow software also helps churches and charities manage GDPR. Contact us to find out more.
