Even charities are at risk of serious cyber attacks and data protection liabilities

Scottish Association for Mental Health (SAMH) has been the victim of what it describes as a "sophisticated and criminal cybersecurity attack" which has resulted in a substantial number of files being stolen by the attackers.

Many of us will be accustomed to hearing news of cyber attacks on various commercial organisations nowadays. In particular, we are seeing a marked increase in the number of ransomware attacks where the files accessed during the attack are encrypted in order to extort cash from the organisation in exchange for their return. SAMH however, is clearly shocked to be the target of such an attack and the consequence of this has been a serious disruption to its invaluable charitable work.

This latest attack is a timely reminder that those criminals do not care about who they target or the work that their victims do; every organisation, from the smallest charities to the largest international commercial entities, need to be alert to the fact that an online presence carries a risk of cyber attacks and potential data breaches. 

The UK GDPR and Data Protection Act 2018 apply to all data controllers of personal data, with no exception for small businesses and charities. In many ways, charities such as SAMH which process vast quantities of "special category data" (such as data relating to health, race, sex life or religion) face a greater risk due to the fact that any unlawful access to this data is likely to result in far greater harm to the individuals concerned. 

As a consequence, it should be more important than ever for charitable organisations to consider data protection as a key priority to protect both the individuals that they support and themselves. Article 32 of the UK GDPR sets out the rules around security of personal data, and in particular that the controller implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk. If your charity is handling special category data, then it is essential to take steps to protect that data which go beyond just the basics. While not every cyber attack can be prevented, we have seen time and time again that the Information Commissioner's Office does not give any special leniency to charities for failing to take the appropriate steps in the first place to prevent unlawful loss of data. 

While implementing state of the art IT security measures may be out of reach for some charities or small businesses, taking an organisational and risk based approach to data protection is a significant first step. Taking the time to review your processes for handling and storing personal data now can pay dividends if you are unfortunate enough to be targeted by cyber criminals in the future.