Membership organisations risking major fines for data protection breaches

One-in-four suffered a cyber security incident last year but most are not prepared for tough new legislation

PKF Littlejohn’s fourth annual Survey of Membership Organisations, published today, reveals that the sector is readying itself for Brexit but neglecting to adequately prepare for major new data protection laws that come into effect next year.

The report finds that the UK’s anticipated departure from the EU is one of the sector’s primary concerns.  Over half of the respondents identified Brexit as one of their three biggest worries over the next three years, and they expect the impact to be felt primarily by their members.

With the actual departure from the EU likely to be only two years away, 82% of membership organisations are taking steps to prepare themselves and their members for Brexit.  Actions taken include adding Brexit to the organisation’s risk register (54% of respondents), working more closely with bodies that have similar Brexit concerns (50%), engaging more with members about Brexit (46%) and increasing lobbying (38%).

The 2017 Survey of Membership Organisations also finds that the sector needs to work harder to protect the data that it holds, as both the risks and the likely penalties for suffering a data loss continue to increase.  Indeed, 24% of respondents had suffered a cyber-security incident in the past 12 months, with the most common incidents being ransomware attacks and the cloning of IDs.

The Information Commissioner (ICO) stated recently that organisations need to rethink their approach to data protection and is backing up this warning with decisive action.  Meanwhile, a new EU Directive, the General Data Protection Regulation (GDPR), is due to come into force in May 2018 and increases the size of the fines that can be levied in the event of a data breach or non-compliance to up to 4% of the annual worldwide turnover of an organisation or €20 million.

Despite the clear risks and the tougher regulatory environment, the authors found that 28% of respondents do not have clearly assigned responsibility for keeping data secure; over 40% did not encrypt all devices, creating a clear issue if hardware is lost; 56% have no ongoing staff awareness programme on data protection; and only 56% have a disaster recovery plan in place (of those that do, a third had never tested it).

Ian Mathieson, head of the Not for Profit team at PKF Littlejohn, added: “Change and uncertainty are the new norms – strong leadership, effective corporate governance and continued horizon scanning for rapidly changing risks and opportunities have never been so important if an organisation is to thrive and survive. It is clear from this survey, that there are some great examples of sector organisations grasping the nettle.”

Eric Hindson, partner at PKF Littlejohn and head of membership organisations, said: “The clear message emerging from this year’s report is that the Membership Organisations sector is heading for choppy waters.

“The most significant risk, as identified by the sector, is Brexit - particularly the economic uncertainty and potential staffing issues that it creates both for the organisations themselves and for their members. It is therefore encouraging to see the sector working hard to ensure it is in as strong a position as possible to represent its members and to demonstrate value to them.

“However, the sector also faces a major challenge that appears to have slipped below its radar: data protection. Membership organisations rely heavily on personal data relating to members, donors and other stakeholders, but many face serious challenges regarding the capture, processing and securing of this information.

“The EU General Data Protection Regulation comes into force in just over a year but a significant number of organisations are not ready for the new legislation. The fines can be punitive – a €20 million penalty is enough to put most membership organisations out of business – and the sector needs to undertake a great deal of work very quickly to prepare itself.

“The difficulty for most membership bodies is that they typically have limited financial resources and are focussed on the provision of services. But none of that will count as mitigating factors if you suffer a data breach or use personal information inappropriately.

“By raising awareness of this issue now, we hope to encourage the sector to get to grips with the new GDPR sooner rather than later.”

For more information, visit the Membership Organisations page of our website.