Last year, 31% of businesses and 26% of charities experience breaches or attacks at least once per week (the NSCC Annual Review of 2022). As organisations increasingly rely on technology to collect, process, and store sensitive data, it becomes paramount to ensure that such information is secure at all times.
Grant management in particular involves the handling of vast amounts of personal data, including financial information, personal identification details, and project-related data. Any breaches can have devastating consequences, not only for the individuals involved but also for the organisations responsible for managing it.
This article will explore the best practices for personal data management in grant making so that funders can pursue their mission undisrupted.
The Risks of Poor Personal Data Management
Poor data management practices can have far-reaching consequences. As well as legal liability, breaches can lead to reputational damage and the loss of stakeholder trust.
One of the most significant risks is the loss of Personally Identifiable Information (PII), which can lead to identity theft and other types of fraud or – in the case of the charity HIV Scotland in 2020 – the emailing of information that identified to third parties the HIV status of patients. The organisation was said to have been aware of the risks of their methods and procured more secure methods several months prior to the incident, but had failed to start using them.
Aside from the potential consequences for the individuals whose information is shared, charities and non-profits simply cannot afford the fines involved, nor the claims for compensation from those affected. Having robust, secure data management protocols therefore contributes to the good work that funders set out to do.
Personal Data Protection Methods
Data Privacy Policies and Procedures
Implementing data privacy policies is essential, and any organisation working with stakeholders in the EU should already be following such policies due to the GDPR. Things became more complicated after BREXIT, as those operating in the UK need to follow the Data Protection Act for the processing of UK residents’ personal data, while the GDPR applies to the personal data of EU residents.
New regulations are being enforced all the time throughout the world, so it is essential to keep on top of the changes that affect your organisation and brief all personnel accordingly.
A secure data management plan should outline the procedures for collecting, using, and storing personal data, including the types of data that will be collected, who will have access to the data, and how the data will be secured.
In addition to a data privacy policy, you should also have a documented disaster recovery plan in order to mitigate the impacts, were a breach or other type of cyber-attack to occur. It should detail a clear process for reporting and investigating breaches, as well as a plan for notifying affected individuals and authorities.
In the UK, for example, the ICO recommends completing a risk assessment when a breach is discovered, which would require an assessment of what type of data is involved, the number of people affected, and the possible harm that may result. Organisations need to a report a breach to the ICO only if personal data is involved and the breach puts people at risk.
Documentation on these policies should be easily accessible to all employees, and new employees should receive training about it as part of their onboarding.
Effective Access Control Measures
You should implement access controls wherever appropriate to ensure only authorised persons can view personal data. Our grant management software contains the Role Groups & Permissions feature which lets you create different user role groups, then assign different levels of access and permissions to each role group, so you have control of who can see what information at all times.
Effective Password Management
Passwords are the first line of defence against unauthorised access, and organisations should ensure that employees use strong passwords that are difficult to guess or crack. While this may sound obvious, it’s surprising how often it’s overlooked; according to Verizon, 81% of breaches are the result of weak passwords.
Make sure your staff understand the importance of creating strong passwords, of changing passwords often, and of using unique passwords for different systems.
Keep Your Data Organised
If your organisation’s data is stored in multiple systems, it’s much harder to keep tabs on whether policies and procedures are being enforced. The more centralised your data, the better, so it’s important to review how things could improve in this regard.
Using a Customer Relationship Management system, for example, will bring much-needed peace of mind that any information your applicants and awardees has shared with you is secure. This is a much more compliant scenario than relying on separate communication channels.
The same can be said of using a grant management system on the whole, as it removes the need for printed documents to be exchanged, thereby preventing the risk of information getting into the wrong hands.
Employee Training on Personal Data Management
All employees should receive training on data privacy and security, including the importance of safeguarding personal data, the risks of failing to do so, and best practices for data management.
Training should be ongoing, with regular refresher courses to ensure that employees stay up to date with the latest practices.
As well as conducting training on data management, employees should learn about a range of cybersecurity threats, from phishing to social engineering – especially employees that have any type of ‘gatekeeping’ roles.
Use Secure Grant Management Software
No matter how well-informed your staff are, using insecure, out-of-date software is a big vulnerability. Make sure the software encrypts data while in-transit and at-rest and for Personally Identifiable Information, stronger encryption protocols should be used. Here at Fluent Technology, we are accredited to ISO 9001, ISO27001 and Cyber Essentials information security standards.
Summary
All organisations must keep a close eye on their data management practices in order to ensure compliance, and this is vital for grant funders due to the nature of the information being submitted in applications.
Failing to enforce a comprehensive data management strategy may lead to legal liabilities, reputation damage, and a lack of stakeholder trust, so taking the time to conduct a thorough audit of what’s working and what needs to improve is well worth the time.
First and foremost, funders must make sure all their staff are well-informed about the data privacy laws that apply to the region they operate in, and must make any related documentation easily accessible to them. It’s all well and good for them to undergo training but if it’s not easy for them to find the information to refer back to, it’s a wasted effort.
Other methods to ensure security include using software that encrypts personal data and has access control features. Keeping data organised and centralised is another important step, as it makes it far easier to track adherence to policy.
The most effective way to keep data protected and centralised is by using a grant management system. Flexigrant is one of the UK’s leading grant management platform. It provides a central hub for all grant management activities and is built on a foundation of secure protocols.
To discover how we can help you, contact us today to book a demo.