Cyber Crime Prevention For Charities


Over the past number of years cybercrime has become a menace to the global economy, and Ireland has seen a dramatic spike in cyber crime activity in recent years. In 2014 the cost of cyber crime in Ireland alone was €498,000. By 2016 this figure had jumped to €1.7 million, and it will rise further in the coming years. Industry sectors such as financial services and government agencies have had their battles with cybercrime well documented, but charities have not been immune: the Trinity Foundation, the fundraising arm of Trinity College Dublin, suffered a cyber security attack in April 2017.



The impact of a cyber attack is two-fold. When an organisation falls victim to a cyber attack the immediate concern is generally the financial impact. However, the long-term damage a cyber attack can do to a charity’s reputation is of much more concern. The protection of personal data is at the forefront of the public’s concerns when dealing with companies and charities alike. Donors’ e-mail addresses being passed on to third parties is a simple example of a breach of the GDPR that many charities could fall foul of unwittingly, and one that exposes the gaps in a charity’s cyber security. As well as the loss of donor trust, failure by a charity to adhere to the incoming GDPR could result in fines of up to €10 million or 2% of annual turnover for serious breaches of the regulations. Cybercrime can take many forms, and it is critical that charities are aware of the threats so they can take corrective action to minimise them.


Types of Cybercrime


Ransomware is a type of malicious software that encrypts the data on a user's PC so that it is no longer accessible. Fraudsters demand a fee in return for the decryption key that frees up access to the data once more. Ransomware attacks most commonly occur because an unsuspecting employee inadvertently opens a mail attachment.


Ransomware attacks have the ability to cripple an organisation's ability to operate and so preventative action must be taken in advance to avoid such a scenario:


  • Charities must securely back up their data. If such an attack were to occur the charity could restore its network from the backed-up data and continue to operate.
  • Provide proper staff training on what to look out for. It is also important to remember that a charity’s volunteers are treated the same as full-time staff members in relation to the GDPR. This means that it is the responsibility of the charity to train its volunteers the same way it trains its staff.
  • Develop a comprehensive response strategy for a ransomware attack. The old saying ‘Fail to prepare, prepare to fail’ comes to mind.


Spear phishing is the use of highly personalised fake e-mails targeted at a specific individual in an organisation. A fraudster masquerading as the CFO or COO of an organisation and instructing an employee to transfer funds to another bank account is an example of how such an attack can affect an unsuspecting victim. In October 2016, Meath County Council fell victim to a spear phishing attack. Cyber criminals masqueraded as the chief executive of Meath County Council and instructed a junior staff member to transfer funds to an overseas account. In all, €4.3 million was stolen from Meath County Council. In this case the transfer was flagged as suspicious and, with minutes to spare, the bank account in Hong Kong that had received the council’s funds was frozen. This was a lucky escape and should be a lesson to all organisations on how financial and sensitive information is communicated by e-mail and how it should be communicated securely. This was also the tactic employed in the aforementioned Trinity Foundation case earlier this year.


Once again the best and most cost-effective measures to prevent such an attack are to inform, train and educate staff and volunteers on the signs to look out for. Have a specific protocol in place and stick to it when discussing sensitive or financial information via e-mail. That way any unusual e-mail should jump right out at you, be flagged and be acted upon immediately. This, combined with an e-mail protection solution, should leave you well prepared for such an attack.
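As an added example (not code from the original post), this is one way the ‘specific protocol’ above can be backed up in software: a triage function that looks at an incoming e-mail for the CEO-fraud indicators described in the Meath County Council case and holds any funds-transfer request for out-of-band confirmation. The organisation domain, the executive list and both sample messages are constructed for illustration.

```python
"""Spear-phishing (CEO fraud) triage for payment-request e-mails.

Added example, not code from the original post. The executive list, the
organisation domain and the two messages are constructed for illustration.
It implements the "specific protocol" the article recommends: an e-mail
asking for a funds transfer is held and verified out of band before anyone acts.
"""
import email
from email import policy
from email.utils import parseaddr

ORG_DOMAIN = "example-charity.ie"                               # assumed
EXECUTIVES = {"Aoife Byrne": "aoife.byrne@example-charity.ie"}  # constructed
PAYMENT_WORDS = ("transfer", "wire", "bank account", "payment", "iban")
URGENCY_WORDS = ("urgent", "immediately", "today", "confidential", "asap")


def triage(raw: str) -> dict:
    """Return the indicators found in one RFC 5322 message and a verdict."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", "") or "")
    body = msg.get_body(preferencelist=("plain",))
    text = (body.get_content() if body else "").lower()

    flags = []
    # A known executive's display name on an address that is not theirs.
    known = EXECUTIVES.get(from_name.strip())
    if known and from_addr.lower() != known:
        flags.append("executive display name on foreign address")
    if from_addr.rsplit("@", 1)[-1].lower() != ORG_DOMAIN:
        flags.append("sender outside organisation domain")
    # Replies quietly redirected to a different mailbox.
    if reply_addr and reply_addr.lower() != from_addr.lower():
        flags.append("reply-to differs from sender")
    if any(w in text for w in PAYMENT_WORDS):
        flags.append("requests a funds transfer")
    if any(w in text for w in URGENCY_WORDS):
        flags.append("urgency or secrecy language")

    # The protocol: a transfer request is never actioned from e-mail alone.
    if "requests a funds transfer" in flags:
        verdict = "HOLD: confirm by phone on a known number before any transfer"
    elif len(flags) >= 2:
        verdict = "SUSPICIOUS: report to IT"
    else:
        verdict = "OK"
    return {"flags": flags, "verdict": verdict}


# Constructed sample following the pattern described in the post above.
FRAUD_SAMPLE = """\
From: Aoife Byrne <aoife.byrne@examp1e-charity-mail.com>
Reply-To: ceo.private@examp1e-charity-mail.com
To: junior.clerk@example-charity.ie
Subject: Urgent and confidential
Content-Type: text/plain

Please transfer EUR 43,000 to the account below today. Keep this confidential.
"""

NORMAL_SAMPLE = """\
From: Aoife Byrne <aoife.byrne@example-charity.ie>
To: junior.clerk@example-charity.ie
Subject: Board minutes
Content-Type: text/plain

Attached are the minutes from Tuesday. Thanks.
"""

if __name__ == "__main__":
    for sample in (FRAUD_SAMPLE, NORMAL_SAMPLE):
        print(triage(sample))
```

The keyword lists are deliberately simple; the value is in the rule that a transfer request is always held for a phone call, whatever the scoring says.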


Protecting Your Data

The implementation of the much discussed EU General Data Protection Regulation (GDPR) is fast approaching. All charities operating in Ireland will be affected. It is being enforced so that EU citizens’ data is protected correctly and ethically, and this will ensure companies and charities alike are protected against potential cyber threats. The key thing to remember about the GDPR is that you must be seen to be actively working towards compliance. Previously you would only be inspected by the Data Protection Commissioner if there was a data breach or a suspected one. Under the GDPR you can be inspected at any time; you don’t have to be perfect, but if you’re not seen to be working towards compliance then you will be in trouble.


Charities face a number of specific challenges when becoming compliant with the GDPR:


Resourcing challenges - Most charities will not have the resources to employ a full-time Data Protection Officer to ensure compliance with the GDPR.

Training challenge - Having access to the correct and most up-to-date data protection laws and having the staff available to mentor others in the organisation on compliance with these regulations will be a challenge for many charities.

Policies - Having the correct policies and procedures in place will be another time-consuming challenge. The GDPR will require charities to show evidence of their updated policies in order to be compliant.

Employee and Volunteer data - Charities rely on their employees and volunteers to provide the services and supports they do. As a result, all employee and volunteer training must be correctly recorded and securely stored, and everyone who volunteers must be trained in data protection protocol. This will be another strain on resources.

Data breaches - Any breaches of data security must be reported within 72 hours under the GDPR. Without the resources available for a Data Protection Officer charities could potentially struggle to identify and take the necessary actions required to rectify such a breach.

Outsourcing / third parties - Many charities use third parties to recruit volunteers for fundraising activities such as door-to-door and direct mail campaigns. It will be the charity’s responsibility to ensure that it knows where this data is stored, that it keeps processor logs and that the relevant processor agreements are in place.


Getting ready for the GDPR may appear quite daunting, but the key thing to remember is that you need to be seen to be compliant. The worst outcome would be to have a data breach and not have policies, training and proper record keeping in place when you have to report the breach to the Data Protection Commissioner. If you are seen to be working towards compliance with the GDPR, you will be in a much stronger position.


So how do you prepare for the GDPR? LIKECHARITY have partnered with Ireland’s leading data protection service provider, Sytorus, to offer the charity sector a customised solution called LIKECHARITY Privacy Engine. The partnership came about because we are using Privacy Engine ourselves to prepare for the GDPR and found it indispensable.


This tool allows charities to:

  • Maintain all mandatory logs.
  • Train staff and measure their awareness.
  • Maintain all relevant policies and procedures.
  • Identify risks and assign tasks to others.
  • Interact live with an actual Data Protection expert to answer your ‘how do I’ questions.


The deadline for GDPR is only around the corner and you need to be preparing now, not after May. Click here to find out more about the reduced charity rate we have available for Privacy Engine.




Does the GDPR affect your charity?

This is a guest post from Clare Deegan of Sytorus.

To mark exactly one year to go before the GDPR becomes enforceable, the Irish Data Protection Commissioner, Helen Dixon, took to the airwaves of Morning Ireland in May to warn companies who still believe that the GDPR won’t impact their organisation. It has been our experience that charities have felt most impacted by the GDPR, yet many charities still believe the GDPR won’t affect them. Ms Dixon stated that ‘90% of small and medium sized business’ will be impacted by the GDPR with ‘fewer than half of these businesses being aware’; many small companies who believed the GDPR did not impact them sat up and took note. Ms Dixon’s position was clear: ‘doing nothing means you are automatically out of compliance’ and ‘it won’t be possible to get ready in a few months’. If you missed the interview, click here!

A number of charities have been in the firing line in recent years, and since charities exist on donations, it has never been more important to earn the trust of your donors. The GDPR will impact marketing campaigns, fundraising and volunteers. If you are confident that your organisation is one of the 10% of organisations not impacted by the GDPR, then consider the following before you close the door:

  • Cookies: as Ms Dixon called out this example in her interview, it is worthy of being top of your list of considerations. If your website sets cookies, then you are collecting personal information; therefore, you will be impacted by the GDPR.

  • Volunteers are employees: if you have even one employee on your books, then you are a Data Controller; therefore, you will be impacted by the GDPR. In terms of training and access to the personal data held by the charity, volunteers must be adequately trained to handle and protect personal data. In many organisations, we have found that volunteers are amongst the highest risk, as they have excessive access to personal and sensitive personal data coupled with insufficient training on the handling of personal data. It is widely documented that 80% of breaches occur from the ‘intentional, non-malicious actions of a member of staff’. In charities, these actions are likely to be by volunteers. If you have volunteers processing personal data on your behalf, then you are impacted by the GDPR.

  • Service Users: If you are supplying a service such as counselling or house visits, then, you are processing personal information; therefore, you will be impacted by the GDPR. In many cases, this service involves the processing of sensitive personal information such as religious information or information relating to health or even criminal convictions, which requires even tighter control.

  • Financial information: If you are in receipt of donations from individuals through an on-line facility, then, you are processing personal information. Have you thought about the security measures, how easy would it be for an outsider to hack your system? The GDPR calls out for tightened security measures; therefore, you are likely to be impacted by the GDPR.

  • Opt-in versus opt-out: Out of all the new provisions of the GDPR, we have found this provision has caused the most concern amongst charities. Under the current E-Privacy Directive, it is not lawful to automatically opt-in a donor to receive marketing communication electronically. The GDPR reinforces this by stating “silence, pre-ticked boxes or inactivity should not constitute consent”.

  • Profiling: If you are profiling your donors, then, you are collecting personal information and you are obliged to comply with the requirements. Profiling is a conscious process of segmenting or extracting a data sample using automated means. If a decision is being made about an individual (either manually or automatically) then, at minimum, a Fair Processing notice will be required. If a decision is being made using sensitive personal information, then, explicit opt-in is required prior to the process being performed. There are new provisions surrounding consent; therefore, if you are profiling then you are likely to be impacted by the GDPR.

  • Timescales for Subject Access Requests: Under the GDPR, the timescale that an organisation has to respond to a Subject Access Request reduces from 40 days to one month. Emails relating to an individual are within the scope of a Subject Access Request. If a client or an employee has a history spanning years with your charity, then, you need to consider how you will retrieve each piece of information relating to this individual within the new tighter timeframe.

  • Third Party agreements: Most, if not all, organisations will engage third parties at some point. When this engagement involves the third party processing (which includes having the potential to access) personal data held by the Data Controller, a Data Processing Agreement must be in place. The GDPR places new requirements upon Data Controllers regarding the allocation of responsibility between the Controller and the Processor. Whilst the GDPR will prompt many organisations into reassessing their Data Processor Agreements, it will also prompt many Data Controllers to put Data Processor Agreements in place where they did not previously exist. The GDPR will require that certain mandatory clauses are included in all contracts with your third party data processors, as previously reported by Sytorus. Some third parties are less obvious than others; have you considered IT support, CCTV providers and hosting companies?

  • Consent to process personal data: If you rely solely on consent as a means to process personal data, then you may be impacted by the GDPR. Whilst consent remains a valid basis for processing data, it will be more difficult to rely on as the sole means to legitimately process data. Under the GDPR, where the Data Controller is collecting personal data, the Data Controller must be able to reference which lawful processing condition (as described in Article 6 for personal data and Article 9 for sensitive personal data) it is relying on to process the personal data.

  • The requirement for a DPO: According to Article 37 of the GDPR, it will be mandatory to appoint a DPO if the processing is carried out by a public authority; or if the core activities of the controller or the processor consist of processing operations that involve regular and systematic monitoring of data subjects on a large scale; or if the core activities of the controller or processor consist of processing on a large scale special categories of data as listed in Article 9 of the GDPR. If your charity is based on providing ‘medical services’, then you are processing special categories of data; therefore, you may be impacted by this requirement in the GDPR. It is worthwhile reviewing the data your charity processes and whether it qualifies as ‘large scale’. If so, then your charity is impacted by the GDPR.

Some pitfalls worth noting:

  • Policies in place but…: The GDPR bases itself on getting companies to produce evidence of compliance. Many organisations obtain a suite of policies, insert the company name and get the staff to sign a training record; however, this is not complete evidence of compliance. Instead, this is the scaffolding from which you generate your evidence of compliance. For these policies to be evidence of compliance, you need to be generating logs or completing forms from them. You also need to review policies regularly for currency and effectiveness; such reviews generate further evidence of compliance.

  • Getting company buy-in: Appointing a DPO will be a mandatory requirement for some organisations as described in the GDPR. When the DPO has been appointed, they do not operate in isolation from the company. Just like an organisation may appoint a Safety Rep from each area, so too should a Data Protection Champion be appointed from each area within the organisation. Such individuals take ownership of data protection risks as listed in the company risk profile. This promotes Data Protection as being a company-wide responsibility and not merely just the DPO’s responsibility.

  • Excel spreadsheets: There will be a requirement within the Irish jurisdiction that your logs be in ‘electronic format’ and ‘available for sharing’ with the Commissioner. Excel spreadsheets have limitations and some security risks depending on how they are configured. In particular, there is no audit trail on an entry in an Excel spreadsheet; it would be too easy for an entry to be accidentally deleted, and there is no record of who, what, where, when or why. Your logs should, ideally, have an audit trail for every entry. Even if you restrict usage to one single individual, entries could still be deleted by mistake. Secondly, since the GDPR is heavily risk-based, it is ideal if the electronic logs evaluate the risk of your activity, yielding a go/no-go decision. Furthermore, as you log your activity, the user should be able to select which lawful processing condition they are relying on to process the personal data. Whatever electronic format you use, it should either have a risk-assessing capability or prompt the user to calculate the risk manually.
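As an added example (not Sytorus or LIKECHARITY code), the following shows the properties the bullet above asks of an electronic log and that a spreadsheet lacks: every entry records who, what, when and why, names the Article 6 lawful basis relied on, carries a go/no-go risk decision, and is hash-chained to the previous entry so that an altered or removed entry is detectable. The risk weights and threshold are an assumed illustration, not a rule from the regulation.

```python
"""Append-only processing-activity log with an audit trail.

Added example, not Sytorus or LIKECHARITY code. Corrections are new entries
that reference the old one; nothing is ever edited or removed in place.
The risk weights and threshold are assumed for illustration only.
"""
import hashlib
import json
from datetime import datetime, timezone

# Article 6(1) lawful processing conditions, keyed by their letter in the GDPR.
LAWFUL_BASES = {
    "a": "consent", "b": "contract", "c": "legal obligation",
    "d": "vital interests", "e": "public task", "f": "legitimate interests",
}
# Assumed scoring: special-category data, third-party transfers and scale add risk.
RISK_WEIGHTS = {"special_category": 3, "third_party_transfer": 2, "large_scale": 2}
NO_GO_THRESHOLD = 4
GENESIS = "0" * 64


def _digest(entry: dict) -> str:
    """SHA-256 over the canonical JSON of an entry (excluding its own hash)."""
    body = {k: v for k, v in entry.items() if k != "hash"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class ProcessingLog:
    def __init__(self):
        self._entries = []   # append-only; each entry links to the previous hash

    def record(self, who, activity, purpose, lawful_basis,
               risk_factors=(), corrects=None):
        """Append one entry and return it; the caller must name a lawful basis."""
        if lawful_basis not in LAWFUL_BASES:
            raise ValueError("entry must name an Article 6(1) lawful basis a-f")
        unknown = set(risk_factors) - set(RISK_WEIGHTS)
        if unknown:
            raise ValueError(f"unknown risk factors: {sorted(unknown)}")
        score = sum(RISK_WEIGHTS[f] for f in risk_factors)
        entry = {
            "id": len(self._entries),
            "when": datetime.now(timezone.utc).isoformat(),
            "who": who, "what": activity, "why": purpose,
            "lawful_basis": f"6(1)({lawful_basis}) {LAWFUL_BASES[lawful_basis]}",
            "risk_score": score,
            "decision": "no-go: review with DPO" if score >= NO_GO_THRESHOLD else "go",
            "corrects": corrects,   # id of the entry this one supersedes, if any
            "prev_hash": self._entries[-1]["hash"] if self._entries else GENESIS,
        }
        entry["hash"] = _digest(entry)
        self._entries.append(entry)
        return entry

    def verify(self) -> bool:
        """True if no entry has been altered and the chain is unbroken."""
        prev = GENESIS
        for e in self._entries:
            if e["prev_hash"] != prev or _digest(e) != e["hash"]:
                return False
            prev = e["hash"]
        return True

    def entries(self):
        return list(self._entries)


if __name__ == "__main__":
    log = ProcessingLog()
    log.record("volunteer coordinator", "door-to-door donor list",
               "fundraising", "f", ("third_party_transfer",))
    log.record("counsellor", "service-user health notes", "counselling", "a",
               ("special_category", "large_scale"))
    print(log.verify(), [e["decision"] for e in log.entries()])
```

Removing the most recent entry cannot be detected by the chain alone, so in practice the latest hash is also copied somewhere the log writer cannot change (a periodic export to the DPO, for example).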

LIKECHARITY and Sytorus have teamed up to help charities comply with the new requirements of the GDPR. If you are concerned that your charity might be impacted by the GDPR, get in touch at (01) 557 24 25 or

What to Know About Data Protection

We are all somewhat afraid of the Commissioner knocking on the door of a non-profit and asking to see how the organisation is keeping donors’ sensitive personal data ethically protected, which is why LIKECHARITY have teamed up with Sytorus to help you with the overwhelming task of becoming GDPR compliant.

First we have to talk about what the GDPR is. It stands for the General Data Protection Regulation, and it is a document that will enforce data protection policies on organisations all over the EU. The GDPR will be implemented on the 25th of May 2018 by the EU parliament. Here are some of the key changes that will occur:

1. Increased Territorial Scope: Regardless of your location or what kind of company you run, if you process any kind of personal data through your organisation, the GDPR applies to you. If you provide goods and services to EU citizens then you are required by law to implement this regulation in your organisation.

2. Penalties: If there is a breach of the GDPR your organisation can be fined up to 4% of annual global turnover or €20 million. For example, a potential action classed by the Commissioner as a serious infringement for non-profits is not getting proper consent from a potential donor to use their personal data in analysis, in tracking trends, or to transfer their personal data to other organisations.

3. Consent: you will no longer be allowed to use long, ambiguous terms and conditions; your organisation is only allowed to present a coherent and accessible form of terms and conditions so that your donors have the proper agency to consent. Your terms and conditions should be transparent and in language that can be easily understood.

4. Breach Notification: When there is a data breach in your charity it is required that donors and controllers be notified within 72 hours of the breach.

5. Right to Access: This completely changes the manner of transparency between the donor and the charity. The donor can request access to their personal information to discover the charity’s intentions and purpose for holding personal data, which also provides transparency about where the data is being stored or used.

6. Right to be Forgotten: the right of the donor to have their personal information erased from the charity’s database and to halt the public distribution of this information. This right can be exercised when the information is no longer relevant or when the consent of the customer is withdrawn.

7. Data Portability: this is the right of the client to receive the personal data the charity holds about them and to have it transferred to another charity of the client’s choosing.

8. Privacy by design: all systems and protocols must be designed with data protection built in. Everything the company does with any kind of data needs to include data protection as part of the design, not as an added service.

Given all of these changes, charities have to be prepared to enforce them in order to avoid fines and remain compliant.

To be a GDPR guru, it’s important that you understand the regulatory language used in the document. Here is some policy jargon that may come up:

  • Processing: any operation performed on data, whether by computer or by letter, including classifying information.

  • Restriction of processing: limits what a data controller can do with personal data.

  • Profiling: automated processing of personal data that helps analyse and predict behaviours, interests, work conduct and economic situations.

  • Pseudonymisation: a form of processing of personal information that does not allow the data to be connected to the data subject without additional information.

  • Filing system: personal data that can be accessed only according to specific criteria, on a functional or geographical basis.

  • Genetic data: personal data relating to a person’s inherited or acquired genetic characteristics, giving unique information about their physiology or health.

  • Biometric Data: data resulting from specific technical processing of the physical, physiological or behavioural characteristics of a person, e.g. facial images.

  • Cross-Border Processing: processing of personal data that takes place in the context of the activities of a controller’s or processor’s establishment in a member state, where the controller or processor is established in more than one member state, whether as a single enterprise or as a group of enterprises.

  • Main Establishment: for a controller with establishments in more than one member state, the place of central administration is considered the main establishment, unless the controller has decided to make another establishment the main one. For a processor with establishments in more than one member state, the place of central administration is considered the main establishment; if there is no central administration, the establishment where the data is being processed is considered the main establishment, and it is subject to specific obligations under this regulation.

  • Representative: a person designated by the controller or processor to represent the establishment with regard to its obligations under the regulation.

  • Binding Corporate Rules: personal data protection policies that apply when personal data is transferred between a controller and a processor, between a controller or processor and a third party, or between groups engaged in joint economic activity.

  • Supervisory Authority: independent public authority

LIKECHARITY and Sytorus have come together to offer LIKECHARITY Privacy Engine, a new data protection engine that will prepare you for the GDPR when it is implemented next year. It provides data protection support, guidance and training all in one. This allows your charity to thrive while being conscious of how your data is protected. If you would like to learn more about LIKECHARITY Privacy Engine, please click here.



Upcoming LIKECHARITY Training Workshops

Last week LIKECHARITY ran two very successful days of training for charities, covering fundraising and Data Protection.

On Tuesday the 11th of April, Hannah and Deirdre ran another text-to-donate fundraising workshop. They gave advice and training on how best to use the text-to-donate platform. They covered ComReg compliance, how to pick the best keyword, text-to-donate on social media, case studies and how to build a successful text-to-donate campaign. It was a relaxed but productive morning with plenty of discussion, and we’re already looking forward to our next workshop in May!

The following day, LIKECHARITY were joined by John Ghent of Sytorus to speak about charities and the GDPR. Sytorus is a recognised leader in pragmatic Data Protection deployment, with services and products including assessments, implementation, training and support, and they are experts on the GDPR. Sytorus and LIKECHARITY are partnering to help charities become compliant with the GDPR. While the GDPR is receiving lots of coverage in the media, there still remains a lot of confusion around what it means for the charity sector in Ireland. It comes into effect next year and will bring the most significant and far-reaching changes to how charities approach the protection of citizens’ data in recent history, with the burden of proof now on charities to show how they manage their data. John led us through a practical, charity-centred presentation on what the GDPR is, how it will affect charities and what they need to do to prepare for it. He explained the rapid change in data in recent times and how much different data charities hold, from addresses of donors to medical records of service users. He brought us through the new role of Data Protection Officer that most charities will need to bring in, and practical solutions to implement the GDPR. Many of the charities commented afterwards that they had a much clearer idea of what the GDPR means for our sector and what they need to do to get ready for it. As charities found it so helpful, we’re running another two sessions next week.

Here’s a link to our next Data Protection Session and if you’d like information on upcoming LIKECHARITY training events please contact