Overall success looks like:
Charities will be confident and experienced in identifying risks and mitigating them.
Both established and emerging digital technologies offer opportunities to charities to improve sustainability, impact and income. Charity leaders should manage this by ensuring that they have sufficient skills and knowledge to make informed decisions about any ethical issues.
Managing risk in digital
- Charity leaders and trustees should have the necessary skills and oversight of their charity’s digital activities in order to determine risk (e.g. when managing data or using social media to manage reputation). This should be aligned with the charity’s risk management policy and process. Any risks should be identified and assessed accordingly.
- When procuring, appropriate due diligence must be taken on suppliers, and legal and commercial advice sought on the terms and conditions of contracts. Any ongoing costs related to the agreement should be understood and evaluated.
- Charity leaders and trustees should periodically review their existing systems and processes, understanding what is in place, how they work together, whether they are obtaining value for money, and anticipating and evaluating any risks such as the ability to keep services secure, up to date and working as intended.
- Charities may require support from someone with good technical skills to help them evaluate risk, which could be a member of staff, a trustee or a volunteer (provided the appropriate accountability is in place). Where the risk is potentially significant, all possible actions to manage it should be evaluated and a plan put in place to deal with different scenarios.
- Risks should be reviewed, monitored and assessed periodically. Where relevant, they should be recorded on the risk register.
- Charities should read this principle alongside the Charity Commission guidance on charities and risk management.
Charities should have board-level awareness of the risks posed to their organisation from cyber attacks. The following 5 steps, taken from Cyber Security: Small Charity Guide, will help any charity protect itself from the most common cyber attacks:
- Ensure you take regular backups of your important data.
- Ensure you keep your devices, antivirus and software, including apps, up to date.
- Ensure any smartphones and tablets are kept up to date and can be remotely wiped.
- Avoid connecting to unknown Wi-Fi hotspots while away from home or the office.
- Ensure all devices are password protected and staff know how to set secure passwords.
- Help staff avoid phishing emails, ensuring they know how to report something that looks wrong.
Please refer to the National Cyber Security Centre’s charity guide.
- Data must be captured, managed securely and shared as directed by legislation (such as the GDPR), regulatory guidance (such as the ICO's data protection guide) and codes of practice.
- Charities should not collect more data than their needs require or can reasonably use. Due diligence should be undertaken on any suppliers or partners who have access to charities’ data. Charities should agree how suppliers or partners plan to use their data, ensuring these plans are compliant with legislation.
- Charities should plan for the requirements of users with accessibility needs, or those who may be digitally excluded, and address any accompanying ethical issues.
- Charities may wish to lobby for improvements to digital platforms, such as increasing accessibility for their beneficiaries, or on ethical issues, where relevant and appropriate.
- We support the guidance on diversity set out in the Charity Governance Code. Charities should ensure that a diversity of backgrounds, life experiences, career paths and ways of thinking is represented on their digital teams.
- Charities should publish how they use data on their websites, annual reports and other channels.
- Charities should use digital channels to share their impact and to demonstrate their openness and accountability.
- Charity leaders and staff should understand and plan for how new technologies could change how they work, from crowdfunding to automation, ensuring that they remain relevant to their audience.
- Charities should monitor ethical issues revealed by technological developments (e.g. data breaches by platforms, bias in algorithms, lack of ethical design or user advocacy) to assess whether these fit with their organisational values and what the implications of unintended consequences might be. They will need to understand the implications for their users and the charity’s work and any actions they may need to take as a result.