In some ways, digitalisation has simplified the handling of data, but it also poses new risks. In the 2018 Horak/Baumüller study (a survey carried out by the Austrian Controller Institute), 88 percent of the institutions surveyed listed ‘increased data security requirements’ as the biggest disadvantage they expected to arise from digitalisation.
Data security
On a technical level, the aim of data security is to give data of any kind adequate protection against loss, theft, manipulation and other threats. A company’s management is responsible for data security, while its strategic leadership is responsible for monitoring it. Appropriate organisational and technical measures must be put in place accordingly.
Follow the steps below to help protect your data:
- Ensure adequate access control to your premises, particularly to your IT infrastructure, and place access restrictions on your data.
- Use sufficiently strong passwords and, wherever available, multi-factor authentication.
- Grant users only the rights they need (least privilege), for example so that system files and settings cannot be changed by ordinary accounts.
- Keep software up to date and install security updates promptly.
- Uninstall old, insecure and unused software.
- Create backups on a separate storage medium, in a second data centre with redundant mirroring, or by using cloud solutions; keep at least one copy disconnected from the production network and test regularly that it can actually be restored.
- Use antivirus software.
- Use firewalls.
- Deactivate active content (for example macros in office documents and scripts or plug-ins in browsers and e-mail clients) unless it is genuinely needed.
- Encrypt sensitive data, both when it is stored and, in particular, when it is transmitted.
None of these measures will help, however, if employees do not act with care. Promoting employees’ security awareness and giving them the skills they need should therefore be a top priority. In addition to technical measures, an effective security concept must also include organisational and staff-related measures.
Data protection
In 2018, the EU changed its legislation on the handling of personal data. The General Data Protection Regulation (GDPR) has applied throughout the EU since 25 May 2018. It is binding in all EU/EEA states and sets new standards for data protection and data security. At present, the Swiss Parliament is considering a fully revised data protection act modelled on the EU standard. In the future, Swiss non-profits too will face tighter requirements and heavier penalties, particularly with regard to their information, documentation and reporting obligations.
Non-profit organisations process personal data belonging to donors, recipients, employees and contacts at partner organisations. Any processing of this data, such as collecting, forwarding or storing personal data (e.g. names and addresses), is covered by data protection legislation. The only criterion is whether the data can be used to identify a natural person. Sensitive personal data, such as information about political opinions, health, social security or sexual orientation, is subject to particular requirements: the person concerned must be informed more fully before such data can be processed, and in some circumstances their explicit consent must be obtained.
When a person makes a donation, participates in an event or signs up to a newsletter, this does not mean that they have given blanket permission for their data to be used for other purposes.
Regardless of whether the GDPR can be applied under Swiss law, non-profit organisations need to take action.
The following points should be considered as a matter of urgency:
- Determining responsibilities
- Nominating project owners
- Freeing up resources
- Ensuring internal and external support
- Establishing reporting
- Gaining an overview and determining priorities
- Documenting the inventory and processing of personal data, in particular by keeping a record of processing activities
- Estimating risks
- Undertaking and documenting technical and organisational measures linked to IT
- Deriving additional measures and determining priorities
- Establishing processes
- Notifying the supervisory authority and, where required, the persons affected in the event of a data protection incident
- Handling subjects’ rights (access, rectification, erasure)
- Clarifying the data protection consequences associated with new IT systems