
How can I make sure I'm handling data correctly?

Data security and data protection are two sides of the same coin. Even non-profit organisations cannot afford to bury their heads in the sand when it comes to these two questions: what challenges do they need to face up to, and what do they need to be aware of?

In some ways, digitalisation has simplified the handling of data, but it also poses new risks. In the Horak/Baumüller study from 2018 (a survey carried out by the Austrian Controller Institute), 88 percent of the institutions surveyed listed 'increased data security requirements' as the biggest disadvantage they expected to arise from digitalisation.

Data security

On a technical level, the aim of data security is to provide data of any kind with adequate protection against loss, theft, manipulation and other threats. A company's management is responsible for data security, while its strategic leadership is responsible for monitoring it. The appropriate organisational and technical measures need to be taken as a result.

Follow the steps below to help protect your data:

  1. Ensure adequate access control to your premises, particularly to your IT infrastructure, and place access restrictions on your data.
  2. Use sufficiently complex passwords or multi-stage authentication.
  3. Deploy limited user rights, for example to prevent system data from being changed.
  4. Keep software up to date.
  5. Uninstall old, insecure and unused software.
  6. Create security copies (backups) on a separate storage medium, in a second computer centre with redundant mirroring, or by using cloud solutions.
  7. Use antivirus software.
  8. Use firewalls.
  9. Deactivate active content.
  10. Encrypt sensitive data, particularly when it is being transmitted.

However, all these measures will not help one bit if employees do not act with care. As a result, promoting employee security awareness and giving them the skills they need should be of the utmost priority. In addition to technical measures, an effective security concept should also take organisational and staff-related measures into account.

Data protection

Last year, the EU made changes to legislation relating to the way in which data is handled. The new General Data Protection Regulation (GDPR) came into effect in the EU on 25 May 2018. It is binding in all EU/EEA states, setting new standards in terms of data protection and data security. At present, the Swiss Parliament is considering the draft of a fully revised data protection act, based on the EU's standards. In the future, even Swiss non-profits will have to deal with tighter requirements, and heavier punishments, in terms of providing information and documenting their activities, or even in terms of more stringent information and reporting obligations.

Non-profit organisations process personal data belonging to donors, recipients, employees and contacts at partner organisations. Any processing of this data, such as gathering, forwarding or saving personal data (e.g. names and addresses), is covered by data protection legislation. All that matters is that it could be used to identify a natural person. Sensitive personal data, such as information about political opinions, health, social security or sexual orientation, is subject to particular requirements. There are additional requirements in terms of informing the person affected so that this data can be processed appropriately. In some circumstances, permission must be sought.

When a person makes a donation, participates in an event or signs up to a newsletter, this does not mean that they have given blanket permission for their data to be used for other purposes.

Regardless of whether the GDPR can be applied under Swiss law, non-profit organisations need to take action.

The following points should be considered as a matter of urgency:

  1. Determining responsibilities
    • Nominating project owners
    • Freeing up resources
    • Ensuring internal and external support
    • Establishing reporting
  2. Gaining an overview and determining priorities
    • Documenting the inventory and processing of personal data, especially with a procedure log
    • Estimating risks
    • Undertaking and documenting technical and organisational measures linked to IT
    • Deriving additional measures and determining priorities
  3. Establishing processes
    • Issuing notifications in the event of data protection incidents
    • Handling subjects' rights (access, rectification, erasure)
    • Clarifying the data protection consequences associated with new IT systems
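The procedure log described under point 2, and the rule that a donation or newsletter sign-up is not blanket permission for other uses, can be turned into a small, checkable register. The script below is an added example written for this article, not StiftungSchweiz's own tooling or anything the article itself provides: the register fields, the severity levels, the `ProcessingActivity` structure and all sample activities are assumptions constructed for illustration. It records each processing activity, flags the special categories the article names, flags purposes the data subject was never informed of, flags unencrypted forwarding to third parties, and orders the register so the riskiest activities come first.

```python
"""Register of processing activities with risk prioritisation (added example).

Constructed sample data; the record layout and severity scheme are assumptions
made for this illustration, not the article's or the organisation's own method.
"""
from dataclasses import dataclass, field

# Special categories the article names as subject to particular requirements.
SPECIAL_CATEGORIES = {"political_opinions", "health", "social_security", "sexual_orientation"}


@dataclass
class ProcessingActivity:
    name: str                   # e.g. "donation processing"
    data_subjects: str          # donors, recipients, employees, partner contacts
    data_categories: set        # e.g. {"name", "address", "health"}
    purposes_informed: set      # purposes the subject was told about / agreed to
    purposes_actual: set        # purposes the data is really used for
    recipients: set = field(default_factory=set)  # third parties data is forwarded to
    encrypted_in_transit: bool = True


def assess(activity: ProcessingActivity) -> list:
    """Return (severity, finding) tuples for one activity; empty list means no finding."""
    findings = []
    special = activity.data_categories & SPECIAL_CATEGORIES
    if special:
        findings.append(("high", f"special-category data: {sorted(special)}"))
    # A donation or sign-up covers only the purposes the person was informed of.
    undeclared = activity.purposes_actual - activity.purposes_informed
    if undeclared:
        findings.append(("high", f"purposes the subject was not informed of: {sorted(undeclared)}"))
    # Forwarding personal data is processing too; transmitted data should be encrypted.
    if activity.recipients and not activity.encrypted_in_transit:
        findings.append(("medium", f"forwarded to {sorted(activity.recipients)} unencrypted"))
    return findings


def priority(activity: ProcessingActivity) -> int:
    """1 = act now, 2 = plan a measure, 3 = no finding."""
    severities = {sev for sev, _ in assess(activity)}
    if "high" in severities:
        return 1
    if "medium" in severities:
        return 2
    return 3


def prioritised_register(activities: list) -> list:
    """Order the register so the riskiest activities come first (ties by name)."""
    return sorted(activities, key=lambda a: (priority(a), a.name))


# Constructed sample register for a fictional non-profit.
SAMPLE_REGISTER = [
    ProcessingActivity("donation processing", "donors", {"name", "address", "bank_details"},
                       {"donation_processing"}, {"donation_processing", "newsletter"}),
    ProcessingActivity("event registration", "participants", {"name", "email", "health"},
                       {"event_organisation"}, {"event_organisation"}),
    ProcessingActivity("payroll", "employees", {"name", "social_security", "salary"},
                       {"payroll"}, {"payroll"},
                       recipients={"payroll provider"}, encrypted_in_transit=False),
    ProcessingActivity("partner contact list", "partner contacts", {"name", "email"},
                       {"project_coordination"}, {"project_coordination"}),
]

if __name__ == "__main__":
    for activity in prioritised_register(SAMPLE_REGISTER):
        print(priority(activity), activity.name)
        for severity, text in assess(activity):
            print("    ", severity, text)
```

Running it lists the three high-priority activities first: the donation data reused for a newsletter nobody was told about, the event registration that holds health information, and the payroll export that forwards social security data unencrypted; the plain partner contact list carries no finding. The same structure can be extended with retention periods and the legal basis per purpose, which is what a real procedure log would also need to hold.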


StiftungSchweiz is committed to enabling a modern philanthropy that unites and excites people and has maximum impact with minimal time and effort.
