Prevalent Data Protection Mistakes Committed by Non-Profit Organisations

Typically, a non-profit organisation is set up for causes that benefit the wider community and is not profit driven. For instance, non-profits provide services for animal rights, environmental causes, and disadvantaged members of society. These organisations are also often resource-strapped.

Despite this, there is a common misconception that data protection requirements are less strict for them. The law, however, is impartial and makes no such allowance. With that in mind, non-profit organisations can benefit from data protection services just as most other organisations do.

So why is a data protection service important for non-profits? For starters, non-profit organisations collect, use, disclose, and store a lot of personal data. As a result, they are exposed to the same risks as profit-motivated and commercial organisations. This is especially true in digitised economies, where interactions, transactions, and work require personal data.

Common Data Protection Mistakes by Non-Profit Organisations

There has been a notable increase in data breaches following the COVID-19 pandemic. This can be attributed to the fact that the pandemic changed the business and organisational landscape drastically, and organisations had very little time to put in place the necessary risk evaluation and mitigation measures.

Organisation-wide firewalls and data security protocols became less effective because of the sudden shift to the work-from-home (WFH) model. This resulted in a rise in ransomware and data breach cases.

Due to the still-evolving data protection culture and the unreadiness of some organisations to implement comprehensive information-security measures, many were caught flat-footed and had to “make do” just to keep their operations going. The Protection Obligation is the most frequently breached of the ten obligations under Singapore’s PDPA.

Organisations also face a high level of risk when moving their operations online because many members of the team lack data protection training and awareness. To a large extent, lack of awareness and untrained staff lead to inattention and open a window in which data breaches can take place.

Regular training, on the other hand, not only helps minimise these risks but also helps demonstrate accountability to data protection regulators.

Part of this know-how should include risk management, especially vendor management. Many non-profit organisations that lack in-house expertise assume that responsibility is farmed out when tasks are outsourced. It is important to remember that outsourcing brings its own risks that need to be managed. You can delegate the task, but not the responsibility.

Possible Ramifications

The cost of non-compliance can go beyond a financial penalty. From the regulator(s), the following can arise:

Financial penalty or fines

In Singapore, financial penalties serve as a form of deterrence and sanction against non-compliance when directions alone would not adequately reflect the seriousness of the data breach. When determining whether an organisation must pay a financial penalty, the PDPC considers the seriousness of the breach.

To gauge the seriousness of the breach, the following are considered:

  • Whether the breach was a deliberate action by the organisation.
  • Whether the organisation knew or ought to have known the risks involved, as well as the measures that could mitigate or prevent those risks.
  • The extent of the non-compliance with the obligations under the PDPA.
  • Whether a data protection officer (DPO) or equivalent was appointed to manage a Data Protection Management Programme (DPMP) and ensure accountability under the PDPA.
  • Whether it is a repeated breach of the PDPA.

Warnings, directions, and undertakings

In Singapore, this is at the discretion of the regulator. However, two key considerations are taken into account:

  • The organisation can demonstrate that it has accountable practices (i.e., it is a Data Protection Trustmark certified organisation) and shows willingness to implement its remediation plan.
  • The PDPC is of the view that an undertaking will achieve a similar or better enforcement outcome than a full investigation.