
Small charities face bankruptcy for not complying with GDPR, but put clients at risk if they do


The way charities use and hold data on behalf of their clients and donors creates problems under GDPR. Tashatuvango/Shutterstock

By Dr Shamal Faily, Bournemouth University

You will no doubt have received the emails yourself: don’t forget to opt in, click here to stay in touch, we don’t want to lose you. The General Data Protection Regulation, or GDPR, comes into force on May 25, and organisations and businesses large and small are racing to ensure the way they collect, store and use the personal data of their customers and clients meets the new, higher standards of this new European Union privacy law.

Compliance with GDPR can be costly, requiring organisations to analyse the way they work, the data they use, how it is handled and secured. Documenting how personal data is held and processed is tedious and time consuming, as is developing procedures for dealing with individuals’ requests to see the data held on them, security breaches that involve loss of data, or assessing the privacy impact of some new product or service.

To data protection authorities across the European Union, such as the UK Information Commissioner’s Office (ICO), this is just good practice – the cost of doing business in a free and open market. But what if yours is a non-profit organisation? Several UK charities have been fined for breaking existing data protection laws. Many others are acutely aware that a single penalty for non-compliance could put them out of business.

The ICO has produced guidance for charities, and reading it you might think that the challenges charities face are the same as those facing any small business. Both have limited resources, time and money to spend on ensuring compliance. Losing or misusing personal data leads to the erosion of trust, irrespective of whether those affected are paying customers or charity donors. But scratch beneath the surface and you can see how GDPR causes unique problems for small charities, particularly those that work to help society’s most vulnerable.

Duty of care

The new privacy regulations require that personal data is “processed in a manner that ensures appropriate security of the personal data”. Any security expert will tell you that perfect security is impossible, so businesses can meet this requirement by investing in security considered “good enough” to meet the duty of care to their clients and customers.

But for charities, the duty of care they have for both their vulnerable client base and their donors is so strong that a culture of cost-cutting has formed. Because charities lack the expertise to understand the risks they face, they may wrongly believe they are avoiding risks, or accept risks without understanding the implications. Ultimately, this works against charities investing in the security they actually need. A report commissioned by the UK Department for Culture Media and Sport in 2017 found this culture even led to some charities intentionally relying on out-of-date or low technology solutions. In one case, a charity was even prepared to accept the risk of damaging data losses, in the hope that their donors would be sympathetic and appreciate that, to them, cybersecurity is a luxury they cannot afford.






Charities care for others, but are not always able to care for their data. perfectlab/Shutterstock

Ethical tensions

The new privacy regulations are built around fair treatment, but this also fails to appreciate the ethical tensions faced by charities. Under GDPR, organisations can only collect data from individuals when they have a legal basis for doing so, for example that the individual has given their consent (such as signing up for an email newsletter), or that the organisation must do so in order to comply with a legal obligation (such as banking information required to meet money laundering regulations). However, complications arise because while an individual may give consent, they may also withdraw it.

Imagine, for example, that Bob suffers from a drug addiction. In a moment of clarity, he checks into a rehab centre for help, and gives consent for the centre to collect what personal data they require. But Bob later relapses, and – to keep this information from his family – withdraws his consent and exercises his right to be forgotten, demanding that the rehab centre deletes the data on him that it holds.

The GDPR provides some discretion for processing personal data in matters of life and death, but not if Bob is capable of giving consent. And so the rehab centre faces a dilemma: it can assert Bob isn’t capable, exposing themselves to the risk of a fine should he report them to the ICO. Alternatively, they can comply and expose Bob to future risks that may threaten his health or life, and reduce or remove the information they know that might one day help save his life.

ICO guidance for not-for-profits should answer the sorts of questions regularly raised by charities. But instead it treats small charities like any other small business. The ICO claims this is the information that charities want, but it is not the information they need. If guidance fails to acknowledge the risks to small charities, what incentive do charities have to invest time and money following it?

What charities need are fewer platitudes on what they should be doing – they already know this – and more advice on how to do it, given the very particular challenges they face. In a speech given to the charities attending the Funding and Regulatory Compliance conference last year, the information commissioner said that getting privacy right can be done, that it should be done, and she would say how it can be done. Yet as the deadline looms, charities are still waiting to hear about the “how”.


Shamal Faily, Senior Lecturer in Systems Security Engineering, Bournemouth University

This article was originally published on The Conversation. Read the original article.

Challenge Project – Home Office


The Home Office, through the Joint Security and Resilience Centre, invites responses to its Challenge Project call. The call aims to capture strategic and tactical barriers that inhibit the security sector and to develop project work against proposed solutions. Projects must provide demonstrable effort towards at least one of the following:

  • deliver a joint response to the UK’s national security challenges;
  • drive the delivery of the right solutions;
  • growth of the security sector.

Suggestions for future areas of research are welcome.

10 awards, each worth between approximately £25,000 and £50,000, are available.

Click here for more information including how to apply.

Closing deadline is 22 January 2017.

If you are interested in submitting to this call you must contact your RKEO Funding Development Officer with adequate notice before the deadline.

For more funding opportunities that are most relevant to you, you can set up your own personalised alerts on Research Professional. If you need help setting these up, just ask your School’s/Faculty’s Funding Development Officer in RKEO or view the recent blog post here.

If thinking of applying, why not add notification of your interest on Research Professional’s record of the bid so that BU colleagues can see your intention to bid and contact you to collaborate.

 

MOD establishes defence innovation initiative


The UK’s Ministry of Defence has set up a project intended to help government researchers collaborate better with colleagues in industry and academia and to transform how the armed forces deal with future challenges.

Defence secretary Michael Fallon announced on 12 August that the initiative would include an Innovation and Research Insights Unit to anticipate emerging trends in technology and analyse the implications for UK defence and security. The unit would be “informing critical decisions to maintain our military advantage and protect the UK”, he said.

Innovation awards – Partnership for Conflict, Crime and Security Research (PaCCS) – new call to be announced


 

Innovation awards under PaCCS focusing on Conflict and International Development

The ESRC and AHRC will shortly be launching a further call for interdisciplinary innovation awards under the Partnership for Conflict, Crime and Security Research (PaCCS) focusing on Conflict and International Development. (Pre-call.)

Find out more information including the proposed call timescale here.

AHRC information.


Security Research & Innovation Event 2016


The 2016 Security Research and Innovation Event will take place at the World Forum in The Hague on 1 and 2 June. The event aims to provide a forum for discussion between European Policy Makers, industry and knowledge institutions on the key security challenges for Europe.

The programme includes the Security Research Event (conference) organised by the European Commission, thematic workshops, an innovation room and a matchmaking programme. The topics for discussion cover:

  • Cybercrime and Law enforcement technologies
  • Financial Investigations and Fraud
  • Space and Security
  • Forensics
  • Integrated border management
  • Terrorism

The event is free of charge to attend but registration is mandatory.

(Source: www.ukro.ac.uk – Sign up to set your own personalised alerts.)

 

Synthetic Biology Applications in Defence – Multi-million pound competition

MOD’s Centre for Defence Enterprise (CDE) is launching a multi-million pound competition for research proposals for highly innovative synthetic biology approaches applicable to the defence and security sectors.

 Synthetic biology has the potential to address several difficult challenges facing UK defence and security. It could provide new ways to protect both the armed forces and civilian populations.

The purpose of this CDE themed competition for short-term, proof-of-concept research proposals is to reach out to all sectors for cutting-edge, multidisciplinary research through the application of existing synthetic biology tools and techniques, but using novel research approaches.

The scope of this competition is deliberately broad and non-prescriptive to encourage novel ideas applicable to land, air or maritime environments.  Areas where synthetic biology could contribute to defence and security include, but are not limited to:

  • protection of personnel or equipment
  • sensor technologies to detect chemicals, such as explosives, forces, such as gravity, or to indicate physical status, such as integrity
  • materials exhibiting unique properties or added functionality
  • decontamination approaches
  • camouflage solutions including noise and emission reduction.

For further details visit the website.

 

Fancy applying for FP7 Security? Need some Partners? Then you need this!

If you have been having a scan over my summarised Security Work Programme and a call has caught your eye, you can find people looking for Partners on this fantastic Security Research Projects Database, developed by the European Commission National Contact Points. A total of 251 legal entities from across Europe have so far registered on the Database, which includes 15 organisations from the UK, so it is a great opportunity for you to get your foot in the door for an FP7 Cooperation call!

 

You can also sign up to attend the free Infoday in Brussels in September on the EC website.

 

Social Sciences and Security in Horizon 2020

Horizon 2020 will replace FP7 and is currently under development. Several stakeholder groups have been meeting with EC officials to help influence and shape the Programme.

Feedback is available on UKRO from the informal Security Theme meeting and also the Societal Challenges Theme meeting. I really urge you to read these if you have an interest in either of these areas!

EPSRC/ESRC Invitation for Outlines: Consortia for Exploratory Research in Security

                                                                                                                                                                                                         

As part of their contribution to the RCUK Global Uncertainties Programme, EPSRC and ESRC are jointly inviting proposals for research consortia (PDF 79KB) to explore current and future cyber security challenges.

CEReS consortia are encouraged to work across or between established disciplines and to draw on expertise from multiple research organisations wherever necessary. They particularly welcome proposals with significant novel mathematics and/or social science content.

Initially, outline proposals will be assessed for their novelty and fit to the aims of the call. Successful outline applicants will be invited to submit full proposals later in 2012.

EPSRC and ESRC have made up to £4M available to fund full proposals through the CEReS call. They expect to support a range of projects which is broad in terms of scale (likely to be between £500k and £1M for each consortium), duration (two to four years), mix of disciplines (with single discipline proposals being the exception rather than the norm) and subject matter (although all must focus on cyber security-related challenges in the broadest sense). Activities funded through CEReS are limited to those currently allowed on EPSRC grants. As a result they will not be able to accept applications which request funding for PhD studentships, even if they are outside EPSRC’s remit.

CEReS is a call for exploratory research. Consortia should identify ambitious goals with far-reaching impacts on future research and, potentially at least, practice in cyber security. Projects which continue or extend current work in a straightforward or obvious way will not be supported. Collaboration between disciplines is strongly encouraged. Although it is not essential that all projects include cross- or intra-disciplinary working, it is likely that the assessment process will select positively for consortia which adopt this approach.

Although it is being managed by EPSRC, the CEReS call is also open to researchers eligible to apply for targeted funding from ESRC. There is no quota of applications or funding based on Research Council remits. It is possible for the same researcher(s) to be associated with more than one consortium application.

For further information visit the call website: http://www.epsrc.ac.uk/funding/calls/open/Pages/ceres.aspx and read the call documentation: http://www.epsrc.ac.uk/SiteCollectionDocuments/Calls/2012/CEReSCall.pdf. Outline proposals should be prepared and submitted using the Research Councils’ Joint electronic Submission (JeS) System (https://je-s.rcuk.ac.uk/).

The RKE Operations team can help you with your application.

The closing date is 14 June 2012.

FP7 Security Partner Brokerage Event

Potential applicants to the 2013 FP7 Security call are invited to attend a brokerage event organized by the Security Mission Information & Innovation Group (SMI2G) on 22-23 May in Brussels.

The meeting will be an opportunity to exchange information on the 2013 call of the FP7 Security programme and to stimulate networking for the creation of potential ideas and consortia. All stakeholders interested in participating in a topic for this call as co-ordinator or partner are invited to this meeting.

The goals of the meeting are to:

  • provide information on the 2013 Security call (6th call) and provide potential partners with information on what is expected by the European Commission;
  • exchange information on specific contributions to proposals as partners or co-ordinator; and
  • provide a networking opportunity to find partners in proposals.

I have a top secret FP7 Security document – oh the irony!

Yep, I have summarised the draft FP7 Security Work Programme to save you having to read the mammoth work programme and try to find the info you need (and I am proud to say we are the only uni who does this!). I have placed the summary document on our I drive as it is highly confidential and absolutely not for dissemination outside of BU. You will find hyperlinks taking you to each of the themes, and the calls expected to be released within this. The final work programme will be released in July, so this gives you a great head start. Find the Security and other draft work programmes at I:\R&KEO\Public\RDU\Draft Work Programmes for 2012-13

FP7 Security Theme Call Partner Sought

A project based at Cardiff University is seeking partners for the FP7 Security Call SEC-2012.4.4-2 ‘Means of decontamination of large groups, urban/wide areas and large, complex and/or sensitive object’.

In particular they are seeking partners who can take the lead in determining the feasibility of establishing a Europe-wide bio-decontamination capability which would be based in part on the technology solutions developed during this study and would offer the potential to respond to a chemical, biological, radiological, or nuclear event. A key part of this package would be the ability to access input from first responders such as fire fighters and civil disaster planners. Any solution proposed should be cheaper than the current military options.

Please contact Professor Les Baillie at the Welsh School of Pharmacy, University of Cardiff, for further information: