Online security


Take seven simple, low-cost steps to reduce the risk of a data breach

How we help protect you


With the arrival of General Data Protection Regulation (GDPR), which came into force on 25 May 2018, organisations are required to have put effective security processes in place to protect personal data.

Like other organisations, charities are increasingly reliant on IT systems and software, which can make us all potentially vulnerable to a cyber attack. Losing access to operational systems, having funds stolen or suffering a data breach can be critically damaging to a charity's finances and its good name.

This guide explores what a data breach is and its possible risks, shares seven key actions that charities can take to keep personal data secure, and explains how to report a serious data breach.

What is a data breach?

The Information Commissioner's Office (ICO), the independent body which upholds information rights, defines a personal data breach as:

"A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.

"This includes breaches that are the result of both accidental and deliberate causes. It also means that a breach is more than just about losing personal data."

Examples include the loss of a USB stick or flash drive containing personally identifiable data, data being wrongly destroyed or sent to an incorrect address, the theft of a laptop or hacking of an organisation's systems.


Risks of a data breach

One in five charities were targeted by cyber criminals in the past 12 months, according to the Government's latest Cyber Security Breaches Survey*.

The most common form of identified breach was fraudulent email: for example, messages that dupe recipients into disclosing security details or financial information, or that hide a link to a fake website behind innocent-looking text. Other common methods of online fraud include criminals impersonating senior executives or suppliers, and infecting an organisation's systems with malware or computer viruses.
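The concealed-link trick described above can be checked mechanically before anyone clicks. The following is an added example, not code from CAF or from this page, that uses only Python's standard library to parse an HTML email body and flag any link whose visible text names one domain while the underlying href goes to another, or whose target is a raw IP address. The sample email, the hostnames in it and the crude "last two labels" notion of who owns a domain are all constructed assumptions for the example (the hostnames use reserved example/test names only).

```python
"""Flag anchors in an HTML email whose visible text disagrees with where the link really goes.

Added example; the sample email and all hostnames are constructed (RFC 2606/5737 reserved names).
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Visible text that looks like a domain or URL, e.g. "https://www.example-charity.org".
DOMAIN_RE = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)
IPV4_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None


def host_of(url):
    """Hostname of a URL; a bare 'example.org/x' is treated as http://example.org/x."""
    if "://" not in url:
        url = "http://" + url
    return (urlparse(url).hostname or "").lower()


def registrable(host):
    """Crude 'owner' of a host: its last two labels (assumption; no public-suffix list here)."""
    labels = host.split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host


def suspicious_links(html):
    """Return [(href, visible_text, reason)] for links a reader should not trust."""
    collector = LinkCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        target = host_of(href)
        reasons = []
        shown = DOMAIN_RE.search(text)
        if shown and registrable(shown.group(1).lower()) != registrable(target):
            reasons.append(f"text shows {shown.group(1)} but link goes to {target}")
        if IPV4_RE.fullmatch(target):
            reasons.append("link host is a raw IP address")
        if reasons:
            findings.append((href, text, "; ".join(reasons)))
    return findings


# Constructed sample: a typical "verify your account" lure. Not a real email.
SAMPLE_EMAIL = """
<p>Dear customer, your account will be suspended unless you act now.</p>
<p>Please <a href="http://login.example-charity.org.example.net/verify">log in at https://www.example-charity.org</a> today.</p>
<p>Or click <a href="http://203.0.113.5/update">here</a> to update your details.</p>
<p>Regards, <a href="https://www.example-charity.org/contact">example-charity.org</a></p>
"""

if __name__ == "__main__":
    for href, text, reason in suspicious_links(SAMPLE_EMAIL):
        print(f"SUSPICIOUS: '{text}' -> {href}: {reason}")
```

The first lure is the classic one: the text says the charity's own site, but the real host ends in a different registrable domain. The second hides the destination entirely behind the word "here" and points at a bare IP address. The genuine contact link passes. A real mail gateway would add a public-suffix list and lookalike-character checks; the point here is that "hover before you click" can be automated.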

While attempts to breach an individual's or organisation's systems are a criminal act, we are all responsible for keeping secure the personal data that we handle. Under GDPR, the ICO has powers to fine organisations up to £17 million or 4% of global annual turnover, whichever is higher, for the most serious breaches. Taking effective steps to prevent data breaches will not only protect your charity's assets, it will help maintain the trust of staff, volunteers, funders, donors and beneficiaries.

* Source: 2017 Cyber Security Breaches Survey, Department for Culture, Media and Sport




Seven tips to keeping data secure

  1. Encourage a data security culture - Brief and train trustees, staff and volunteers so that they understand and follow your organisation's data protection and counter-fraud policies and processes.
  2. Keep account contacts up-to-date - Inform your bank and financial service providers immediately of any change to the people who are authorised to access and operate your organisation's accounts.
  3. Back up data - Take regular back-ups of important data files, keep the copies separate from the systems they protect, and test regularly that they can actually be restored.
  4. Prevent damage from 'malware' - Carry out five simple steps to protect systems and devices from infection by malicious software or computer viruses.
  5. Use strong passwords and encryption to protect data - Protect computers and mobile devices with encryption tools. Use a unique, difficult-to-guess password for each website, app and service; a password manager makes this practical.
  6. Protect mobile devices and tablets - Keep devices and installed apps up-to-date. Configure devices so they can be tracked, remotely locked and/or wiped in the event of loss or theft. Never transmit sensitive data when connected to public Wi-Fi hotspots.
  7. Avoid phishing attacks - Don't be duped by fake emails asking for sensitive data or which conceal links to fraudulent websites. Learn how to spot the warning signs of a scam email.
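Tip 3 says to take back-ups and test that they can be restored; a back-up that has never been restored is an assumption, not a control. What follows is an added example, not code from CAF or from this page, of what that test looks like in Python using only the standard library: it archives a folder while recording a SHA-256 manifest, restores the archive into a scratch directory, and reports every file that is missing or whose contents differ. It then shows the failure mode the test is for, a source folder that has changed since the last back-up. The 'records' folder, its files and the archive name in run_demo() are constructed sample data.

```python
"""Back up a folder to a .tar.gz and prove the copy restores byte-for-byte.

Added example (not CAF's code). The sample 'records' tree in run_demo() is constructed.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_of(path):
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def manifest(root):
    """Map of relative path -> SHA-256 for every regular file under root."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): sha256_of(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(src, archive):
    """Write every file under src into archive; return the manifest of what was backed up."""
    expected = manifest(src)
    with tarfile.open(archive, "w:gz") as tar:
        for rel in expected:
            tar.add(Path(src) / rel, arcname=rel)
    return expected


def verify_restore(archive, expected):
    """Restore archive into a scratch directory and compare it with expected.

    Returns a list of problems; an empty list means every file came back intact.
    """
    problems = []
    with tempfile.TemporaryDirectory() as scratch:
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(scratch, filter="data")  # refuses members that escape scratch
            except TypeError:  # Python without the 'filter' argument (pre-3.12, no backport)
                tar.extractall(scratch)
        restored = manifest(scratch)
        for rel, digest in expected.items():
            if rel not in restored:
                problems.append(f"missing after restore: {rel}")
            elif restored[rel] != digest:
                problems.append(f"content differs after restore: {rel}")
        for rel in sorted(restored.keys() - expected.keys()):
            problems.append(f"unexpected file in restore: {rel}")
    return problems


def run_demo():
    """Constructed sample data; returns (problems right after backup, problems once the source has changed)."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        src = work / "records"
        (src / "donors").mkdir(parents=True)
        (src / "donors" / "list.csv").write_text("name,amount\nA. Donor,25\n")
        (src / "policy.txt").write_text("Data protection policy v3\n")
        archive = work / "records-backup.tar.gz"

        expected = backup(src, archive)
        clean = verify_restore(archive, expected)  # fresh backup: should be []

        # Day-to-day work continues: one file is edited and another is created.
        # Checking the archive against the *current* folder shows the backup is stale.
        (src / "policy.txt").write_text("Data protection policy v4\n")
        (src / "donors" / "new.csv").write_text("name,amount\nB. Donor,40\n")
        stale = verify_restore(archive, manifest(src))
        return clean, stale


if __name__ == "__main__":
    clean, stale = run_demo()
    print("fresh backup problems:", clean)
    print("stale backup problems:", stale)
```

Run the same check on a schedule against the real back-up location, and treat any non-empty problem list as a failed back-up. Restoring into a throwaway directory rather than over the live data means the test itself can never make things worse.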


If your organisation suffers a data breach, it's very important to act quickly to minimise its impact on the people affected and report it through the appropriate channels. Your organisation's data protection policy should advise the action to take, including who to inform internally and externally, if required.

To check how to report a serious data breach to your charity's regulator, refer to the guidance for charities incorporated in England and Wales, Scotland and Northern Ireland.

Trustees also have a duty to ensure that a serious data breach is reported to the Information Commissioner's Office without undue delay and, where feasible, within 72 hours of becoming aware of it. A breach that is unlikely to result in a risk to people's rights and freedoms does not have to be reported to the ICO, but it must still be recorded internally.

CAF's security centre provides more tips about how to protect yourself and your accounts from fraud.

If you suspect your CAF Bank accounts have been exposed to fraud or cyber attack, call our customer service team without delay on 03000 123 456 or email

If you believe your organisation has become a victim of fraud of any kind, please report it to the Action Fraud helpline on 0300 123 2040.


The following links are to external websites offering further coverage of this topic. CAF has not reviewed, does not control and is not responsible for these websites, their content or availability.

Action Fraud - The national fraud and cyber crime reporting centre provides a useful A-Z guide to different types of fraud.

The Charity Commission - Guidance for charity trustees on how to spot and report a serious incident, such as a personal data breach.

Charity Finance Group [links to PDF] - A data protection guide for charities, explaining the meaning and impact of GDPR, how to be compliant and what to do in response to a data breach. 

The Information Commissioner's Office (ICO) - Guidance and tools to help charities and not-for-profit organisations comply with GDPR.

National Cyber Security Centre (NCSC) - Common forms of cyber crime and simple, low-cost measures that charities can take to protect themselves.


Deception scams

Fraudsters are masters of deception. This guide examines how common scams work and what to do to avoid being duped.

Email scams

Fake emails are a common weapon used by cyber criminals. Don't become their next victim, learn how to spot the warning signs.

Malware and ransomware

Computer viruses can have a devastating impact on a charity's operations. Reduce the risk of your organisation being infected by harmful software.

CAF Bank Limited is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority (Financial Services Register number: 204451).

CAF Bank Limited Registered office is 25 Kings Hill Avenue, Kings Hill, West Malling, Kent ME19 4JQ. Registered in England and Wales under number 1837656.