Information governance: common mistakes

Blog by Ricci Wilding, information governance manager at charity IT specialists Smartdesc.

There are many charities and non-profits that do not have an information governance structure, sufficient processes, or training in place to ensure that data is being processed correctly and securely.

Unfortunately, it is becoming more common to see information governance discussed only when something goes wrong, such as a data breach or cyber threat, rather than putting in place an ongoing, proactive, information governance structure with sufficient training.

There was a heightened awareness about data protection and information governance when the new GDPR laws were released over four years ago. Since then, we often find that the topic has drifted into the background to the point where the charity feels it is a risk, and so comes to us asking for a review or health check on their data protection maturity.

Do you have strong processes and systems to track information governance at your charity? Is your data protection officer dedicated to the role, or do they wear this hat alongside their day job? If you had a breach, how would you decide whether to report it to the Information Commissioner’s Office?

Some key points to consider:

Where should I start?

  • Run an audit or gap analysis of your current situation: identify which processes are strong, which are weak and which do not exist at all, and map out the types of data you hold and the systems that hold them
  • You will never be 100% compliant, but there will be priority data types or core systems or applications that hold “the crown jewels”; focus on those first
  • The best way to raise awareness is training; it should be every six months and mandatory for all
  • Ask your service heads and users questions such as: how do you consider data protection as part of your everyday processes? What due diligence takes place for new suppliers or third parties? Where is the data held? Is it in the UK or Europe or unknown? Is it secure (encrypted, two-factor authentication protected etc.)?

How can a charity be more compliant?

  • Look at information governance as if it were a key business support function, like HR or comms or IT
  • Use a specialist or expert to help get your framework in place – you shouldn’t have to reinvent the wheel! A little investment upfront is well worth it in the long run
  • Put in a structure for information governance that reports to the senior leadership team on a regular basis; this gives it a voice and seat at the table
  • Consider outsourcing your data protection officer to a service provider, to take what can often be seen as a crown of thorns off internal staff. Smartdesc provides this service, and there are others such as Hope & May that are also focused on charities

What is a data protection impact assessment?

  • A review of an application you use, to gauge how secure it is, and what types of data it holds. All your mission-critical applications that store any data about your staff or service users/beneficiaries should have a DPIA run against them as part of due diligence
  • Applications change, so this is an action that should be completed ideally before procurement, but if not then done reactively and repeated annually
  • A DPIA should be completed when engaging with a new process or system

There needs to be an understanding from management and the board of trustees that information governance is a service provided to the organisation and needs to be resourced as such. Giving it to staff in addition to their day job simply pushes it to the bottom of their “to do” list. Information governance is most successful when everyone in the organisation has bought into it.

Organisations need to understand how serious the consequences can be if information governance is not implemented and data protection policies are not followed. It is not just about large fines from the Information Commissioner’s Office; it is the detrimental effect of reputational damage to the organisation should something go wrong. There is a loss of trust in an organisation once there has been a breach of any kind.

Outsource your information governance and data protection

Charity IT specialists and ACEVO & NCVO trusted supplier Smartdesc provide both general information governance support (either reactive advice or a retainer model for ongoing delivery) and a data protection officer service. Contact to book a free consultation.

Narrated by a member of the ACEVO staff
