Charity Workshop newsletter | September 2023
As we navigate the challenges that charities continue to face, it’s not all doom and gloom. This edition of our newsletter looks at some of the key news you should be aware of.
In this issue:
- Data protection and privacy best practice guidance for charities and nonprofit organisations
- CC8 - Internal financial controls for charities
- Financial sustainability in a cost-of-living crisis
- Time to review your VAT recovery method
- New charity partnership St Giles Trust
If you would like to discuss any of the articles in more detail or would like to discuss another matter, please get in touch.
Data protection and privacy best practice guidance for charities and nonprofit organisations
By Richard Jackson, Partnerships Manager, Moore ClearComm
“All charities ultimately rely on public trust and continued public generosity. So, the impact of any cyberattack on a charity can therefore be devastating, not just for the organisation and those who rely on its services, but also in undermining public confidence and support. Taking steps to stay secure online is not an optional extra for trustees, but a core part of good governance.”
Helen Stephenson, Chief Executive, Charity Commission for England and Wales
Charities and nonprofits operate in a world where the regulatory overheads and obligations (in respect of data protection and cyber security) have been evolving and increasing steadily for many years. The malicious threat to the data processed in the third sector has increased dramatically in the last 2-3 years, with Covid-19 acting as an accelerant to an already alarming trend of cyber attacks on charities and nonprofits.
In my previous article, Cybercrime – charities under attack, I focused on the reasons why cyber criminals deliberately attack this sector, not least the huge volumes of data it collects and processes, along with the often sensitive nature of that data.
In this follow-up, I consider the latest data in respect of charities and data protection/cyber security, the ways the sector differs from the profit-based private sector, and how charities can work towards compliance with data protection legislation.
The UK and our passion for giving
It is fair to say that the concept of charity and giving is embedded in UK culture, with 66% of us donating to charity (at least once) in 2022 (source: Statista).
The way we give varies; however, the data below (NPT UK study on philanthropy and giving in the UK) provides an essential overview of how we donate – and in turn highlights the risks in terms of data protection and cyber security in respect of donors’ data:
- 62% of people who gave money in 2020 did so via donation or sponsorship;
- Cash giving was much lower than usual during the whole of 2020, and the trend continued into 2021;
- Donations made via contact-free or digital methods increased substantially during the pandemic;
- The proportion of people being asked to donate online had already been steadily increasing over the past few years, but in 2020 it jumped to 30% from 24% in 2019;
- Across 2020 around 3 in 10 (28%) people were regular givers, with 3% giving weekly and 25% giving monthly;
- 51% of adults reported giving from time to time while one in seven (14%) give rarely;
- 3 in 10 people are regular givers;
- Women are more likely than men to give regularly; and
- Fewer people volunteered than usual in 2020, but levels have remained relatively low during 2021 even as restrictions were lifted.
When we donate, by design we often provide our personal data as part of that standard process – therefore cyber criminals understand that the data processed by charities and nonprofits is a veritable goldmine. Some key facts about the sector:
- England and Wales: 169,029 registered charities, combined annual income of £83bn;
- Scotland: 24,020 registered charities, combined annual income of £13.6bn;
- Northern Ireland: 6,691 registered charities, combined annual income of £2.3bn;
- UK = £98.9bn industry;
- Sector collects huge volumes of personal data from customers, donors or stakeholders;
- Charities often share data with external organisations such as marketing companies; and
- Cyber criminals and other groups may be able to gain access to charities’ networks and/or information through these companies (supply chain risk is key in cyber security).
The National Cyber Security Centre (NCSC) Cyber Security Breaches Survey 2022 shows the percentage of organisations over time where cyber security is seen as a high priority for directors, trustees and other senior managers. Below are some of the key findings:
- 31% of businesses and 26% of charities estimate they were attacked at least once a week;
- One in five businesses (20%) and charities (19%) say they experienced a negative outcome as a direct consequence of a cyber attack;
- One third of businesses (35%) and almost 4 in 10 charities (38%) experienced at least one negative impact;
- Just over 4 in 10 charities (44%) allow people to donate to them online;
- Around 4 in 10 (42%) have beneficiaries that can access services online; and
- Charities are less likely than businesses to benefit from managed service providers.
The key takeaways from this data are:
- The board of a charity is responsible for making sure a charity is taking appropriate measures to protect itself from a cyber attack – not the IT department, or third-party providers.
- Board members do not need to be technical experts, but they do need to know enough about the importance of cyber security, to facilitate educated discussions and collaboration with key staff.
Charities have different legal structures including incorporated charities and unincorporated charities.
Responsibility, and potential personal liability, depends on the legal status of the charity. However, all charities that process personal data will be ‘controllers’ in terms of both the UK GDPR and DPA18 (The DPA 2018 controls how your personal information is used by organisations, businesses or the government), no matter what their status.
Key factors to be aware of:
- In the UK, there are some exemptions for nonprofit organisations in terms of paying the notification fee to the Information Commissioner’s Office (ICO);
- Charities still need to comply with the requirements of the relevant data protection legislation – even if they are exempt from paying the fee;
- Limited exemptions also apply to some of the compliance requirements, such as the need to maintain a Record of Processing Activity (ROPA) in accordance with Article 30 of the UK GDPR.
The UK GDPR sets out overriding principles which underpin the framework for compliance:
- ensuring that any processing of personal data is fair, lawful, and transparent;
- that personal data is only used for the purpose for which it was collected;
- that only relevant and necessary personal data is processed;
- that personal data is accurate and not kept for longer than necessary; and
- that there are adequate security measures in place to protect the personal data that’s being processed.
Many charities have focused on ensuring compliance with relevant data protection legislation and, as a result, have adequate data protection measures in place.
Some charities will however be less mature, and need to address the following:
- Ensure senior level responsibility for data protection within the charity;
- Ensure that trustees are aware of their responsibilities and have been adequately trained on privacy and data protection related matters;
- Consider whether a Data Protection Officer is required, or, if not, whether there is sufficient knowledge of data protection legislation and practices within the charity to be confident that all processing activities e.g., fundraising, are compliant;
- Undertake a data mapping exercise to understand and document what type of personal data is being processed, the purpose of the processing, the legal basis for the processing, who it is shared with and how long it is kept for;
- Ensure that all the relevant policies and procedures are in place and that staff/volunteers/trustees are aware of them; and
- Ensure that processes and procedures are in place to comply with data subject rights requests such as right to be informed and right to access personal data.
Based on the data and trends shown above, it is fair to say that the charity sector is 6-7 years behind the private sector in terms of cyber security focus.
The NCSC has recently followed up its research by producing a useful cyber security toolkit for charity boards.
The toolkit has been designed with larger charities in mind, to encourage essential discussions about cyber security between the board, trustees and wider staff. While trustees or board members do not need to be technical experts, they should be aware of the risks associated with cybercrime, and know how, why and whom to approach externally to reduce the risks their charity faces.
Moore ClearComm is part of Moore Kingston Smith, delivering data privacy, cyber security, business continuity and information security solutions to organisations worldwide.
Find out more at Moore ClearComm.
CC8 - Internal financial controls for charities
By Marcus Lees-Millais, Manager (Finance), Moore Kingston Smith Nonprofit Advisory
At the end of April 2023, the Charity Commission updated CC8, the guidance that relates to internal financial controls for charities. It is now more concise and covers areas that have become more prominent since the original version.
CC8 was first published in 2012, so these updates are long overdue and will no doubt be welcomed with open arms.
What has changed?
One of the most significant changes is the internal controls checklist, which provides a comprehensive list that shows you where there might be potential gaps in your own financial controls. It is a very thorough starting point and can be used to compare your charity’s financial controls against the guidance – you should aim to complete it annually.
What the checklist does not do, is assess the quality of the controls. For example, there is a checkbox that asks whether your charity conducts regular bank reconciliations. However, it does not include the thoroughness, accuracy, timeliness, or quality of those reconciliations. The quality and effectiveness of your internal financial controls could be the difference between the prevention of fraud or error, and the failure to prevent fraud and error. So, while the checklist is a very good starting point, it should be accompanied by an assessment of the quality and effectiveness of those controls, not simply whether or not those controls exist.
It should be completed by a member of staff responsible for finance processes and reviewed at board level. Not all the controls on the checklist are relevant for all charities, and the systems and processes operated by larger charities will typically go significantly over and above the processes set out on the checklist.
The guidance sets out the risks associated with cryptocurrencies and emphasises the importance for charities to understand those risks before accepting cryptoasset donations. If this type of donation is accepted, there is a range of recommendations including having a policy in place on the acceptance of cryptoassets, the need to ensure that any platform used is compliant with UK regulations, the requirement to keep accurate records of donations, and the importance of following HMRC guidance around the taxation of cryptoassets.
Cybercrime continues to be a current threat and charities are often seen as a soft target. This section has some basic tips and then links to more in-depth guidance which covers everything from protecting your charity, how to report fraud or cybercrime, through to a cyber security toolkit for charity boards and what to do if you are experiencing a live cyber attack. Typically, charity boards tend to be relatively hands-off when it comes to dealing with cyber security and so the toolkit is especially useful. It provides a comprehensive range of best practice policies and templates as well as e-learning videos and a list of counter fraud questions that trustees should ask of their organisation.
Other areas which have become relevant since CC8 was first published and are now a focus area for the Charity Commission, include the use of mobile payment systems (e.g., Google Pay or Apple Pay), a refresh on advice for more traditional fundraising risks and holding collections, making payments to related parties, and operating internationally.
What should you do?
CC8 is a very useful and broad starting point for improving your financial controls and we recommend that all nonprofit finance teams read it and complete the checklist. It is an excellent tool for identifying financial control gaps and you should always review the guidance if and when new issues arise.
Financial sustainability in a cost-of-living crisis
By Dan Fletcher, Director and Marcus Lees-Millais, Manager (Finance), Moore Kingston Smith Nonprofit Advisory
There are typically three main business models that charities follow. Clarity on this is the first step in ensuring your charity can be financially sustainable.
1. Fundraising charities rely on philanthropic support to provide services that create social value.
2. Service delivery charities are commissioned to provide services under contract.
3. Social enterprise charities generate income through selling goods and services, often at a premium because their customers are happy for them to invest any surplus back into delivering social value.
Charities can of course operate as hybrid versions of two or all three options, and this often creates challenges due to the differing priorities across the models. Whatever model, it is crucial to know the actual costs of delivering each service and decide how general costs and overheads are fairly apportioned. These apportionments can be somewhat arbitrary, and strategic decisions need to be made about how to recharge costs and how to be transparent.
Mind the (cost-recovery) gap
To be sustainable, this transparency must apply both internally and externally. Charities need to be clear about their funding gap to either sign it off or change their course of action and reduce it. Charity leaders also need to be transparent with funders about the true cost of their work. We often find that charities struggle to do either. This may be due to a lack of clear financial data or an inconsistent approach from one funding bid to the next.
Once the costs are clearly defined and allocated, it is possible to measure the cost-recovery gap between income and expenditure and to plan how to close and fund the gap. How you do this depends on your business model:
- A fundraising charity needs to understand the value of subsidy required to cover the gap so it can make a clear case for support.
- A service delivery charity needs to know what level of costs to include in tenders to decide how viable a contract is, or whether it will cost more to deliver a contract than will be received in income.
- A social enterprise needs to be sure that its sales prices are sufficient to create a surplus so that it has resources to spend on doing good.
For hybrid models, it is even more important, as a surplus from social enterprise activity may, for example, be used to supplement shortfalls in contract income. Being able to talk transparently and factually about a funding gap is important both internally and externally. It is crucial to closing that gap and being more financially sustainable.
Don’t forget about impact
But we can’t just talk about the money side of charity programmes without considering the impact they create. While any gap between income and expenditure does need to be closed, you can’t base a decision about investment in, or divestment of, charitable activities purely on the financials. We use a decision-making tool that plots the level of impact of each service against its financial sustainability.
In an ideal world, every service area would create high impact and be financially sustainable. Some services, however, are high impact with poor financial sustainability. Others may have had their day and be low impact and poor financial sustainability. There may even be some services that are financially sustainable but create low impact. Plotting your portfolio using the pictured 2×2 grid, with an indication of how this may change over time and relative importance, will create a visual decision-making tool to help you prioritise where to make changes.
A practical viewpoint
At the end of May 2023, we delivered a training session in partnership with Civil Society on financial sustainability. It was reassuring to talk with attendees about their own efforts to manage cost-recovery. However, they still faced challenges around minding the gap. One learning nugget was the importance of being more rigorous around defining direct support costs – those overhead items that arguably belong above the line as direct costs of delivering a service, thus making them more fundable to a commissioner, grant-maker or individual donor. Another takeaway was that a number of charities worked out the day rate for staff when compiling budgets by dividing their costs over 260 days, when in reality the number of actual chargeable days will be between 180 and 210. This simple shift can give your charity a much better and more realistic day rate and may even mean the difference between breaking even and making a loss.
We also spent some time discussing how to use return on investment (ROI) ratios for fundraising activities. While inter-charity comparisons are fraught with issues, it can be helpful to look at ROI when comparing performance over time. It can also be a useful tool to develop a cashflow plan of what level of investment may be needed to increase income over time.
In summary, understanding your underlying business model is critical for future financial sustainability. But to make the best decisions about future financial strategies, it is essential to consider impact and to think with both your financial head and your social heart when assessing the viability of your services.
Time to review your VAT recovery method
By Debbie Jennings, VAT Director, Moore Kingston Smith
Autumn can offer a good opportunity to clean up your VAT affairs in preparation for the second half of the year. Indeed, for the purposes of good governance, it is good practice to have regular reviews and a strategic overview of your charity’s VAT affairs, both to manage potential risk and to identify efficiencies and planning opportunities. The world is ever-changing, and this can have implications for all areas of the organisation, especially tax and VAT.
Starting from the basics
Charities often have complex VAT accounting, normally because they undertake activities that do not fit neatly within the fundamentals of a VAT system. VAT is a self-administered and simple turnover tax, which is applicable to taxable supplies made in the course of business. However, making taxable supplies is not usually the main activity or primary purpose of a charity, which is why charities and charitable activities do not sit comfortably within a VAT system.
Charities may undertake a range of activities that attract different VAT treatments, or be outside the scope of VAT. This can determine:
- whether there are any positive VAT liabilities to pay to HMRC;
- how VAT incurred on costs should be treated: fully recovered, partly recovered, or fully disallowed; and
- whether there is an opportunity to avoid paying VAT from the outset by utilising available reliefs and efficient structuring.
It is important to recognise the difference between non-business activities/income and VAT exempt business activities for VAT purposes. In principle, both can lead to VAT incurred on related costs not being recoverable, but they are covered by different rules. Generally, the approach to VAT recovery is a two-stage process unless the charity has agreed a combined method with HMRC. That said, the fundamental test as to whether VAT incurred on costs is recoverable is: can it be shown as having a direct link with a taxable supply, or intended taxable supply, made in the course of business? Essentially, is it a cost component or cost of sale of a taxable supply?
It is necessary to first carry out a business/non-business apportionment of VATable costs before moving on to the partial exemption apportionment. The second step involves looking at the taxable and exempt supplies made, and then calculating the impact of these on VAT recovery.
The non-business restriction is not partial exemption, so it is not covered by the partial exemption regulations.
Business/non-business apportionments are subject to far fewer regulations and requirements, with the key objective being to give a fair and reasonable VAT recovery. That said, the overall impact requires the same test to be applied: how are activities, be they non-business, business taxable or business exempt, consuming or using VATable costs?
It is worth remembering that certain non-business income can act as deficit funding, or passive income, and this means that it could be ignored when making a potential restriction in VAT recovery.
Partial exemption is covered by specific VAT regulations, and these dictate what method can be used to calculate recoverable VAT. The partial exemption regulations also require that an annual adjustment is carried out at the end of the VAT year, and this is for the purposes of smoothing out any potential seasonal fluctuations. The VAT year is usually the end of March, April or May, but it can be different if a partial exemption special method has been agreed.
The majority of partially exempt organisations use what is known as the default standard method, and this is based on a comparison of turnover figures. However, use of the standard method is not mandatory, and an organisation can apply to HMRC for use of a special method. Use of the standard method does not require approval by HMRC.
Any method needs to give a fair and reasonable recovery, and this needs to be based on the income and activities. The application for a partial exemption special method should be supported by indicative figures and example calculations. Any special method also has to be agreed with HMRC in advance and cannot be backdated.
Commonly used special methods include those based on staff numbers, floor space, purchases or transaction counts, or a combination of these or other methods.
When carrying out a review of your VAT affairs, it is always prudent to consider whether a change in method may be required or desirable. This could be because activities and income sources, or expenditure may have changed.
The VAT year end gives an opportunity for considering the following practical points:
- When was the overall basis for VAT recovery put into place?
- What activities were being carried out at that time, and what income was being received?
- What has changed (if applicable) since that time, e.g., new, or different income sources; the expenditure profile; significant capital expenditure, etc?
- Do the current VAT recovery method(s) provide for a fair, reasonable and realistic VAT recovery?
- Would a different method give a better outcome, and provide for a more accurate reflection of how costs are being used and consumed?
Conclusion and takeaways
VAT is a self-assessed tax, so the onus is on the taxpayer both to comply and to maximise efficiencies. VAT recovery by charities is often regarded as a complex area, so it is worthwhile taking a high-level, practical and pragmatic view. The objective is to keep up to date with your activities, income and expenditure, and to accurately and effectively identify a method that reflects how VATable costs are used by the charity.
Very simply, the rhetorical question to ask is: “What am I buying, why am I buying it and what will I use it for?”
New charity partnership St Giles Trust
We are thrilled to announce that our people have chosen St Giles as the firm’s new Charity Partner, by a firm-wide vote. St Giles provides support across a broad range of issues with services designed to make a genuine, long-term impact on social mobility, an issue that is close to the heart of a number of the firm’s people. Social mobility is also the priority area of focus for the firm’s Equity, Diversity and Inclusion and Charity Committees for 2023.
We have a number of videos, ranging from webinars and panel debates to short discussions, to help you navigate the issues facing the charity sector.