Charity Cybersecurity Checklist: 25 Checks Every Charity Must Run
This checklist walks through 25 cybersecurity and data protection checks that every UK charity should be able to confirm. Use it to identify gaps, prioritise remediation, and demonstrate governance diligence to the Charity Commission, major funders, and the ICO.
Running this checklist typically identifies 5–8 significant gaps in charity cybersecurity and data protection — most of which can be addressed at minimal cost.
Charity Cybersecurity and Data Protection Checklist
Work through the following checks:
- Governance — is cyber risk on the trustee board's risk register with a named risk owner?
- DPL — is there a named Data Protection Lead with clear accountability for data protection compliance?
- Trustee briefing — have trustees received a cybersecurity briefing in the last 12 months?
- MFA — is Multi-Factor Authentication enabled on all Microsoft 365, Google Workspace, and other cloud accounts?
- Endpoint protection — are all staff and volunteer devices running up-to-date endpoint security software?
- Email security — is there email filtering in place that detects phishing, malware attachments, and impersonation attacks?
- Patches — are operating systems and software automatically updated on all devices?
- Backup — is critical data backed up automatically? When was the last restore test?
- Payment verification — is there an out-of-band verification process for new payees and payment detail changes?
- Staff training — have all staff and volunteers received data protection and security awareness training in the last 12 months?
- Phishing test — has the charity conducted a simulated phishing test in the last 12 months?
- ROPA — does the charity have a current Record of Processing Activities?
- Lawful basis — is the lawful basis documented for all personal data processing activities?
- Privacy notice — is the charity's privacy notice current, accurate, and easily accessible?
- SAR process — is there a documented process for responding to Subject Access Requests within 30 days?
- Retention policy — does the charity have and apply a data retention and deletion policy?
- DPAs — does the charity have Data Processing Agreements with all third-party data processors?
- Supplier security — has the charity assessed the security posture of its highest-risk technology suppliers?
- Incident response procedure — does the charity have a documented data breach response procedure?
- ICO notification — does the team know how to notify the ICO within 72 hours of a breach?
- Charity Commission reporting — does the team know when and how to report a serious incident?
- Cyber insurance — does the charity have appropriate cyber insurance?
- Cyber Essentials — is the charity Cyber Essentials certified (required for government grants and NHS contracts)?
- Access review — is there a process for promptly revoking access when staff or volunteers leave?
- DSPT — if the charity accesses NHS systems, is the Data Security and Protection Toolkit (DSPT) completed at Standards Met?
Using Your Checklist Results
Gaps in this checklist represent priorities for your data protection and cybersecurity programme. Start with the governance items (DPL, risk register, trustee briefing) and technical quick wins (MFA, patches, backup) before moving to documentation (ROPA, policies, DPAs). Kyanite Blue provides charity cybersecurity assessment and implementation support — helping charities close gaps efficiently using the free resources available to the sector alongside affordable commercial tools where needed.