Key issues in data management and cyber security for heritage sector organisations

Data management and cyber security may seem like issues which only affect large corporate organisations. However, secure working, maintaining the quality of records and guarding against vulnerabilities created by old technology or personal devices and systems used by volunteers are all important considerations for smaller organisations. This resource outlines the main issues facing smaller organisations and what key actions can be taken.

This resource is available in English and Welsh

1. The importance of data management and cyber security

Data management

Even for smaller organisations, data is increasingly seen as an important asset. Having a focussed organisation-wide approach to data management can lead to continual improvements to the quality of data being captured and stored but also:

  • creates new opportunities for income generation
  • enables more effective marketing and with that, higher levels of stakeholder awareness and engagement
  • brings new insights into your organisation’s performance, effectiveness and impact, driven by good quality data
  • demonstrates that your organisation takes the handling of your supporters', volunteers', staff and other stakeholders' data seriously
  • protects the reputation, goodwill and brand-value of your organisation
  • ensures adherence to all applicable data laws and other related compliance matters (e.g. Data Protection Act/UK GDPR, PECR and PCI-DSS etc.).

Creating a data management plan will provide your organisation with clear direction as you work to maximise the benefits of good data management.

Cyber security

Cyber threats are a real and present danger and come in many guises. The sophistication, volume and sources of cyber threats such as malware, phishing, denial of service, and password forced access are only increasing.

Having an understanding of some of the common threats is an important first step in improving your cyber security.

  • Malware – software which is designed to damage, disrupt or gain access to a computer system.
  • Phishing – the practice of sending fraudulent emails designed to persuade the receiver to divulge personal information.
  • Denial of service – an attack designed to shut down a computer network through flooding the system with traffic or sending through information that triggers a crash.
  • Password forced access – a form of hacking which uses trial and error to determine passwords, login credentials or encryption keys.

Having strong cyber defences will protect your organisation from:

  • unauthorised access, loss, transfer or deletion of data
  • unauthorised sharing and publication of data online
  • financial loss through fraudulent payments, ransom demands and potentially severe fines for breaches of data law
  • operational disruption caused by a cyber security incident
  • attacks on its reputation, goodwill and income.

Strong cyber defences will also help your organisation adhere to all applicable data laws and other related compliance matters (e.g., Data Protection Act/UK GDPR, PECR and PCI-DSS).

2. Key issues

Our expert, Craig Humphries, senior consultant at Lightful, takes you through key issues organisations can encounter on the journey to improving data management and cyber security. He suggests action you can take and provides some sources of further support.

Below are some of the key issues for organisations of all sizes:

  • There can be confusion about who is accountable for the different aspects of data management and cyber security.
  • Maintaining organisational compliance with the Data Protection Act (2018), PECR and PCI DSS (where relevant) can be time-consuming and requires ongoing focus and resource.
  • Organisations may not have enough knowledge, experience or resources (both financial and time).
  • It can be unclear which systems and devices are in use and where, which has become more challenging since the rise in remote working.
  • There may be confusion about what data is being captured (e.g. personal, financial, special category/sensitive, commercially sensitive, etc.).
  • Organisations may not have a documented, tested and up-to-date data disaster recovery plan.
  • Managing and making changes to end-user access to systems and data may not be robust and timely enough.
  • With the rise in remote working, managing devices and security can be difficult. Implementing an MDM (Mobile Device Management) solution can help.
  • Two factor/multi-factor authentication may not be fully implemented.
  • There may be difficulty keeping all devices and systems up to date with security updates and version upgrades.
  • It is challenging to manage and protect your systems and data when staff and volunteers use their own electronic devices to receive emails or phone calls.
  • It can be difficult to find ways for everyone to keep data and security at the front of their minds in order to help identify potential cyber security threats and to escalate quickly to reduce or remove any impact to the organisation.

3. Actions to take

Now you are aware of key issues in data management and cyber security, you can take action. Here are some steps to get moving in the right direction:

  • Clarify accountability – who is responsible in your organisation for data management and cyber and system security? What help and support do they need?
  • Check that your organisation is taking all required steps to comply with data protection laws.
  • Make sure all staff and volunteers have regular, ideally annual, data protection and cyber security training and ad-hoc awareness communications.
  • Visit the National Cyber Security Centre website to learn more about cyber risks and the support materials and advice available.
  • Consider applying for the Cyber Essentials certification for your organisation.
  • Review your systems to ensure two or multi-factor authentication is enabled on all devices and systems where possible.
  • Check whether your organisation has an up-to-date and tested disaster recovery plan.
  • Create and roll out a data management plan.

Further sources of support

Below are some links to further reading and guidance we hope you will find helpful:

The Information Commissioner’s Office – Data Protection Act & PECR guidance

National Cyber Security Centre – Small/medium sized organisations cyber security guidance

National Cyber Security Centre – Cyber Essentials guidance

PCI Data Security Standard

Published: 2022
Resource type: Articles

Creative Commons Licence Except where noted and excluding company and organisation logos this work is shared under a Creative Commons Attribution 4.0 (CC BY 4.0) Licence

Please attribute as: "Key issues in data management and cyber security for heritage sector organisations" (2022) by Craig Humphries supported by The National Lottery Heritage Fund, licensed under CC BY 4.0


Digital Heritage Hub is managed by Arts Marketing Association (AMA) in partnership with The Heritage Digital Consortium and The University of Leeds. It has received Department for Digital, Culture, Media and Sport (DCMS) and National Lottery funding, distributed by The Heritage Fund as part of their Digital Skills for Heritage initiative. Digital Heritage Hub is free and answers small to medium sized heritage organisations' most pressing and frequently asked digital questions.