Hackers Want Your Donor Data: How to Ensure Your Nonprofit Isn’t at Risk

Nonprofit organizations collect data — names, mailing and email addresses, birth dates and more. In fact, most nonprofits collect more data than they truly need, and many organizations do not have a single employee in charge of data privacy and security.
This can lead to a perfect storm of data breaches and systems hacking that can ruin even the most reputable nonprofit organization.
What Is Data Privacy?
When an organization collects data, it must do so transparently and securely, and it must obtain consent — that’s data privacy.
You must share with people what information you’re collecting from them, why you are collecting it and what will happen with the information.
It can be easy to confuse data privacy and security because they overlap. While security is 90% covered by data privacy, data privacy encompasses more than just security: it broadly governs how data is collected from members and how it is used, while security focuses on protecting that data from unauthorized access.
Why Focus on Data Privacy?
First and foremost, there can be legal consequences to ignoring data privacy. The U.S. does not have one comprehensive data privacy law, but the European Union does: the General Data Protection Regulation (GDPR). If your organization processes any data from individuals located in the European Union, you may be subject to its strict data privacy laws and regulations.
While some data privacy laws exist at the federal level in the U.S., they also vary by state. Nonprofits processing data from individuals located in multiple states can be subject to the privacy laws across all those areas. While some of these laws carve out exemptions for nonprofits, the definition of “nonprofit” can vary depending on the jurisdiction.
For nonprofit data privacy compliance, it’s generally best to set one high organizational standard across the board that conforms to the jurisdiction with the strictest data privacy laws. You’ll have a better chance of complying everywhere if you are following the most rigorous laws.
Why Most Organizations Have Issues With Data Privacy
Most nonprofits do not understand all the ways they are gathering data, as well as the time, effort and resources needed to keep that data secure. They put a privacy policy and cookie banner on their website and think they’re set. But they don’t know what they’re collecting, how it’s being collected, where their member data is or even how to access it.
Several U.S. states have laws, such as the California Consumer Privacy Act (CCPA), that allow consumers to request that a nonprofit delete their member data. If you don’t have all the pieces in place when your organization receives such a request, you’ll be scrambling to meet the legal deadline for fulfilling it.
And the consequences can be severe. In addition to the state and federal financial penalties that can be imposed, civil cases for violating data privacy laws can also be brought. Claims under state laws not specific to data privacy, such as negligence, can also be brought to court in the event of a data breach or compromise.
Tools to hack into websites and databases are easy to find and execute. From disgruntled employees to outside actors trying to uncover and expose member data, it no longer takes a hacking pro to compromise a nonprofit and do significant damage.
How to Take Action on Data Privacy
Donations and support require trust and transparency regarding data privacy and security. If your organization collects data, you are expected to take certain steps to maintain its security and integrity. Don’t ignore data privacy — it can be a costly mistake.
Here are a few ways to take data privacy action now:
- Work with reputable tech platforms. Keep all systems up to date and maintain permissions lists.
- Start with an audit. Work with a knowledgeable team to discover what data your organization is gathering, where it’s being collected, and how it’s being used and stored.
- Know your landscape. Identify each input point for data, from a physical sign-up sheet to online donation forms. Ask, “What data are we collecting here, and why are we collecting this?” Knowing this information can save significant time when working with data privacy and security professionals.
- Determine if you truly need all the information you’re collecting. Many organizations are capturing masses of data without any real need for it. In general, the less personal information you can make do with, the lower your level of risk.
If you determine you need to work with an external data privacy and security team, look for someone with the ability to meet your organization where it is. Many digital firms have a one-size-fits-all process that rarely leads to data privacy success. Every nonprofit is different, and the number of variables involved does not work well with a rinse-and-repeat format.
Compliance doesn’t need to be complicated. Find someone who understands your unique situation and can help you navigate the complexities, equipping your nonprofit with the knowledge and security you need to achieve success.
The preceding content was provided by a contributor unaffiliated with NonProfit PRO. The views expressed within may not directly reflect the thoughts or opinions of the staff of NonProfit PRO.

Tyler Schroeder is the managing principal of strategy for RBA Inc. Tyler helps organizations overcome business, brand and marketing challenges through results-driven digital solutions. Tyler’s extensive background focuses on digital strategy, data privacy, strategic planning and more. He has more than 15 years of experience working with universities, enterprises and nonprofits of all sizes.