Each time someone signs up for an email newsletter, donates to your organization, or registers for an event, they are entrusting you with their personal data. Outside of the regulations you legally need to follow when handling data, there are many ways that you can further protect your donors' personal information and build trust. Some, in fact, might be required by law in your jurisdiction. Check with your legal advisor to be sure.
Here are a few ways you can improve data protection at your nonprofit — and give donors more agency over how you use their information.

Establish a Data Protection Policy
If you don't already have one, be sure to create a policy that outlines how you will use the personal information people give you when they donate to your organization. Depending on where you operate, you may be legally required to publish a privacy policy and conform to certain data privacy standards.
Your privacy policy should clearly explain why you need a person's information, what you'll do with it, who you share it with, and how long you'll store it. This document should answer any questions and concerns your donors might have, explaining your reasons at every step, and it should be easy to understand.
If you need to comply with a regulation like GDPR, your privacy policy may need to contain some specific details, like your "legal basis" for retaining and processing personal information. (We're not lawyers, so be sure to consult with competent legal counsel on how various privacy laws apply to your organization.)
Keep Your Software and Systems Current
Keeping your systems and software up to date can go a long way toward ensuring data security and donor trust. Many cyberattackers prey on out-of-date systems, so by keeping up with security updates and patches, you're stopping many potential security problems before they start. After all, avoiding an attack means avoiding a hit to your reputation.
Many software products come with automatic software-update functionality, which can simplify the process. Still, there are potential pitfalls, so it's a good idea to know which of the products you use are receiving automatic updates and which still need to be updated by hand.
Regularly updating your operating systems is a good start, but don't forget other popular software products — productivity apps, PDF readers, server solutions, and so on. These are all common targets for cyberattackers.
Consider the Information You Store — and Where You Store It
In order to build trust with your donors, it can be helpful to limit the amount of data you collect about them. With that in mind, consider what data you're storing and why you're retaining it. Be up-front about your privacy policy, and mark any non-essential information collection as optional.
You can also limit how long you store donors' information. As part of your policy, you might include a clause saying that you'll delete donor information after a certain period of time.
In addition, try to limit who has access to donor data. Provide access only to those who need it to do their job and review access privileges regularly. The fewer people who have access to sensitive data, the less likely it is to be stolen in the event of a cyberattack.
Finally, think about where you're storing donor information. Spreadsheets are not secure. They're also challenging to manage and make it difficult to track who has access to what information.
Spreadsheets may also present compliance headaches. If you need to comply with GDPR, for instance, you need to be able to delete a donor's data upon request — a difficult task if you are storing donor data in multiple spreadsheets.
So if you have the budget to do so, consider moving away from storing member information in spreadsheets and adopting a customer relationship management (CRM) system, such as a donor management database. With one, you'll have a much easier time managing your donor data and tracking who has access to it.
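The retention clause and the GDPR erasure request described above are easiest to honour when every copy of a donor's data can be found and removed from one place. The following is an added example (not code from this article or from any CRM product) that walks through both procedures over three constructed tables standing in for a donor database: a time-based purge of donors who have not been contacted within the retention period, and erasure of a single donor on request. The three-year retention period, the table layout, and the choice to pseudonymise donation rows rather than delete them are assumptions made for the example; your own policy decides those. The audit trail deliberately records only record IDs, not the name or email being erased.

```python
"""Retention purge and erasure-on-request over constructed donor records."""
import copy
from datetime import date, timedelta

# Constructed sample data standing in for three tables in a donor database.
DONORS = [
    {"id": 1, "name": "Ada Example", "email": "ada@example.org", "last_contact": date(2021, 3, 1)},
    {"id": 2, "name": "Ben Example", "email": "ben@example.org", "last_contact": date(2024, 5, 20)},
    {"id": 3, "name": "Cy Example", "email": "cy@example.org", "last_contact": date(2024, 6, 2)},
]
DONATIONS = [
    {"donor_id": 1, "amount": 50, "on": date(2021, 2, 28)},
    {"donor_id": 2, "amount": 20, "on": date(2024, 5, 20)},
    {"donor_id": 3, "amount": 75, "on": date(2024, 6, 2)},
]
NEWSLETTER = [
    {"email": "ada@example.org", "optional_phone": "+1 555 0100"},
    {"email": "cy@example.org", "optional_phone": None},
]

RETENTION_DAYS = 3 * 365  # assumption: policy says delete after three years without contact


def sample_data():
    """Fresh copies of the constructed tables so each run starts from the same state."""
    return copy.deepcopy(DONORS), copy.deepcopy(DONATIONS), copy.deepcopy(NEWSLETTER)


def erase_donor(donors, donations, newsletter, email, reason="request", audit=None):
    """Remove every copy of one donor's personal data.

    Donation rows are pseudonymised (donor_id cleared) rather than deleted, on the
    assumption that the amount and date are still needed for accounting; the
    audit entry stores only record IDs so the log itself holds no personal data.
    Returns True if a donor matched the email, False otherwise.
    """
    wanted = email.strip().lower()
    ids = {d["id"] for d in donors if d["email"].lower() == wanted}
    if not ids:
        return False
    donors[:] = [d for d in donors if d["id"] not in ids]
    newsletter[:] = [n for n in newsletter if n["email"].lower() != wanted]
    for row in donations:
        if row["donor_id"] in ids:
            row["donor_id"] = None  # amount and date survive, identity does not
    if audit is not None:
        audit.append({"action": "erase", "reason": reason, "donor_ids": sorted(ids)})
    return True


def purge_expired(donors, donations, newsletter, today, retention_days=RETENTION_DAYS, audit=None):
    """Apply the retention clause: erase donors not contacted within the period.

    Returns the number of donors purged.
    """
    cutoff = today - timedelta(days=retention_days)
    expired = [d["email"] for d in donors if d["last_contact"] < cutoff]
    for email in expired:
        erase_donor(donors, donations, newsletter, email, reason="retention", audit=audit)
    return len(expired)


def run_demo():
    """Run the purge as of a fixed date, then an erasure request, and summarise."""
    donors, donations, newsletter = sample_data()
    audit = []
    purged = purge_expired(donors, donations, newsletter, date(2024, 7, 1), audit=audit)
    erase_donor(donors, donations, newsletter, "ben@example.org", audit=audit)
    return {
        "purged": purged,
        "donors_left": len(donors),
        "newsletter_left": len(newsletter),
        "pseudonymised_donations": sum(1 for r in donations if r["donor_id"] is None),
        "audit_entries": len(audit),
    }


if __name__ == "__main__":
    print(run_demo())
```

Running the demo purges only Ada (last contacted in 2021), keeps Ben and Cy, and then erases Ben on request; both donation rows lose their donor link while their amounts remain, and the audit log ends up with two entries that name record IDs only.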
You should never share spreadsheets containing donor data via email. Email is not a secure means of communication, and, as anyone who has accidentally CC'd an entire mailing list can tell you, it's easy to leak. Don't do it.
If you must use spreadsheets, store them in a secure place and control who can access them. An encrypted cloud storage solution like Box, Dropbox, or OneDrive (part of Microsoft 365) can be useful for this sort of purpose.
Evaluate Staff Accounts and Security Practices
To further secure your donors' personal information, take a look at your protocols around staff and volunteer user accounts, as well as your security practices.
Start with strong passwords: Use longer passwords and mix in uppercase and lowercase letters, as well as numbers and symbols. Do not reuse passwords. Each of your accounts should have a different password. If you have strong passwords, you don't need to change them regularly, but security experts say to change them if you ever suspect that they've been stolen.
To keep track of your passwords, use a password manager. A password manager generates and stores complex, unique passwords for you and can autofill them, so you don't have to retype them each time.
But there are things you can do beyond good passwords. To start, use multi-factor authentication wherever possible. Multi-factor authentication (MFA) requires your staff to verify their identity when they log in to your systems, usually by entering a one-time alphanumeric code that they received via text message or generated with an authenticator app. This makes it more difficult for a cybercriminal to access your systems, even if they get hold of an employee's login name and password. Most popular online apps and services support some form of multi-factor authentication.
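To show what the authenticator-app code in the paragraph above actually is, here is an added example (not code from this article or from any vendor) of time-based one-time passwords as standardised in RFC 6238: the app and the server share a secret, and both derive the current six-digit code from that secret and the current 30-second time step. The server-side verifier also refuses a code it has already accepted, so a one-time code that was intercepted cannot be reused within the drift window. The time step, digit count and one-step tolerance window are the usual defaults and are assumptions of the example; the shared secret in the usage below is the published RFC test key, not a real credential.

```python
"""TOTP code generation and verification (RFC 6238 on top of RFC 4226 HOTP)."""
import base64
import hashlib
import hmac
import struct
import time

TIME_STEP = 30  # seconds per code; the default most authenticator apps use
DIGITS = 6
WINDOW = 1      # also accept the previous and next step to absorb clock drift


def decode_base32_secret(text: str) -> bytes:
    """Authenticator apps are enrolled with a base32 secret; restore any
    stripped padding and decode it to the raw HMAC key."""
    cleaned = text.replace(" ", "").upper()
    return base64.b32decode(cleaned + "=" * (-len(cleaned) % 8))


def hotp(secret: bytes, counter: int, digits: int = DIGITS) -> str:
    """RFC 4226: HMAC-SHA1 over the big-endian counter, then dynamic truncation."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    number = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(number % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at: int, digits: int = DIGITS, step: int = TIME_STEP) -> str:
    """RFC 6238: the HOTP counter is the number of time steps since the Unix epoch."""
    return hotp(secret, at // step, digits)


def match_totp(secret: bytes, submitted: str, at: int, window: int = WINDOW):
    """Return the time-step counter the submitted code matches, or None.

    Each candidate is compared with hmac.compare_digest so the comparison
    itself does not leak how many digits were right.
    """
    if len(submitted) != DIGITS or not submitted.isdigit():
        return None
    base = at // TIME_STEP
    for delta in range(-window, window + 1):
        if hmac.compare_digest(hotp(secret, base + delta), submitted):
            return base + delta
    return None


class MfaVerifier:
    """Server-side check that remembers the last accepted time step per user,
    so a code that was already used cannot be replayed inside the window."""

    def __init__(self, window: int = WINDOW):
        self.window = window
        self.last_counter = {}  # user -> highest time-step counter accepted so far

    def check(self, user: str, secret: bytes, submitted: str, at=None) -> bool:
        at = int(time.time()) if at is None else at
        matched = match_totp(secret, submitted, at, self.window)
        if matched is None or matched <= self.last_counter.get(user, -1):
            return False
        self.last_counter[user] = matched
        return True


if __name__ == "__main__":
    # Usage with the RFC 6238 test key (20 ASCII bytes), as an authenticator
    # app would receive it in base32 during enrolment.
    key = decode_base32_secret("GEZDGNBVGY3TQOJQGEZDGNBVGY3TQOJQ")
    verifier = MfaVerifier()
    code = totp(key, int(time.time()))
    print("current code:", code)
    print("first use accepted:", verifier.check("alice", key, code))
    print("replay rejected:", not verifier.check("alice", key, code))
```

The RFC's own test vectors make the generator easy to check: with that key, time 59 yields 94287082 as an eight-digit code, which the six-digit form shortens to 287082. A real deployment stores each user's secret encrypted at rest and keeps the last-accepted counter in the same store, because the replay check only works if it survives across requests.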
Second, look into using single sign-on. With single sign-on, your staff and volunteers get one username and password that they can use to log in to many different systems. This means fewer usernames and passwords for your team to remember. It also means easier account administration and enhanced security: If a staff member's account gets hacked, you can revoke access to all your systems that use single sign-on, all at once.
Eligible TechSoup member organizations can get 50 free licenses for Okta's Workforce Identity Cloud, which features single sign-on and user management solutions.
Finally, the people within your organization are part of your defenses when it comes to securing donor data. Make sure they understand and adhere to best practices when handling sensitive data. KnowBe4's Cyber Security and Compliance training is a good place to start.
Prioritizing Data Protection
Want to take the next step? Take a look at our security resources for nonprofits. From antivirus to secure data storage to training and services, we have what you need to better safeguard your donors' data.
Additional Resources
- Learn about Zero-Trust Security: The Modern Way to Manage Multiple Accounts and Services.
- Watch TechSoup Courses' free recording Get Protected: Introduction to Data Privacy and Cybersecurity for Nonprofits.
- Take TechSoup Courses' Tech Planning 201: Developing a Data Strategy.
Top photo: Shutterstock
