hand gesturing at a screen full of donor data

3 Tips to Protect Your Donors' Data

Each time someone signs up for an email newsletter, donates to your organization, or registers for an event, they are entrusting you with their personal data. Outside of the regulations you legally need to follow when handling data, there are many ways that you can further protect your donors' personal information and build trust. Some, in fact, might be required by law in your jurisdiction. Check with your legal advisor to be sure.

drawing of a woman and man examining data along with a padlock symbol and a light bulb

Here are three tips to help you improve data protection at your nonprofit — all while giving donors more agency over how you use their information.

1. Establish a Data Protection Policy

If you don't already have one, be sure to create a policy that outlines how you will use the personal information people give you when they donate to your organization. Depending on where you operate, you may be legally required to publish a privacy policy and conform to certain data privacy standards.

Your privacy policy should clearly explain why you need a person's information, what you'll do with it, who you share it with, and how long you'll store it. This document should answer any questions and concerns your donors might have, explaining your reasons at every step, and it should be easy to understand.

If you need to comply with a regulation like GDPR, your privacy policy may need to contain some specific details, like your "legal basis" for retaining and processing personal information. We're not lawyers, so be sure to consult with competent legal counsel on how various privacy laws apply to your organization.

2. Consider the Information You Store — and Where You Store It

When building your policy, think about what data you're storing and why you're retaining it. In order to build trust with your donors, it can be helpful to mark any nonessential information as optional.

You can also limit how long you store donors' information and who has access to it. As part of your policy, you might include a clause saying that you'll delete donor information after a certain period of time.

In addition, try to limit who has access to donor data. Provide access only to those who need it to do their job and review access privileges regularly. The fewer people who have access to sensitive data, the less likely it is to be stolen in the event of a cyberattack.

Finally, think about where you're storing donor information. If you have the budget to do so, consider moving away from storing member information in spreadsheets and adopt a customer relationship manager. Spreadsheets are not secure. They're also challenging to manage and make it difficult to track who has access to what information.

Spreadsheets may also present compliance headaches. If you need to comply with GDPR, for instance, you need to be able to delete a donor's data upon request — a difficult task if you have a donor's information stored in multiple spreadsheets. If you're storing it in a central database like a donor management database, you'll have a much easier time managing your donor data and tracking who has access to it.

If you must use spreadsheets, store them in a secure place and control who can access them. An encrypted cloud storage solution like Box can be useful for this sort of purpose.


3. Evaluate Staff Account Security

In order to further secure your donors' personal information, take a look at your protocols around staff and volunteer user accounts.

Start with strong passwords: Use longer passwords and mix in uppercase and lowercase letters, as well as numbers and symbols. Each of your accounts should have a different password, especially those that hold sensitive data. If you have strong passwords, you don't need to change them regularly, but security experts say to change them if you ever suspect that they've been stolen.

To keep track of your passwords, use a password manager like Dashlane. This creates and updates complex passwords for you while enabling autofill so you don't have to reenter them each time.

But there are things you can do beyond good passwords. To start, use multi-factor authentication wherever possible. This requires your staff to verify their identity when they log in to your systems, usually by entering an alphanumeric code that they received via text message or authenticator app. This makes it more difficult for a cybercriminal to access your systems, even if they get hold of an employee's login name and password. Most popular online apps and services support some form of multi-factor authentication.

Second, look into using single sign-on. With single sign-on, your staff and volunteers get one username and password that they can use to log in to many different systems. This means fewer usernames and passwords for your team to remember. It also means easier account administration and enhanced security: If a staff member's account gets hacked, you can revoke access to all your systems that use single sign-on, all at once.

Eligible TechSoup member organizations can get 50 free licenses for Okta's single sign-on and user management solutions.


Prioritizing Data Protection

Learning about and implementing robust data protection measures at your nonprofit is one of the best ways to build trust and reduce the risk of data loss in the event of a cyberattack. Consider how you store your donors' information and how you protect it, and ensure that you have a clear policy detailing how their data will be used.

Additional Resources

Top photo: Shutterstock