The Ultimate Guide to Data Privacy For Nonprofits
Data privacy is a concern for everyone, not just big businesses. Nonprofits working to further certain causes are no exception. When dealing with the personal information of your donors or recipients of your services, you need to be cognizant of legal concerns related to protecting sensitive information. Effective cybersecurity will keep important information safe so you can keep fulfilling your mission!
Barely a day passes when the news does not cover privacy concerns or a significant data breach associated with a large for-profit corporation. Because of these trends, data security is likely to be top of mind with your members and visitors. The more transparent you are with how you store and utilize their data the more trust you will gain with the people who support you.
Fortunately, there are several means of nonprofit data management you can employ to keep sensitive data safe.
Here’s what we’ll go over today:
- What is Data Privacy for Nonprofits and Why is it So Important?
- Understand the Rules
- Make Sure Your Team Is Aware Of Your Nonprofit Data Privacy
What Is Data Privacy for Nonprofits And Why Is It So Important?
Although the legal definition of data privacy is difficult to pinpoint because it changes from region to region, the term generally means a person’s ability to determine what, when and how to share their personal information. The personal information may vary but is likely their name, contact information, current location, medical information, and purchase history. There is a general framework covering the importance of data privacy.
What Does Data Privacy Involve?
Data privacy concerns are the same for nonprofits as for businesses. This involves the protection of sensitive personally identifiable information that is involved in data collection, storage, and organizational use.
There are three major categories that fall under the umbrella of data protection: traditional data protection, data security, and data privacy.
Traditional Data Protection
Several components make up traditional data protection. The major aspects are:
- Keeping data safe by providing backup and restore protocols
- Following regulations regarding data replication
- Protecting the physical infrastructure used for archiving
- Implementing mechanisms to protect against data failure
- Retaining sensitive data securely to avoid unauthorized access
The intention is to keep data from getting lost and from being easily spread to other locations where it could be less secure. One of the best ways to combat this is using a tool made specifically for these issues, much like club management software, association management software, or an HOA database.
Data Security
Focusing on protecting the data itself, this methodology involves monitoring threats, encrypting information to protect it, authentication procedures to control access to sensitive information, and data loss prevention.
In short, these are the features you employ to keep someone who is unauthorized from getting to the data itself. For example, one of the greatest ways to enhance your security is to update and train your first line of defense - your staff! Providing information on common phishing schemes helps employees recognize and defuse potential threats that may come your way via emails and unsecured websites.
Data Privacy
These are rules that attempt to govern data protection and involve legislation, policies, third-party contracts, and best practices that suggest methods to keep data from falling into the wrong hands.
These rules vary on a global scale, and even within a country, which can make the required actions difficult to determine. One great example in the U.S. is the Health Insurance Portability and Accountability Act (HIPAA). This regulation specifically states who can access your personal medical data, how they can use it, and who they can share it with.
Why Is It So Important?
Any time a donor or other member gives you their personal information, they are trusting you to keep it safe and to prevent others from gaining access to this sensitive information.
The regulation and protection of that data should be a major concern for your NPO. Failure to maintain the integrity of privileged information, like donor bank account information, can result in:
- Lost resources, time, money, and donor organizations
- Loss of faith from donors, volunteers, employees, and others
Understand the Rules
In order to grasp the seriousness and significance of data privacy, you need to understand the various guidelines that need to be followed in different areas.
There is no single statute in place at the national level in the U.S. to cover data privacy. The requirements in New York differ from those in California, for example, resulting in a mixture of laws designated by different sectors or states that include HIPAA, FCRA, FERPA, GLBA, ECPA, COPPA, and VPPA.
If this sounds confusing and a bit daunting, you are not alone. Luckily, the Federal Trade Commission (FTC) offers guidance for businesses and organizations. In addition, Osano provides a list of privacy laws by state. Between these two sources, you will be well on your way to understanding the steps required to protect the information that passes through your organization.
There are a lot of gray areas, and many nonprofits and companies can use personal information or provide it to third parties without being required to notify the impacted individuals.
Since it’s such a messy conglomeration of rules and regulations, it is in your best interest to research your particular state and the activities you are engaged in to determine what you are and are not allowed to do with the information you collect.
Pro Tip: If you worry about, or are dealing with, a sensitive type of data (like medical data), please verify the applicable regulations with your lawyer. Understanding the requirements and ensuring they are followed will help alleviate issues before a problem arises.
Activity With or Within the EU
In the EU, the priority seems focused more on "data protection" than "data privacy." Laws focus on ensuring businesses acquire permission in advance of sharing data and are transparent about how data is used, both of which provide a bit more protection for individuals.
Pro Tip: Even if you are not connected to Europe, consider utilizing the General Data Protection Regulation (GDPR) standards as a best practice. This is currently one of the toughest regulations in the world, so complying with it gives you maximum protection. Moreover, similar regulations are likely to emerge all around the world in the future.
Risks of Non-compliance
Failure to comply with regulations in either location can result in serious repercussions, depending on the compromised data, which include:
- Compensation and Remediation Costs
- Audits by the Government
- Bank Fines (if involving user finances)
- Lost Revenue and Reputation
Getting your "ducks in a row" will allow you to spend your time making the world a better place, instead of dealing with any repercussions of data breaches!
Make Sure Your Team Is Aware Of Your Nonprofit Data Privacy
Work with all members of your organization to clearly define data privacy and ensure all stakeholders with access to sensitive data are aware of your related policies.
As this issue is becoming a growing concern worldwide, all entities that deal in private information, both for-profit and nonprofit, are expected to take responsibility for data collection and usage.
You hold the responsibility to inform users, with total transparency, of how their information will be used, and to take steps to protect their data.
Some suggestions to strengthen your nonprofit’s data privacy procedures:
- Add training on this topic to your onboarding process for employees and volunteers.
- Organize annual recurring training to keep data protection and privacy fresh in your team members’ minds.
- Consider protective software for nonprofit member databases for improved nonprofit fraud prevention.
- Keep a series of best practices posted where team members can see it regularly to keep privacy always in their thoughts.
Companies such as Springly or TechSoup can offer advice or services to help you better understand the responsibilities and preventative measures most nonprofits use for compliance.
You can always search for additional information and research new laws so you can take steps to protect donors from hackers or from mishandling of their personal data.