Donor data is the lifeblood of many nonprofit organizations. Your mailing lists help you request donations and maintain donor relationships. They also allow you to contact volunteers when you need them. Even more important than contact information is the financial details you collect from donors. Without this data, your organization couldn’t reach its fundraising goals.
This data is valuable to your organization and even more precious to the people who provide it. They trust you with their personal information, and you have a legal responsibility to protect it. Here are a few steps and best practices to secure your donors’ private data.
1. Evaluate Your Network’s Risks and Weaknesses
Every nonprofit is susceptible to hacking, data breaches, and human error. Between contact information, segmented donor data, and payment details, your data could be a valuable target. Therefore, your organization has inherent cybersecurity risks.
The first step to protecting your donors’ data is understanding the weak links in your system. Start by taking inventory of all your nonprofit’s data. Your data likely includes personally identifiable information (PII) about employees, volunteers, and donors. If data isn’t anonymous, it’s legally protected as confidential, and you must do your due diligence to safeguard it. A data breach could damage your donor relations and leave you with legal liabilities.
As you evaluate your nonprofit’s data, separate it into three categories:
- Data you can’t afford to lose
- Data that can’t be exposed
- Nonessential data
For each type of data, ask yourself what could happen to it, how likely each scenario is, and what the consequences would be. Maybe a virus on a company computer could render your data inaccessible. A ransomware attack could encrypt your donor data or send it to third parties. A keystroke logger could pick up credit card numbers or email addresses.
Next, look at where you store your data, both the physical computers and the programs. Is your software secure and up-to-date? Is the computer password protected? Consider which employees or volunteers access this data and how knowledgeable they are about data security.
You may want to work with a managed IT provider to understand your risks better. They can conduct a nonprofit cybersecurity network assessment for your organization alongside proactive monitoring to uncover unexpected weaknesses. For example, when users install unapproved software on your computers or access data they shouldn’t, you can be at risk.
2. Stay Compliant With Rules and Regulations
Nonprofits are subject to a few different data security regulations, depending on the data they collect. Those requirements might include:
Personally Identifiable Information Laws
As of 2020, all 50 states have laws regarding data security breaches. These rules require an organization to notify individuals affected by a PII data breach. Data your nonprofit might collect that counts as PII includes:
- Full names, including maiden names or mothers’ maiden names
- Personal identification numbers such as taxpayer-identification numbers, financial account numbers, or credit card numbers
- Personal address information, either a street address or email address
- Personal telephone numbers
- Internet Protocol (IP) or Media Access Control (MAC) addresses that link to a particular individual
Also, some data that is not PII on its own becomes PII when it is linked to a direct identifier such as a name. These data points include:
- Dates or places of birth
- Business telephone numbers
- Business mailing or email addresses
- Geographical information
- Employment information
- Medical information
- Education information
- Financial information
Many of the examples above are likely crucial to your organization. Whether it’s email addresses or credit card numbers, you must treat the information as confidential. In at least 34 states, nonprofits must safely destroy or dispose of PII after it’s no longer needed.
General Data Protection Regulation (GDPR)
Global charities must follow the General Data Protection Regulation (GDPR), enacted in the European Union. Any organization that collects donations or serves European citizens and collects PII on them must follow the GDPR.
3. Create and Maintain a Culture of Privacy
One of the best things you can do as a nonprofit is to educate your community on data privacy. When employees and volunteers practice good data hygiene, your organization reduces its risk. When your team recognizes their responsibility for protecting donors’ data, they act ethically and cautiously. Here are a few ways your organization can bolster its privacy culture:
Train Your Employees in Phishing Prevention
Nearly 60 percent of nonprofits do not provide cybersecurity training for their staff. It only takes one person to fall for a phishing scam for a network to become compromised. Sophisticated phishing scams may appear to come from a board member or even a high-profile donor. When someone clicks the link, they may install viruses or ransomware. A convincing email might persuade someone to hand over their passwords.
Training your team to recognize phishing emails can keep your data secure. When you work with a managed IT service provider, employees can forward suspicious emails to a designated address. Then, an IT manager can investigate the issue and prevent it from compromising donor data.
Protect Employees’ Personal Devices
Many nonprofits have employees or volunteers working on their own devices, which are vulnerable to data breaches. Your team members must understand how to treat organizational data on their own devices. A few policies can help your organization protect its donor data.
First, make sure employees password-protect their devices. Add another layer of password protection for accessing the organization’s software or network. Also, consider mobile device management services, available through a managed IT provider.
Require Strong Passwords
Requiring your team to set strong passwords protects data from prying eyes. Consider a policy requiring a certain length or special characters and have team members update passwords regularly.
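One way an IT administrator could enforce such a policy at account-creation or password-change time is a small checker that reports every violation at once. The following Go program is an added example written for this page; it is not code from Consolidated Technologies, Inc. The minimum length (12), the number of required character classes (3), the 90-day rotation window, the organization-name check and the tiny denylist are all assumed values chosen for illustration, not figures from the article.

```go
package main

import (
	"fmt"
	"strings"
	"time"
	"unicode"
)

// Policy thresholds are assumptions for this example; the page only says to
// require a certain length or special characters and to rotate regularly.
const (
	MinLength  = 12 // counted in characters (runes), not bytes
	MinClasses = 3  // out of: upper, lower, digit, special
	MaxAge     = 90 * 24 * time.Hour
)

// Constructed denylist of well-known weak passwords. A real deployment would
// load a large breached-password list instead of these few entries.
var commonPasswords = map[string]bool{
	"password":    true,
	"password123": true,
	"welcome1":    true,
	"letmein123":  true,
	"donate2020":  true,
}

// CheckPassword returns every policy violation for a candidate password, so
// the user sees all problems at once rather than one per attempt. orgName is
// rejected as a substring because staff tend to reuse it (assumed policy).
func CheckPassword(pw, orgName string, lastChanged, now time.Time) []string {
	var problems []string

	if n := len([]rune(pw)); n < MinLength {
		problems = append(problems, fmt.Sprintf("too short: %d characters, minimum %d", n, MinLength))
	}

	var upper, lower, digit, special bool
	for _, r := range pw {
		switch {
		case unicode.IsUpper(r):
			upper = true
		case unicode.IsLower(r):
			lower = true
		case unicode.IsDigit(r):
			digit = true
		case unicode.IsPunct(r), unicode.IsSymbol(r), unicode.IsSpace(r):
			special = true
		}
	}
	classes := 0
	for _, present := range []bool{upper, lower, digit, special} {
		if present {
			classes++
		}
	}
	if classes < MinClasses {
		problems = append(problems, fmt.Sprintf("uses %d character classes, minimum %d", classes, MinClasses))
	}

	lowered := strings.ToLower(pw)
	if commonPasswords[lowered] {
		problems = append(problems, "appears on the common-password denylist")
	}
	if orgName != "" && strings.Contains(lowered, strings.ToLower(orgName)) {
		problems = append(problems, "contains the organization name")
	}
	if age := now.Sub(lastChanged); age > MaxAge {
		problems = append(problems, fmt.Sprintf("last changed %d days ago, maximum %d",
			int(age.Hours()/24), int(MaxAge.Hours()/24)))
	}
	return problems
}

func main() {
	now := time.Date(2024, 6, 1, 0, 0, 0, 0, time.UTC)
	for _, pw := range []string{"password123", "Donors-Matter-2024!"} {
		problems := CheckPassword(pw, "CTInc", now.AddDate(0, 0, -30), now)
		if len(problems) == 0 {
			fmt.Printf("%q: accepted\n", pw)
			continue
		}
		fmt.Printf("%q: rejected\n", pw)
		for _, p := range problems {
			fmt.Println("  -", p)
		}
	}
}
```

The denylist check is the part worth growing in practice: current NIST guidance (SP 800-63B) weighs length and screening against known-breached passwords more heavily than composition rules or forced rotation, so treat the class and age thresholds above as tunable rather than fixed.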
A Few Day-to-Day Tips
Working with a managed IT provider, like Consolidated Technologies, Inc., can help you develop a framework for securing donor data most effectively. A few internal policies and practices can also help. Here are the best practices needed to promote and support data security at your organization:
- Keep software and hardware up to date: Software and device vendors release regular updates to patch known security issues. Updating your systems, or setting them to update automatically, helps you close those security gaps right away.
- Use antivirus and anti-malware technology: Any time your team uses the web, they’re exposed to viruses and malware. Antivirus and anti-malware software significantly reduces this risk. It can also protect team members who are less aware of the dangers they face online. With this software blocking suspicious downloads and scanning for threats, your organization can browse the internet more safely.
- Use a secure database: A database that encrypts PII offers superior protection. Even if a computer gets hacked or stolen, the information remains unreadable. Larger organizations often encrypt their data in an on-site server. If you cannot afford a physical server, invest in secure cloud-based storage.
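The "remains unreadable" property in the last point only holds if the encryption key is kept away from the stolen machine or database dump. The following Go program is an added example written for this page (not code from Consolidated Technologies, Inc. or from any particular donor-management product) showing field-level encryption of PII columns with AES-256-GCM from the Go standard library. The donor record layout, the column names, the demo key and the sample donor values are all constructed for illustration; the comment about sourcing the key from a secrets manager or KMS is an assumption about deployment, not something the article specifies.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
)

// DonorRow models a database row. Searchable, non-sensitive columns are
// stored in the clear; PII columns hold only ciphertext.
type DonorRow struct {
	ID           int
	DisplayName  string
	EmailEnc     string // base64(nonce || AES-256-GCM ciphertext)
	CardLast4Enc string
}

// newGCM builds an AES-GCM cipher from a 32-byte key. In a real deployment the
// key comes from a secrets manager or KMS, never from the same database or
// laptop that holds the encrypted rows (assumption for this example).
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, errors.New("key must be 32 bytes for AES-256")
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptField seals one PII value. The column name is bound as associated
// data, so a ciphertext copied from the email column into the card column
// fails to decrypt instead of silently yielding the wrong value.
func EncryptField(key []byte, column, plaintext string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	nonce := make([]byte, gcm.NonceSize()) // fresh random nonce per value
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	sealed := gcm.Seal(nonce, nonce, []byte(plaintext), []byte(column))
	return base64.StdEncoding.EncodeToString(sealed), nil
}

// DecryptField reverses EncryptField. Any error means the key is wrong, the
// column binding does not match, or the stored bytes were altered.
func DecryptField(key []byte, column, encoded string) (string, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return "", err
	}
	raw, err := base64.StdEncoding.DecodeString(encoded)
	if err != nil {
		return "", err
	}
	if len(raw) < gcm.NonceSize() {
		return "", errors.New("ciphertext too short")
	}
	nonce, ct := raw[:gcm.NonceSize()], raw[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(column))
	if err != nil {
		return "", errors.New("decryption failed: wrong key, wrong column or tampered data")
	}
	return string(pt), nil
}

// StoreDonor encrypts the PII fields before they ever reach the row.
func StoreDonor(key []byte, id int, name, email, last4 string) (DonorRow, error) {
	emailEnc, err := EncryptField(key, "email", email)
	if err != nil {
		return DonorRow{}, err
	}
	last4Enc, err := EncryptField(key, "card_last4", last4)
	if err != nil {
		return DonorRow{}, err
	}
	return DonorRow{ID: id, DisplayName: name, EmailEnc: emailEnc, CardLast4Enc: last4Enc}, nil
}

func main() {
	key := make([]byte, 32) // constructed demo key; use a KMS-managed key in production
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	row, err := StoreDonor(key, 1, "J. Donor", "donor@example.org", "4242")
	if err != nil {
		panic(err)
	}
	fmt.Printf("stored row: %+v\n", row) // no plaintext email or card digits visible
	email, _ := DecryptField(key, "email", row.EmailEnc)
	fmt.Println("decrypted email:", email)
}
```

Because a dump of the table contains only the ciphertext columns, an attacker who copies the database or steals the laptop still needs the separately held key; binding the column name as associated data also stops a ciphertext being moved between fields to confuse the application.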
Our Managed IT and Security Services
Consolidated Technologies, Inc. offers nonprofits an affordable way to manage their IT services. We conduct security assessments to identify risks before they compromise your data. Then, we resolve issues or make suggestions for cybersecurity upgrades.
Our approach combines proactive monitoring with expert back-office IT management. Our software continually scans your network and devices for malfunctions and security issues, and we step in to resolve any problems immediately. We also offer mobile device management software, an excellent solution for small nonprofit organizations. Let us manage your IT environment so you can get back to doing what you do best. Reach out to us to learn more about our services and how we can help you safeguard your sensitive data.