How well does your nonprofit protect the privacy of donors, staffers, clients, and volunteers? It’s an important question because failure to protect personal data can expose your organization to costly lawsuits, regulatory fines, and reputational damage.
Initial assessment
There are two main types of risks associated with inadequately protected personal data. One is cybercriminals hacking your IT network and stealing data to perpetrate identity theft or other fraud. Another is dishonest employees or contractors having inappropriate access to data such as donors’ credit card numbers or colleagues’ HR records. At a minimum, you must protect against these threats. Depending on your mission, you may need to safeguard additional sensitive personal information.
Start by reviewing your current operating practices to understand how, where, and why personal data is collected, used, disclosed, and retained. A thorough review that includes HR and IT managers should highlight ways you may be putting information at risk. For example:
- Are you retaining unnecessary or outdated personal data?
- Are you adequately restricting access to confidential details, such as the financial information of supporters or medical records of patients (in the case of a health care charity)?
- Do you store both physical and digital data in a secure location and properly dispose of it when you should?
Answers to such questions can help you identify areas for improvement.
Enhanced efforts
Your organization needs robust cybersecurity software that you update as soon as new versions become available. You also need to educate staffers about phishing scams and other techniques fraudsters might use to gain entry to your network. To further enhance your privacy efforts:
Always use encryption. When collecting, storing, or transferring sensitive data, protect it in transit with HTTPS (TLS, rather than the obsolete SSL versions) and protect it at rest with encrypted storage, so that unauthorized parties cannot read it.
Collect only what you need. Many nonprofits capture more data with their various apps than they actually require. If, for instance, your analytics software retains extensive tracking data from website visitors, review the data to ensure such collection is necessary. If not, turn off that feature or use aggregated or anonymized data tools. Be sure to disclose what data you collect and enable visitors to opt out.
Properly destroy it. Establish a policy that outlines how long you’ll store certain data. The Privacy Management Framework of the American Institute of CPAs suggests keeping data only “for the time necessary to fulfill the stated purposes” of any agreement. Paper records should be shredded, and digital records should be “erased” or “wiped” using reliable software.
Develop a donor policy. Post a privacy policy prominently on your website and in solicitation materials that explicitly states you won’t sell or trade a donor’s personal information without their consent. Even in cases where it’s legal or acceptable to share donor lists, for the sake of trust and goodwill, offer supporters a simple method to opt out.
Take other steps. Your nonprofit may need to consult legal counsel to ensure compliance with state-specific and international data collection laws. And, depending on your nonprofit’s niche, you may be subject to other laws, as in the case of health care organizations and HIPAA.
Financial costs
The stakes couldn’t be higher. If your nonprofit is found to have irresponsibly handled private information, it could result in regulatory fines, litigation, and withdrawal of donor support.
© 2025