From collecting contact information to processing their payments, your nonprofit has access to much of its donors’ private data. Hackers and data breaches can cost nonprofits time, money, reputation, and even donors. Plus, organizations like yours have a legal obligation to be good stewards of donor data, including financial information. You must ensure compliance with various bodies providing oversight and donor protection.
Most importantly, nonprofits must maintain the trust that has been placed in them by donors—so protecting donor data is a critical mission for nonprofits. Here are four tips any nonprofit can use to safeguard against vulnerabilities.
1. Use a Robust CRM
A robust constituent relationship management (CRM) system will aggregate donor data, making it easy to derive insights that could influence your marketing and fundraising strategies. However, this also means it hosts vast amounts of donor information, including:
- Full name
- Date of birth
- Demographic information
- Payment details
- Contact information
- Engagement history
- Wealth indicators
Because a comprehensive CRM holds so much data, it’s a good place to start understanding basic security protocols and locking down your processes. Safe platforms use data encryption to store information, and your team can implement its own security measures by limiting access to the CRM.
Consider your payment processor, as well. CharityEngine recommends looking for a provider with PCI certification, which means “a third party has evaluated and tested the provider to ensure their security meets the highest standard possible.”
2. Implement Strong Access Controls
Beyond considering what data your nonprofit collects, it’s also important to note who can access that data. Anyone who can use your fundraising platform likely has access to donor data, as well.
Your CRM will allow you to set permissions, so controls can be placed over different sections and types of data. Limiting access to information such as bank account numbers can protect against that data being hacked or used without authorization. Data such as addresses or other demographic information should also be accessed only by those who need it.
Placing controls on data protects your donors, your team, and your nonprofit. There are two primary ways your nonprofit can limit access to sensitive information:
- Two-factor authentication (2FA): Two-factor authentication requires two different activities, or factors, to verify identity. It protects against external threats, such as cyberattacks, fraud, and unauthorized access to data.
- Role-based access controls (RBAC): Role-based access controls restrict access to data based on a person’s role within your team. This makes it easier for administrators to manage access by assigning roles rather than assigning individual access.
Regardless of which security protocols you implement, it’s important to periodically review access to donor data and adjust permissions as necessary. Set a schedule and ensure that access is as limited as possible, making it easy to manage.
3. Keep a Clean Donor Database
Let’s say your nonprofit has a donor named Susan Smith. Last year, Susan got married to Bob Brown and took his last name. Together, they continue donating to your organization.
In your database, how is Susan listed? Is there an entry for Susan Smith, Susan Brown, Mrs. Bob Brown, or all of the above? Furthermore, Susan’s marriage could lead to other changes in her data. Did Susan change her email address to reflect her new last name? If she and Bob moved into a new home after the wedding, her physical address may have changed.
In situations like this, your nonprofit could be working with outdated or incorrect information, leading to emails that bounce, direct mail sent to the wrong address, or even duplicated engagements, including fundraising appeals. Each scenario can compromise data security, waste resources and time, and lower the chance of a successful donation.
To avoid this, focus on data hygiene. Maintaining an accurate and updated donor database will minimize the risk of errors, duplicate records, and outdated information, all of which can compromise data security and lead to less desirable fundraising outcomes.
Best practices include:
- Regular data audits: Systematically review and analyze your data to ensure it’s complete and accurate. Audits will help you identify potential security breaches, ensure sensitive information is gated and permissions are appropriate, and maintain data integrity.
- Data entry standards: Establish guidelines for inputting data to ensure consistency, accuracy, and completeness of information. For example, 360MatchPro explains that this could include requiring phone numbers to be entered with parentheses around the area code or deciding on a uniform approach to abbreviating common words like “Road” to “Rd.” When data entry is standardized, the potential for errors that could cause security vulnerabilities is reduced.
- Automated tools: Software applications or programs that can perform tasks automatically take human error out of the picture. These help ensure consistency in security processes and allow for real-time monitoring and threat detection.
While the security benefits of a clean database are numerous, it also facilitates closer donor relationships through more accurate data-driven insights. You can use clean data to make informed fundraising decisions that appeal to donors and motivate them to give.
4. Train Staff on Data Security Practices
More team members interact with your donor data than you may think. For example, how many members of your marketing team have access to your CRM? Have you given access to external parties, such as a fundraising consultant?
While you continually monitor access to data, it’s also wise to conduct regular training sessions for your team. Training and preparing your staff is an excellent defense against any vulnerabilities.
For example, your staff should be prepared to:
- Identify phishing scams: Fraudulent emails designed to look like they’re coming from a reputable source are considered phishing scams. To avoid falling for the scam, staff should ignore emails asking for sensitive information without verifying it’s legitimate. They can hover over links and inspect email addresses for slight errors. Be sure they don’t click on links or open attachments, and always report phishing scams to the IT experts.
- Create secure passwords: Using complex, unique passwords for each account will help prevent unauthorized access. Passwords should be at least 10 to 12 characters long and avoid using personal information or common words. Instruct your team to use a phrase or a sentence and mix uppercase, lowercase, numbers, and symbols.
- Report security issues promptly: Notifying senior staff about any security issue, regardless of how small, will keep the problem from expanding in scope and severity. Have established protocols for reporting security concerns.
- Regularly update software: Keeping all operating systems and applications up to date means you will always have access to the latest security features. Your staff should enable automatic updates and regularly check for and install updates, on work devices and any personal device used for work.
Incorporate this training into any onboarding sessions or regular workshops your nonprofit hosts for team members. For example, while a team member learns how to navigate nonprofit fundraising software, they’ll need to know proper procedures for inputting, accessing, and analyzing data within the platform.
These security measures can be implemented immediately! But remember, it’s not enough to put measures into place unless you’re continually reviewing your data protection strategies and taking steps to keep data clean and secure. Constant attention will ensure security for your nonprofit as well as improved donor experiences, which will help increase engagement when your constituents see how hard you work to keep their data safe.
About the Author
Philip Schmitz
Phil Schmitz is the founder and CEO of CharityEngine, a complete fundraising platform powering some of the nation’s largest nonprofits and associations. Phil has developed patent-pending anti-fraud tools and industry-leading recurring payment technology that allows nonprofits to retain more sustainer revenue than the industry average; clients have raised nearly $5 billion using these tools. Phil’s passion for leveraging technology to empower nonprofits is supported by more than 20 years of experience in building successful technology and e-commerce companies.