Anytime an innovative technology rises to prominence, there is a feeling-out process while its positive aspects are weighed against the negative. Given that online data collection is still relatively new, data security can be considered to be in this exploratory stage. As unforeseen problems arise, we develop systems and rules to ensure the safe and responsible use of new technologies. With this in mind, fundraisers have been putting more emphasis on their nonprofit’s data security.
For example, as automobiles became more common, fatalities rose, and people were concerned that driving a car was hazardous. The real problem was not that cars were outright dangerous; rather, it was the lack of a comprehensive system to ensure drivers followed best practices on the road. This is what resulted in unsafe conditions and deaths. In response, we implemented speed limit laws and invented seatbelts. This ensured everyone could enjoy the benefits of the new technology while regulations and improvements minimized the risk.
Developing a Sense of Responsibility
Likewise, standards have been developed and adopted at the corporate and government levels that reduce harm and minimize risk to make the most of data collection. Implementing data security best practices now will limit the damage if a data breach occurs in the future. In the case of data security, you can think of the European General Data Protection Regulation as big data’s speed limit, and the following advice as your seatbelt.
- Identify your data use goals.
- Create a privacy statement.
- Determine the risk value of the data you collect.
- Use safeguards such as website security plugins and encryption to prevent a data breach.
- If any third parties can access your data, make sure they are keeping up with best practices as well.
Your Nonprofit’s Data Security and the GDPR
While the European Union’s GDPR has a bigger impact on organizations across the Atlantic, there are some serious ramifications for American nonprofit organizations with poor data security. Any organization or company with a web presence that markets its products, services, or fundraising outreach online to an international audience must be compliant with the GDPR.
If you’ve collected personal data from someone in the EU, your nonprofit’s data security policy needs to meet GDPR standards. This means you need to let users know how their data is being used, processed, and stored if your website tracks visitors with Google Analytics, collects email addresses, shows advertising, has user accounts, uses cookies, or collects donations through online payments from anyone in Europe.
That word “in” is emphasized for a reason. The GDPR only applies to users who are physically in Europe when their data is collected. Furthermore, the GDPR does not apply to generic marketing efforts, only to those that target a data subject in the EU. For example, if a French user finds their way to your site through Google, you are in the clear. However, if you engage in any targeted marketing (including email blasts) aimed at EU citizens, the GDPR will apply.
Some other factors that could subject your organization to GDPR regulations include accepting foreign currency and having your website accessible through a foreign domain suffix. So, if typing in the domain actiongraphicsnj.uk brought you to the Action Graphics website, we would be subject to GDPR.
In the Event of a Data Breach…
One of the most important provisions in the GDPR is the 72-hour data breach notification rule. In the event of a breach that results in the unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data, you will need to analyze whether the exposed information put the rights and freedoms of EU citizens at risk.
This includes data breaches such as the widespread exposure of email addresses and personal, medical, or financial information. If a breach affects EU citizens, you must report it to an EU regulator within 72 hours. You must also notify the affected data subjects in high-risk scenarios, such as the exposure of credit card information or account passwords.
That is about all the time I want to spend on GDPR, but if you want a more detailed breakdown of all its requirements in layman’s terms, Varonis Systems has provided a good overview of the law’s specific regulations.
Am I Following Data Security Best Practices?
You should ensure your nonprofit’s data security is up to par, regardless of whether you are required to comply with the GDPR. Though you may not face legal repercussions, following data security best practices helps your donors feel secure with their data in your hands and can limit the damage in the event of a breach.
It is especially important to keep up with your nonprofit’s data security, considering that many of your donors have probably created an account and donated online with a credit card. A large-scale data breach could put their financial information at risk.
Following our tips and the GDPR guidelines will not only protect your donors’ information. It will also let them know that your nonprofit’s data security is a priority. Remember when we said, “nonprofits that successfully build relationships with their donors find people want to work with them and are excited about their activities”? Trust helps build strong relationships. A robust data security policy can help establish that trust. Your nonprofit’s data security plays a part in forging meaningful relationships with your donors.