A Guide to Data Privacy for Nonprofits | Cornerstone Technologies

As a nonprofit, the trust of your supporters, donors, and clients relies heavily on how well you protect their personal information. Managing all this data comes with a responsibility to comply with privacy laws, which can feel overwhelming if you’re unsure where to start. This blog breaks down the compliance laws of data privacy for nonprofits and offers practical steps to ensure compliance with data privacy regulations. 

What Is Data Security for Nonprofits & Why It Matters

Data security for nonprofits involves protecting sensitive information, such as donor details, client health records, and even children’s data, from unauthorized access, misuse, or cybersecurity breaches. Beyond being an ethical duty, nonprofits must comply with legal requirements to safeguard this data throughout its lifecycle.

While large corporations may seem like the primary targets, nonprofits are equally vulnerable to cyber attacks. Limited resources can make you an easy mark, and a breach can result in fines, reputational damage, and loss of funding. But most importantly, data security for nonprofits is about trust. People expect their personal information to be protected, and it’s your organization’s responsibility to make sure it is.

5 Key Data Privacy Laws Nonprofits Must Follow

The first step in data security for nonprofits is learning about data privacy laws. Below are the most common laws that nonprofits must comply with:

1. General Data Protection Regulation (GDPR)

The GDPR is one of the most stringent data privacy laws globally. It is a regulation in the European Union (EU) law that governs how organizations collect, store, and process personal data.  Although the EU enacted it, any nonprofit that handles the personal data of EU residents must comply with this regulation, regardless of where the nonprofit is located. GDPR requires organizations to:

• Obtain clear consent before collecting personal data
• Allow individuals to access, correct, or delete their data
• Only collect the data they need
• Notify authorities within 72 hours of a data breach

Failure to comply with GDPR can result in substantial penalties, including fines that may be as high as 4% of a nonprofit’s global annual revenue or €20 million, whichever is greater. 

2. California Consumer Privacy Act (CCPA)

The CCPA grants California residents specific rights over their personal data, and nonprofits operating in California (or collecting data from California residents) must adhere to its provisions. This law applies to for-profit and nonprofit entities meeting specific criteria, including annual gross revenues over $25 million or collecting data on 50,000 or more consumers, households, or devices.

Key provisions of CCPA include:

• The right to know what data is collected about them
• The right to request deletion of their data
• The right to opt out of data sales

You must provide a privacy notice explaining these rights and your data collection practices. Failure to comply with the CCPA can result in fines of up to $7,500 per intentional violation and $2,500 per unintentional violation. 

3. Health Insurance Portability and Accountability Act (HIPAA)

If your nonprofit handles healthcare data, whether providing medical services, counseling, or health-related support, you must comply with HIPAA. This law governs the privacy and security of healthcare information and applies to healthcare providers, insurers, and organizations like nonprofits that handle personal health data.

HIPAA mandates:

• Strict security measures (physical, technical, and administrative safeguards) for storing and sharing health data
• Limited access to medical records
• Written agreements with third-party vendors handling health information
• Notification of individuals if their health data has been breached

Failure to comply with HIPAA can result in penalties ranging from $100 to $50,000 per violation, depending on the severity of the infraction. Repeated violations or negligence can lead to criminal charges and potential imprisonment, mainly if there is evidence of intentional misconduct. 

4. Children’s Online Privacy Protection Act (COPPA)

The COPPA is a U.S. federal law regulating how organizations collect, use, and disclose personal information from children under 13. It applies to all websites and online services (including mobile apps) directed to children or collecting information from them.

This law is particularly relevant if your nonprofit runs programs targeted at children or engages with children online. You must implement strict privacy practices if you target or collect data from children, including:

• Verifiable parental consent before collecting any personal data from children
• A clear privacy policy outlining your data collection practices and how you use the data
• The parent’s right to review and delete any personal information collected from their child

Failure to comply with COPPA can result in civil penalties of up to $50,120 - $53,088 per violation. Noncompliance can also lead to removing your nonprofit’s online services, disrupting programs that rely on child data, and potential legal action from parents. 

5. Controlling the Assault of Non-Solicited Pornography and Marketing Act (CAN-SPAM Act)

The CAN-SPAM Act is a U.S. law that regulates how organizations can send marketing emails to individuals, aiming to protect recipients from unsolicited or deceptive commercial emails.  While it was designed to reduce spam, it also applies to nonprofits that send email marketing for newsletters, fundraising, and communication with donors. 

Nonprofits must comply with these requirements:

• Email messages must clearly identify the sender and the purpose of the email.
• Recipients must be able to easily opt out of receiving future emails. The opt-out link must be functional and honored within 10 business days.
• The subject line must not be misleading and should accurately reflect the content of the email.
• Nonprofits cannot use deceptive methods to collect email addresses.

Violating the CAN-SPAM Act can result in fines of up to $53,088 per violation. Nonprofits may also face legal action from recipients who claim that they received unsolicited emails, even if those emails were from an organization with a legitimate cause

6 Best Practices for Strengthening Data Privacy for Nonprofits 

Now that we’ve covered the critical regulations, let’s explore six actionable steps and nonprofit strategies you can take to enhance nonprofit data management and maintain compliance with evolving data privacy nonprofit regulations:

1. Obtain Proper Consent

Before collecting personal data, obtain clear, documented consent to ensure data privacy for nonprofits. Here’s how you can secure data security for nonprofits:

• Be Transparent: Clearly explain what data you're collecting, why you need it, and how you will use it. Make this information easy to find or access on your website or forms.

• Use Clear Opt-In Methods: Avoid pre-checked boxes or vague consent language. Instead, use distinct, easy-to-understand checkboxes that require users to actively agree to your data collection terms.

• Specific Consent for Different Purposes: If you plan to use personal data for different purposes (e.g., marketing, newsletters, or fundraising), ask for consent separately for each purpose. 

• Offer Opt-Out Options: Supporters should be able to withdraw their consent at any time. Include easy-to-find opt-out buttons or links in emails and on your website.

• Document Consent: Store timestamps and documentation of how consent was obtained. This could be through consent forms or digital records in your database. You could also consider using consent management tools for tracking and compliance.

2. Practice Nonprofit Data Management

A well-documented nonprofit data management process ensures compliance and improves security. Here’s how to organize your nonprofit data management:

• Data Collection Policies: Identify and document all types of personal data your nonprofit collects. For example, if you collect donor information, health data, or financial records, classify and record the nature of each data type.
• Clear Data Flow Documentation: Document where data is collected, how it’s stored, who has access, and how it’s shared. A simple flowchart can be helpful.
• Data Retention and Disposal Policies: Establish guidelines for how long data is retained and when it should be deleted. 
• Third-Party Relationships: If your nonprofit shares data with third parties, such as email marketing platforms or cloud service providers, ensure you have documented agreements (Data Processing Agreements or DPAs) outlining how third parties will protect data.
• Regular Audits: Schedule periodic security checks to identify gaps and ensure compliance with data privacy laws.

3. Implement Data Access Controls

Limiting access is one of the simplest ways to improve online data security for nonprofits. Consider implementing the following: 

• Role-Based Access Control (RBAC): Assign permissions based on roles. For example, only finance staff should access donor financial data.
• Multi-Factor Authentication (MFA): Require an extra security step (e.g., a code sent to a phone) for system logins.
• Regular Access Reviews: Periodically review access permissions to ensure employees or volunteers still require access to specific data. If someone changes roles, immediately update their access rights.
• Temporary Access: If you hire temporary staff, ensure they have limited access to data and remove their access once their work is complete.

4. Encrypt Sensitive Data

Encryption ensures that even if data is intercepted, it remains unreadable to unauthorized users. Here’s how to encrypt sensitive data:

• Encrypt Data in Transit: Use HTTPS for websites and SSL/TLS for emails to protect data as it moves across networks.
• Encrypt Data at Rest: Encrypt any personal data stored on your servers, databases, or cloud storage. This makes the data unreadable to unauthorized users, even if they gain access to your storage systems.
• Secure Backups: Regularly back up your data and store backups in a secure location. If your system is compromised, encrypted backups ensure you can recover lost or corrupted data without exposing sensitive information.
• Limit Use of Physical Storage: Avoid storing sensitive data on physical devices such as USB drives or paper records. If physical storage is necessary, use locked cabinets and encrypted devices.

5. Train Employees on Data Security for Nonprofits

Your staff is one of your most valuable assets in maintaining data security for nonprofits. Conduct regular cybersecurity awareness training sessions for all employees, especially those handling personal data. Teach them about:

• Recognizing phishing emails and cybersecurity threats.
• Securely handling personal data (e.g., using strong passwords, enabling MFA).
• Proper data disposal methods to avoid leaks.
• Compliance with privacy laws and organizational policies.

6. Develop a Data Privacy for Nonprofits Policy

A written data privacy nonprofit policy sets guidelines for how your organization collects, stores, and protects data. This document should:

• Outline security measures and compliance steps.
• Explain how donors and clients can access or delete their data.
• Be reviewed and updated regularly to reflect changing regulations.
• Be easily accessible to staff and supporters for transparency.

Strengthen Data Security for Nonprofits with Cornerstone Technologies

Navigating data privacy laws doesn’t have to be daunting. At Cornerstone Technologies, we specialize in helping nonprofits develop and implement strong data security measures. From understanding complex data privacy regulations to streamlining your nonprofit data management processes, we’re here to guide you every step of the way.

Ready to protect your nonprofit’s data? Contact us today to learn how we can help ensure compliance, enhance security, and safeguard your organization’s future!