As reported by AssociationsNow, a recent study of nonprofits by the Nonprofit Technology Network (NTEN) found that, on average, nonprofits have 4.4 people on staff who are responsible for technology-related issues and 1.1 data-focused staffers per organization. NTEN reports that both these numbers are up from its previous year’s survey. NTEN also reported that 52.7 percent of respondents said they were keeping up with technology trends and maintaining stable tech standards and 64 percent said they included technology as part of their operating plans. You can download the study here.
While these results are generally encouraging and help nonprofits benchmark their IT and data-security programs, information privacy controls and data governance are conspicuously absent from the survey and discussion.
Nonprofits, large and small, often possess vast amounts of data, including personally identifiable information, credit card or billing information, donor records, marketing data, biometrics and data collected via mobile apps or social media. Some nonprofits even retain information about an individual's health and other sensitive data. When you include academic institutions and research facilities in this category, the risks become even more obvious. Countless universities are on the list of entities that have suffered a data breach over the last decade.
The fact is that preventing the types of high-profile security breaches referenced in the study, which continue to make headlines weekly (see this article), isn't simply a matter of investing in new technology or the latest data security software and hardware. Organizations should use technology strategically, make appropriate investments in both tools and staff, and integrate technology considerations into their management practices and internal processes.
But organizations must also integrate privacy considerations and responsible data governance into their management practices. That often isn’t the responsibility of the tech staff at a nonprofit who distribute the laptops, push out software updates or monitor the network. The marketing team that leverages the data is likely more focused on generating contributions, membership applications or other revenue.
Nonprofits, just like commercial enterprises, need to develop a comprehensive and strategic data management plan that includes a proactive analysis of privacy issues such as retention schedules, data minimization, notice, consent, access controls, access and accountability for data.
While most nonprofits may not have the ability to retain a dedicated chief privacy officer or privacy professional, it is critical today that even small entities identify someone in the organization who has the responsibility for information privacy. This is more critical for a global organization that transfers data across borders.
If you are a nonprofit, someone in your organization needs to consider the following questions:
- How much data about your donors, members, students and/or prospective members do you really need?
- How are you using that data, and is that use consistent with your donors’ expectations or the permissions you obtained at the point of collection?
- Are you honoring requests from members or donors about marketing and communications across different channels—mail, email, SMS, telemarketing, etc.?
All these issues impact your organization’s reputation, relationships and risk for a data security incident.
Thus, in addition to questions related to IT, I hope the next NTEN survey includes a question about privacy and data management. Or perhaps the IAPP or another organization should survey nonprofits to determine how they are managing not just security risks but privacy. We’d participate.