More IT Spending Is No Substitute for a Data Management Plan, Even for Nonprofits

As reported by AssociationsNow, a recent study of nonprofits by the Nonprofit Technology Network (NTEN) found that, on average, nonprofits have 4.4 people on staff who are responsible for technology-related issues and 1.1 data-focused staffers per organization. NTEN reports that both these numbers are up from its previous year’s survey. NTEN also reported that 52.7 percent of respondents said they were keeping up with technology trends and maintaining stable tech standards and 64 percent said they included technology as part of their operating plans. You can download the study here.

While these results are generally encouraging and help nonprofits benchmark their IT and data-security programs, information privacy controls and data governance are conspicuously absent from the survey and discussion.

Nonprofits, large and small, often possess vast amounts of data, including personally identifiable information, credit card or billing information, donor records, marketing data, biometrics and data collected via mobile apps or social media. Some nonprofits even retain information about an individual's health and other sensitive data. When you include academic institutions and research facilities in this category, the risks become even more obvious. Countless universities are on the list of entities that have suffered a data breach over the last decade.

The fact is, preventing the types of high-profile security breaches referenced in the study, which continue to make headlines weekly (see this article), isn't simply about investing in new technology or the latest in data security software and hardware. Organizations should use technology strategically, make appropriate investments in both tools and staff, and integrate technology considerations into their management practices and internal processes.

But organizations must also integrate privacy considerations and responsible data governance into their management practices. That often isn’t the responsibility of the tech staff at a nonprofit who distribute the laptops, push out software updates or monitor the network. The marketing team that leverages the data is likely more focused on generating contributions, membership applications or other revenue.

Nonprofits, just like commercial enterprises, need to develop a comprehensive and strategic data management plan that includes a proactive analysis of privacy issues such as retention schedules, data minimization, notice, consent, access controls, access and accountability for data.

While most nonprofits may not have the ability to retain a dedicated chief privacy officer or privacy professional, it is critical today that even small entities identify someone in the organization who has the responsibility for information privacy. This is more critical for a global organization that transfers data across borders.

If you are a nonprofit, someone in your organization needs to consider the following questions:

  • How much data about your donors, members, students and/or prospective members do you really need?
  • How are you using that data, and is that use consistent with your donors’ expectations or the permissions you obtained at the point of collection?
  • Are you honoring requests from members or donors about marketing and communications across different channels—mail, email, SMS, telemarketing, etc.?

All these issues impact your organization’s reputation, relationships and risk for a data security incident.

Thus, in addition to questions related to IT, I hope the next NTEN survey includes a question about privacy and data management. Or perhaps the IAPP or another organization should survey nonprofits to determine how they are managing not just security risks but privacy. We’d participate.

Written By

Marc Groman, CIPP/US

