The privacy profession has developed robust standards and practices, and much healthy attention is being paid to these privacy programs in the commercial and public sectors. In nonprofit organizations, there's also data of great value that merits the highest caliber of protection. But the multiplicity of standards, practices and documentation can be daunting for a nonprofit to consider taking on. When resources are already lean, and funding for compliance is scarce, how can a nonprofit run a top-notch privacy program?
It is misleading to think that, just because an organization cannot afford a corporate-caliber privacy program, such a program is not justified. Nonprofits are often stewards of extraordinary stores of the personal information of clients and very personal details concerning legal, financial and health services that they have sought. Just a few examples: information that reveals vulnerable financial status or immigration status, or that reveals the need for criminal defense support or reproductive assistance, the exposure of which would be extremely detrimental to clients who are already resource-challenged.
Market value is not the indicator of the true value of an organization’s data. This data is incredibly valuable to the clients themselves, hence it should be valuable to the nonprofit storing it. In addition, this information can be mined for actual value by identity and cyber thieves. This harm can also accrue to the nonprofit itself. In the nonprofit world, brand and reputation are critical for attracting clients, volunteers, board members, and funding. The public can be less forgiving of nonprofits that are perceived to have violated the public trust than of corporations that are known to be profit-seeking anyway. Sometimes, there is not a second chance for do-gooders in the way that there is for commercial entities.
Here's some advice on how to get a solid privacy program going without going bankrupt.
Make it easy
It’s entirely possible to create a scaled-down replica of a corporate privacy program. It can be just as sophisticated, but must be leaner and less burdensome for staff. The privacy office should be known for being first an open door and then a facilitator. For example, it’s important to maintain a privacy impact assessment form and an incident response form, which staff and partners should be filling out as the need arises. In reality, however, few nonprofit workers have the time or inclination to fill out such documentation, so instead, a friendly option is to invite colleagues for a chat in which they explain the issue and then fill out the form together. This is one way to convert what otherwise would be random emails and conversations into nice standard forms that accumulate as a repository of issues and incidents that have been addressed.
Make it short
There is no lack of resources for templates — for forms, policies, etc. — but nonetheless, many are often too long for nonprofit use. For example, I once trimmed down a 30+ page PIA template to 13 pages and was initially pleased, but over time, I realized that nobody used it … not even me. Finally, I worked it down to a 2-pager, front and back, with an easy-to-check chart instead of long-text answers. It’s become a simple guide for my interviews and sometimes, to my delight, even staff members fill it out. Another time, we paid for a HIPAA consultant and after his constructive risk assessment, he gave me a .zip file with tons of great templates. But the HIPAA Privacy and Security Policies template was over 200 pages – too long for our legal staff to review. We could have approved it and then shelved it, but I wanted a policy document that is actually used to guide our practices. So, I struggled with it until it was less than 30 pages long – each page relevant to our operations and workforce. Data mapping and data inventories are similarly important to any organization that works with PII, but they needn’t be heavy corporate affairs either.
Make it regular
A privacy committee is a simple way to convert people to stakeholders. Although nonprofit privacy officers will not have dedicated support staff, it’s still important to include others — not so much for the sake of having them help you with your work, but to ensure org-wide commitment to privacy. It may be important to shoulder one’s own workload and not burden others, but it’s critical to engage stakeholders and raise up privacy champions. True security arises when the entire organization is engaged. So, committee membership is a way to ensure that the privacy office listens to its stakeholders once a month and to give salient persons a voice. In turn, they can represent the privacy perspective within their own functions and groups.
Make it nonstop
Remember, talk is cheap. Emails, too! Time invested in regular security messages and on-point training can reduce data fiascos that randomly overwhelm your organization. There are so many cost-effective ways to message the workforce: from an old-fashioned bulletin board with quirky privacy cartoons, to regular email alerts or a newsletter, to an intranet blog. A company blog is a particularly good way to archive privacy bulletins and provide links to resources on identity theft, guidance on IT security, and common legal issues. Ultimately, a modest and consistent investment of time will save your nonprofit resources over time by minimizing disruptive, brand-damaging risks.
Every organization with PII should have an annual privacy training that covers its specific programs and operations, and explains to staff how to employ the privacy forms and processes. This is training that is educational in a high-level way, yet also compelling in a highly relevant way. However, data breaches and cybercrime have no pattern and require constant vigilance, so a smart nonprofit should not rely just on annual trainings. It’s valuable to push out news flashes, security trivia and stories when they are relevant. Messages that are immediately pertinent to the recipient are also more likely to be internalized. For example, tax identity theft was big in 2016, with new attack vectors and vulnerabilities, so rather than waiting for our summertime annual training, I wanted our nonprofit social workers to know that during tax season. If a staff member clicks on a malicious link, which disrupts systems, then right now is the best time to blast everyone else with some training on phishing, social engineering, and ransomware. When the Ashley Madison story broke, it had no relevance at all to our work, but I thought the news would be a great hook to promote the privacy program. I got great read rates on that email.
Make it pay for itself
Increasingly, grant applications are asking about client privacy and data security. Even if a grant does not explicitly ask these questions, nonprofit privacy officers can proactively offer information on how their organization takes client privacy and data security seriously. Take the initiative to impress funders and explain how the return on investment is absolutely worth it because this work decreases organizational risk. Grants can even be sought out to support privacy and security work. Ultimately, the value of the nonprofit privacy program is difficult to quantify, but great. It’s our job to convey such, from the big picture to all the nuances. I see signs everywhere that the rest of the world is catching up and beginning to understand that privacy is priceless.