2020 did not lack for headlines, but one topic was an unnamed undercurrent beneath it all: data privacy. Surprising? Consider these major events over the past year:
- Anti-vaxxers are worried that vaccine requirements will inspire new, digital passports that countries use to control their borders.
- Anti-terrorism task forces in Europe and the US have identified personal data as fodder for political extremism on social media channels.
- #DeleteFacebook trended among US nonprofits in response to concerns about rising white supremacy.
- Andrew Yang included “data dividends” in his presidential campaign platform while competing in the Democratic primary (Yang withdrew his candidacy on February 11, 2020; Biden secured the nomination on June 9, 2020. I agree it feels much longer ago.)
- CCPA legislation became enforceable, which empowers California residents to take back ownership of their personal data from tech companies.
- SHIELD legislation also became enforceable, for the first time putting the onus on organizations of any size to report breaches not only within their own data stores, but also at any third-party vendors they use.
- The above two pieces of legislation pushed the National Institute of Standards and Technology (NIST), a US government entity, to publish its first Privacy Framework (version 1.0, January 2020).
- UK GDPR went into effect on December 31, 2020.
And, oh yes, the global pandemic has led to more online activity than ever before, meaning a corresponding increase in the amount of digital data being generated. But how does all of this affect nonprofits? Let’s begin with the understanding that data privacy is both a legal and an ethical issue.
Ethical and Legal Concerns
Nonprofits’ ethical concerns are heightened because nonprofits often work with especially vulnerable populations who could experience serious harm should their identities become public. Financial information is sensitive for anyone. And don't forget to consider the impact on donors or employees if their personal phone number, email or home address were leaked. In a recent webinar, we shared an exercise to help you evaluate your nonprofit’s level of risk given the volume and type of information you collect.
Legal concerns are complex because the laws that apply to your nonprofit are not determined by where your organization is based, but rather where your audience is a resident and/or citizen. As is the case with fundraising regulations, the internet makes this difficult because your supporters, and frequently even your beneficiaries, could be based anywhere.
A Calculation of Risk
Privacy is also similar to charitable solicitation registration in that compliance is not a single check box but rather a calculation of risk. Both require effort, incur expenses, and are imperfect systems, but they also lay the groundwork for the many benefits that nonprofits receive because of their legal status and build public trust in the nonprofit sector. Two stats included in the 2020 PA clip for NIST's privacy framework particularly highlight public concerns about privacy:
While trust in your nonprofit organization is hopefully higher than in the private sector, a public data leak could flip this dynamic. A common obstacle faced by many nonprofits is that privacy compliance is more cultural than technical: GDPR and SHIELD provide mandates for the end result (data protection) but leave how to comply up to the organization. This means that volunteers and staff must be trained to think differently about personal information.
Which types of personal information are protected under data privacy laws?
Personally Identifiable Information (PII) is a term you’ll see a lot in privacy discussions. PII encompasses any data you have stored that, on its own or combined with other information, could be used to identify someone. Sound broad and vague? It is, and exactly what counts depends on how each law defines PII. It can include:
- A username in combination with a security question and answer that would permit access to an online account
- Photographs, voice recordings
- Union membership, political leaning, religious affiliation
- Sex, gender, sexual orientation, ethnicity, race
- School reports; medical information (for personal health information as it relates to HIPAA, Luxsci shares some great tips)
- Customer reference numbers; customer reviews
- Visitor logs (e.g. at historic sites, clinics, prisons)
How do we start becoming data privacy compliant?
Once you have identified which regulations and ethical concerns apply to your unique organization, you can begin a data privacy audit by following these steps:
- Make a list of all the types of personal information you have (e.g. phone numbers, logins, etc.).
- Define a valid reason for why you are storing each data type (if there is no valid reason, securely destroy it).
- Determine everywhere PII is being stored: use search functions on smartphones, computers (including archived files), and email folders to find personal information, just as you’d normally do when looking for a particular file. Think creatively. You might need to check external hard-drives, tablets, portable memory sticks, voice recordings, social media posts, security camera recordings, etc. Keep looking until you’re satisfied there’s nowhere else to look.
- Secure the data. (Our recent webinar also shares tips for securing your data.)
- Decide for how long it is appropriate to store the data.
- Enact a process for identifying and then securely destroying info that has outlived its purpose.
- Create a plan for how you will respond in the event of a data breach.
- Commit to building a data culture—similarly to how you approach diversity or accessibility—and to staying informed about legal changes.
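The "find everywhere PII is stored" and "destroy what has outlived its purpose" steps above are usually done with a search box and a calendar, but the mechanical part can be scripted. The following is an added example written for this post, not code from the original article or from any of the frameworks mentioned: it walks a small directory tree of constructed sample files (no real people), reports which files contain email addresses, phone numbers or US Social Security numbers, and flags any such file whose last-modified time is older than an assumed retention period. The regular expressions, file names and the two-year retention period are assumptions for illustration; a real audit would tune the patterns to the data types on your own inventory list and judge retention by the record date rather than the file timestamp.

```python
"""PII discovery and retention check over a constructed sample tree.

Added example for this post (not code from the original article). The
detection patterns, sample files and retention period are assumptions chosen
to illustrate the audit steps; adapt them to your own PII inventory.
"""
import os
import re
import tempfile
from datetime import datetime, timedelta
from typing import Dict, List

# Assumed patterns. Deliberately simple; tune them to what you actually hold.
PII_PATTERNS: Dict[str, re.Pattern] = {
    "email": re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b"),
    # North American phone numbers such as 555-123-4567 or (555) 123-4567
    "phone": re.compile(r"(?:\(\d{3}\)\s?|\b\d{3}[-.\s])\d{3}[-.\s]\d{4}\b"),
    # US Social Security numbers in the common dashed form
    "ssn": re.compile(r"\b\d{3}-\d{2}-\d{4}\b"),
}


def find_pii(text: str) -> Dict[str, List[str]]:
    """Return {pii_type: [matches]} for every pattern that hits in ``text``."""
    hits = {name: pat.findall(text) for name, pat in PII_PATTERNS.items()}
    return {name: found for name, found in hits.items() if found}


def audit_tree(root: str, retention_days: int) -> List[dict]:
    """Walk ``root`` and describe each file that holds PII.

    Each entry records the file, which PII types were found, how many hits,
    and whether the file's modification time is older than the retention
    period (a proxy for "has outlived its purpose").
    """
    now = datetime.now()
    retention = timedelta(days=retention_days)
    report = []
    for dirpath, _, filenames in os.walk(root):
        for fn in sorted(filenames):
            path = os.path.join(dirpath, fn)
            try:
                with open(path, encoding="utf-8") as fh:
                    text = fh.read()
            except (UnicodeDecodeError, OSError):
                continue  # binary or unreadable: leave for manual review, don't crash
            hits = find_pii(text)
            if not hits:
                continue
            age = now - datetime.fromtimestamp(os.path.getmtime(path))
            report.append({
                "file": os.path.relpath(path, root).replace(os.sep, "/"),
                "types": sorted(hits),
                "count": sum(len(v) for v in hits.values()),
                "past_retention": age > retention,
            })
    return report


def build_sample_tree() -> str:
    """Create a throwaway directory of constructed files (no real people)."""
    root = tempfile.mkdtemp(prefix="pii-audit-")
    samples = {
        "donors/list.csv": "name,email,phone\nA. Donor,a.donor@example.org,(555) 123-4567\n",
        "minutes/board-2020.txt": "Board approved the budget. No contact details here.\n",
        "archive/volunteers-2016.txt": "J. Volunteer SSN 123-45-6789 phone 555-987-6543\n",
    }
    for rel, body in samples.items():
        path = os.path.join(root, rel)
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "w", encoding="utf-8") as fh:
            fh.write(body)
    # A binary file that the scan must skip rather than crash on.
    with open(os.path.join(root, "logo.bin"), "wb") as fh:
        fh.write(b"\xff\xd8\xff\xe0\x00\x10")
    # Backdate the archived list by four years so it trips a two-year rule.
    old = (datetime.now() - timedelta(days=4 * 365)).timestamp()
    os.utime(os.path.join(root, "archive/volunteers-2016.txt"), (old, old))
    return root


if __name__ == "__main__":
    tree = build_sample_tree()
    for row in audit_tree(tree, retention_days=2 * 365):
        action = "DESTROY" if row["past_retention"] else "keep"
        print(f"{row['file']}: {', '.join(row['types'])} x{row['count']} [{action}]")
```

Run as-is, it reports the donor list (email and phone, keep) and the backdated volunteer list (phone and SSN, flagged for destruction) while ignoring the board minutes and the binary file. The skip on undecodable files matters: an audit script that dies on the first image or spreadsheet never finishes, and the items it never reached are exactly the ones nobody checks.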
Remember that data privacy compliance is a journey. Like maintaining a building, it will be achieved in fits and starts and need to be revisited periodically. But if your nonprofit has yet to even think about the topic, you are at significant risk.
Data privacy is a growing issue, not a vanishing one!