From program directors to development associates to executives, leaders in all areas must continually ensure that the information of their clients, donors, volunteers, patients, and community members is respected and protected. All staff at your organization should be aware of the types of information that may constitute data with privacy implications, which is information that could describe, be associated with, or be reasonably linked to the identity of an individual.
If compromised, personal data could lead to a breach of sensitive personal information and could put your organization at risk. Data breaches can also decrease public trust in your organization or incur significant legal repercussions. These effects—coupled with the fact that the most common risks to personal data arise from unintentional breaches—provide clear motivation to familiarize your team members with the types of data they maintain, and to consider how the information is guarded.
A critical component of how organizations collect and store data is a data management framework. This is a set of processes that outline how an organization deals with data in every iteration—from storage all the way to disposal. Data is just as dynamic as the individuals that it represents, and organizations should develop standard processes to ensure that all staff collect information using the same processes and with the same privacy safeguards in place.
Ultimately, many organizations may pursue a policy of data minimization, where they stop collecting any unused information. By minimizing excess data, an organization rids itself of sensitive information that, if exposed, could pose a risk to the individuals to whom it belongs.
Privacy legislation has been on the minds of social sector leaders for quite some time now. In 2018, the European Union (EU) passed its General Data Protection Regulation (GDPR), which tightened requirements for organizations operating in the EU that collect, hold, and maintain personally identifiable information (PII) and sensitive data. Affecting both for-profit and not-for-profit organizations, the GDPR established consent regulations that strengthen individuals’ rights to data privacy, including their right to be forgotten. Depending on where you operate and whom you serve, your organization could be subject to compliance with GDPR.
Even for those outside the EU, legislation may be coming upstream in the United States, where California’s newly passed California Consumer Privacy Act (CCPA) will grant residents the right to know whether for-profit entities collect their personal data and provide the opportunity to opt out of data collection. It remains to be seen how this could affect nonprofits, but as we know, changes in the commercial sector tend to make their way into the social good space. Constituents continue to increase their expectations surrounding data privacy, and the nonprofit sector must follow suit.