Data Privacy for Nonprofits: What to Do (and What to Absolutely Stop Doing)

Nonprofit Management

Share this article

Data Privacy for Nonprofits — Simple Tips, Strategies, and Best Practices

Back in the Internet’s infancy, we were all warned about not giving out our information to strangers on the Internet. Today, we give out ALL our information to strangers on the Internet, from what we ate for breakfast this morning to our DNA profiles. When I got my first email address, my mom warned me never to put anything personal or financial on the Internet. Today, she “likes” all my Instagram photos and I do the majority of my shopping online.

But, as we’ve all become accustomed to leading digital lives, there’s more data on the Internet… and more opportunities for that data to fall into the wrong hands.

How can you protect your donors from having their data compromised?

A few simple steps and best practices will help you keep your data safe — including your donors’. Here are some things you should start (or stop) doing.

1. Make sure your donation form is as secure as possible

Most donation forms are secure. But how secure a form is can vary from vendor to vendor. Double-check with your provider to ask about their PCI compliance, security protocols, and other measures they take to keep your information safe.

If you’re using a custom solution for your donation form (example: you’ve got your own merchant account and had someone build your form for you exclusively instead of using an online vendor), you have a little more work to do! Learn about whether or not you’re PCI compliant here, then take steps to lock up your donation process good and tight.

A quick note for Qgiv clients: if you’re wondering whether or not you’re PCI compliant, you are! We maintain the highest-possible level of PCI compliance, but, in case you have any questions or concerns at all, feel free to contact us for more information about how we keep your data secure.

2. Stop writing down your passwords

Writing down your passwords might not seem like a huge deal, but it’s a huge security risk.

Yeah, writing down passwords makes them easy for you to access them if you forget your login information. But it also makes it easy for someone else to access them, and their motives might not be as pure as yours.

Your donors entrust you with a lot of information about themselves. You get their addresses, phone numbers, email addresses, and, depending on other fields you may choose to include on your forms, even more information. Your CRM may include even more personal information, like estimated wealth and assets, family relationships, etc. If someone finds your passwords, they can easily access all that information.

Now, I know what you’re thinking. With today’s password requirements getting increasingly stringent (they all seem to require letters, numbers, capital letters, symbols, at least 8 characters, a secret handshake, and the blood of your first-born), it’s hard to keep track… especially when some sites require that you change your password on a regular basis. It’s especially difficult when you set up different passwords for each major service, which you should do. Remember, if someone can access, say, your Facebook account and you use your Facebook password on several other sites, they can get in there, too!

Luckily, there are plenty of services out there that can help you manage your passwords. I’m personally a fan of LastPass (I don’t get anything for recommending them, I just really like them). Google Chrome has a built-in passwords manager, too, as do a number of other services. The catch is, of course, that password managers have their own passwords that should be complicated (and not written down). But one password is easier to remember than the zillion different passwords you have!

3. Don’t Share Passwords

Sharing passwords is so easy that lots (and lots!) of people do it. And why not? Setting up a single login for your services (like your fundraising platform or CRM) and giving everyone the login information keeps things simple. Everyone knows how to get into the account, and, if you forget your password, you can just ask the lady in the next office over. It’s also easy to use the same password for every account you use (fundraising platform, CRM, Facebook, etc.) or to have everyone in the office use the same password for all their different accounts.

But the ease of sharing accounts and passwords is offset by the fact that doing so is a huge security risk. Why? Take a look at these scenarios:

– An unhappy employee leaves your office. You’ve deleted her user account from your services, but everyone has the same password… and she can log into anyone’s account.

– Someone’s managed to hack into your Facebook account. Because all your other passwords are the same as your Facebook’s password, they can easily access those accounts, too.

– Everyone shares a single login for one of your accounts. Along the way, someone’s made a major change to your forms… but you can’t tell who it was, because the logs aren’t useful when only 1 login is used office-wide.

I’m not throwing these examples out there to be a bummer — I promise! I’m throwing these out there because sharing accounts or re-using passwords is something we all do. It’s something we need to keep an eye on — myself included!

4. Double-check your software’s users and permissions

How often do you clean out or update user access and permissions for your different services? If the answer isn’t “super often,” you should make a point to do it more frequently.

If you watch King of the Hill (it’s one of my favorite shows), you’ll know why this is important. In one episode, a disgruntled former employee of Strickland Propane (where they sell propane and propane accessories!) takes over the store’s social media pages and slanders them all over the Internet. Because she had admin access to the page, she changed all the passwords and locked out other employees, so they couldn’t do anything to salvage their online reputation.

Go through your various services (online banking, bookkeeping, fundraising platforms, CRMs, blogs, social accounts, etc.) and remove any users who no longer work for your nonprofit. Hopefully, you never have an issue with a disgruntled employee going on a rampage and trying to ruin your reputation… but, just in case, this is an important step.

You can also add an additional layer of security by setting permissions for different users on different services. Using Qgiv as an example, you may choose to limit a volunteer’s access only to a form that includes the event they’re organizing. Or you might give your bookkeeper access to reports and statements for each of your forms but restrict them from making any changes to your donors’ accounts. Your designer might only need access to your various forms’ designs, but you don’t want them to be able to access your reports. Restricting people’s access to different tools might seem persnickety, but it’s a valuable exercise! This way, if your designer has their password compromised, your donors’ information is still safe because your designer couldn’t access their info in the first place.

5. Don’t write down donors’ payment information

Guys, I can not stress this enough. You should never ever, in any case, write down your donors’ payment information. That’s one of the simplest best practices you’ll see on this list, but you’d be amazed how frequently this comes up.

Pretend a donor calls you immediately after they receive your most recent appeal. They want to donate $1,000. Right now. On the phone. With their credit card.

What do you do?

The best way to handle this situation is to have a way to process their payment online. Depending on the fundraising platform you use, this feature may have a different name — at Qgiv, we call ours a “Virtual Terminal.” Instead of writing down your donor’s payment information, you can just pull up your terminal, type in their payment information, and process their gift. You can automatically send them their receipt, their donation is tracked (it’s so easy to lose donations in the shuffle if you write them down!), and it’s reflected in their giving history.

It’s also ideal to have a mobile version of your terminal or, at the very least, the capability to access a mobile-friendly version of your desktop terminal. That way, you’ll never have to worry about being caught unprepared at in-person meetings or if you’re on the go.

In today’s digital age, writing down a donor’s payment information is unnecessary and unwise… imagine someone finding your donor’s credit card information written down on a slip of paper on your desk or in the trash! No good.


As we live more and more of our lives online, data security is becoming increasingly important. And, while your organization might not be as big as Target or Home Depot or PlayStation, it’s important for you, too! Basic data security best practices are easy to implement, and most of the best practices don’t cost anything but a few seconds of your time. So take a few minutes to change your passwords, update users, and secure access to important accounts. It could save you a ton of trouble!

Share this

You might enjoy