
A Quick Check on Your Nonprofit’s Cybersecurity Measures

If you are a nonprofit organization collecting donations online, this article applies to you. Your organization may already follow the EU’s General Data Protection Regulation (as you should!), but new 2020 laws take these guidelines to another level to protect consumers and avoid data breaches.

There are two laws introduced in 2020: the California Consumer Privacy Act (CCPA) and the New York Stops Hacks and Improve Electronic Security Act (SHIELD). These acts protect the data of New York and California state residents, but it’s still important to get schooled on these best practices in the world of donor management, as you may have constituents who live there.

Research shows that over 90% of nonprofit organizations experience some form of website security incident, with almost half involving the loss of confidential information. These data breaches can cause as much harm to your organization as loss of funds, so getting your ducks in a row on cybersecurity will only help your organization avoid threats to your donor base, and ultimately strengthen trust.


What is the CCPA? 

The California Consumer Privacy Act was made with for-profit companies in mind. While it does not expressly affect nonprofit organizations, this Act is relevant depending on the size of your organization and if you work with for-profit entities. 

The Act grants “a consumer various rights with regard to personal information relating to that consumer that is held by a business, including the right to request a business to delete any personal information about the consumer collected by the business, and requires the business to comply with a verifiable consumer request to that effect, unless it is necessary for the business or service provider to maintain the customer’s personal information in order to carry out specified acts.”

The CCPA also stipulates that consumers must opt in to receive communications, and they reserve the right to opt out of communications at any time.

This essentially means that the consumer is in charge of their own data and can request a business to delete any personal information about the consumer. These guidelines uphold nonprofit values and good practices anyway!

While the CCPA and the SHIELD Acts were made with specific state guidelines in mind, these laws reach across state lines. Privacy recognition (including a privacy policy and respecting your constituents’ information) affects us all, and the simple rules of thumb below will help your organization assess what information you already have on hand, what you want to learn, and how you can use data to your advantage.


1. Do a Quick Inventory Check

Appoint a member of your team to stand guard as “Data Surveyor” (any title will do, but this has a certain je ne sais quoi about it, no?). Staying in compliance will require buy-in from everyone at your organization, but ensuring someone on your team is keeping up with evolving rules and regulations will help hold others accountable.

Begin by asking the following questions of your organization: 

  • What data do we collect about our supporters? (This could be email address, home address, communication preferences, etc.)
  • What do we do with it? 
  • Where do we store it?
  • Who do we share it with?
  • Who is responsible for it?
  • What do we do when we’re done with it?
  • Do the people whose data we collect know we have it?
  • Do they know what we do with it?
  • Does it identify them personally?
  • What do we do if they want their data back?


2. Protect What You've Got

You can’t lose data you don’t have! Consider your semi-regular contacts clean-out a mandatory endeavor, and put up barriers so your donor data isn’t open for the taking. Encrypt all communication to and from your website and protect your site with a trusted SSL (Secure Sockets Layer) certificate.


3. Respect Common Courtesy 

Start by asking your supporters for consent. Know the data you collect, where it lives, who you share it with, and above all, respect it. There’s no need to ask your supporters for extraneous information that you won’t use, or to bombard them on all platforms with ask after ask just because you have those communication tools. Create a balance and consider asking, “Would I want my information used in this way?”

Above all else, to stay in compliance, respect your donors and keep your constituents’ information safe.

