Looking Out For Your Donors: Answering Your Questions About Donor Privacy and Security
When it comes to personal privacy laws, the landscape has been in a state of flux over the past few decades. Historically, though, privacy laws have adapted slowly, while technology has changed quickly. That is now changing: the GDPR, or General Data Protection Regulation, the EU’s data privacy overhaul, has kick-started the trend, and now more countries, including the U.S., are picking up steam with their data privacy regulations.
When GDPR went into effect in 2018, nonprofit organizations in the EU were tasked with giving more power to their constituents. Not only did their constituents gain access to the data organizations collected from them, but they also needed to give their consent to store their data, while organizations were required to protect that data at all costs through implementing technical and administrative measures.
Whether it’s our U.K., Irish, or U.S. clients’ data, our goal is to always ensure our security protocols go above and beyond compliance. In our experience, this time of year means taking stock and self-auditing our technical stack, and making sure we are in compliance or taking steps to remain compliant.
Many nonprofit organizations struggle with staying compliant due to limited knowledge and resources to implement new technical controls, and failing to understand what processes and procedures will need to be added or changed. Overall, the challenge is threefold: technology is changing all the time, governments are swifter in coming up with and enacting new privacy legislation, and resources are limited for some of the smaller nonprofits and associations to move quickly.
CCPA (California Consumer Privacy Act) started its enforcement in 2020, and is just one example of this new privacy-oriented legislation. Organizations, once again, are having to adapt their information technology infrastructure to meet its requirements, as well as changing administrative processes to give donors and members a streamlined way to submit inquiries to organizations about their data.
This is just the beginning. More governments around the world are realizing that “old” privacy laws just don’t do enough to protect “our data” with today’s technology.
The safety of our clients’ donor data is critical, but what needs protection exactly? CCPA and GDPR relate to PII or Personally Identifiable Information, which is basically anything that could describe or identify a person. Biometric data, first and last names, and even email addresses in some cases can all be classified as PII.
While GDPR requires defining roles such as data processor, data controller, and data protection officer, CCPA has fewer personnel requirements; however, it has more technological requirements, like defining a path through which California residents can make requests regarding their data. Securing databases and other internal infrastructure is a good starting point, but protecting cloud resources and defining transmission protocols for both sending and receiving data are also necessary today, especially if you are working with third-party partners.
Organizations that work with fundraising partners, like Nexus Direct, and exchange data, should be careful with how and what data is shared. Important questions should be asked, such as:
– How will the data be handled?
– Who has access to it?
– Is the documentation about their systems up to date and will they openly share it?
– What are the security protocols for the transferring of data?
– What internal requirements are there for data files?
– Do you have a data destruction policy?
– How long will the data be stored?
For example, we require donor information to be securely delivered to us and give our clients the right tools to do that safely and securely. We send information back via encrypted methods only, and have measures in place to ensure data is destroyed in a timely manner.
We care about the data our clients trust us with, and we understand how important this is, not just to our clients but also to their donors or members. If you lack IT proficiency or a dedicated internal IT department, having a partner who is taking these extra steps could be a huge advantage to your security and privacy goals.
To talk more with our teams about GDPR, CCPA, IT security, or fundraising strategy, drop us a line. We’d be more than happy to start up a conversation. We love what we do and, in turn, we all love to talk about it. Stay tuned for our next tech blog — we have big, cloud-based plans for the rest of 2021.