Data Security for Nonprofits

Data security is an important part of creating data-driven organizations. If an organization is investing in collecting and utilizing more data it must also invest in protecting that data. Unlike some data initiatives, security practices are often invisible to your employees and end-users, and for that reason can be underutilized. This guide outlines some of the important data security practices that organizations should consider developing and deploying.

Last Updated On: April 14, 2022


A wise person once said to only collect what you can protect. As nonprofit and social impact organizations, we often have sensitive data about the individuals we interact with. This includes financial information about our donors, personal information about the people we serve (who are often already in vulnerable situations), and data about the people we employ. We must ensure that in our desire to collect and use the information we are not increasing the vulnerability of those we work with. 

In this Guide
  • How valuable is the data your organization holds
  • Types of risks and adverse actors
  • Best practices you can deploy today
  • Resources for going deeper in data security

Elements of Digital Security

To begin, what do we mean by Digital Security? In short, it is the protection of the digital assets that your organization maintains. There is real financial value in the digital assets of your organization. For example, a stolen credit card number sells for anywhere between $5 and $150 on the dark web. Take a minute and think about how much credit card data your organization has stored in its fundraising system.

It is not just financial information that is at risk. Sometimes, actors want access to information about those that you are serving for something other than financial gain. There’s the basic stolen identity stuff like social security numbers, addresses, and birth dates. Then there are more targeted goals, like governments trying to identify opposition actors or LGBT activists. If your organization works with individuals and populations that are marginalized or exploited you must consider that those doing the exploiting might value your data.

When it comes to digital security you must assume that someone is trying to take the valuable information you have — and that it is your job to thwart their efforts.

Best Practices to Get Started

The most common way that information is leaked is through people inadvertently giving an adverse actor access to your system. This happens through tactics like baiting, phishing, and scareware, where an adverse actor tricks an employee into giving up information that lets them access your data. It also happens when an adverse actor obtains passwords that were compromised elsewhere and reuses them on your system. So the first line of defense for your organization’s digital security is your people. Invest in password management apps that make it easy to create unique passwords for every login, and in two-factor authentication for your systems. Teach people throughout your organization how to identify when they might be the targets of these social engineering campaigns, and you will increase the security of your data.

The reality is that sometimes an intruder will gain access to your system. When that happens, it is important to identify the activity as quickly as possible. Cybersecurity tools from companies like Splunk or Datadog can identify these threats and help your team respond quickly and efficiently. If your system is compromised, it is important to communicate the breach as clearly and quickly as you can. You have been entrusted with people’s information, and if that information is compromised they have a right to know so that they can respond themselves.

The last best practice to get started with is a bit counterintuitive: it’s to destroy your data! If your organization is storing data it is no longer using, you should destroy that data. It’s a simple cost-benefit analysis. If you are no longer getting value from your data, it becomes a liability; it makes no sense to keep that information lying around! Create a policy and a practice for destroying data that is no longer being used. If you don’t want to destroy all of the information then destroy the identifiable aspects that have the highest risk associated with them.
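One way to put such a destruction practice into code, as an added example that is not part of the original guide: records unused for longer than a retention period are either dropped or stripped of their identifiable fields. The three-year period, the field names, and the sample donors are assumptions made for illustration.

```python
from datetime import date, timedelta

# Assumed policy values for illustration; take these from your own retention policy.
RETENTION = timedelta(days=3 * 365)
IDENTIFYING_FIELDS = {"donor_id", "name", "email", "address", "card_last4"}

def apply_retention(records, today, mode="strip"):
    """Return (kept, report). Records inactive for longer than RETENTION are
    dropped entirely (mode="drop") or stripped of identifying fields
    (mode="strip"); records still in use are returned unchanged."""
    if mode not in ("strip", "drop"):
        raise ValueError("mode must be 'strip' or 'drop'")
    kept, report = [], {"active": 0, "stripped": 0, "dropped": 0}
    for rec in records:
        last_used = date.fromisoformat(rec["last_activity"])
        if today - last_used <= RETENTION:
            kept.append(dict(rec))
            report["active"] += 1
        elif mode == "drop":
            report["dropped"] += 1
        else:
            # Keep only non-identifying fields and coarsen the date to a year,
            # so the remaining row is harder to link back to a person.
            slim = {k: v for k, v in rec.items()
                    if k not in IDENTIFYING_FIELDS and k != "last_activity"}
            slim["last_activity_year"] = last_used.year
            kept.append(slim)
            report["stripped"] += 1
    return kept, report

# Constructed sample data, not real donors.
SAMPLE = [
    {"donor_id": 1, "name": "A. Example", "email": "a@example.org",
     "address": "1 Sample St", "card_last4": "0000",
     "gift_total": 250, "last_activity": "2017-03-02"},
    {"donor_id": 2, "name": "B. Example", "email": "b@example.org",
     "address": "2 Sample St", "card_last4": "0000",
     "gift_total": 40, "last_activity": "2021-11-20"},
]

if __name__ == "__main__":
    kept, report = apply_retention(SAMPLE, today=date(2022, 4, 14))
    print(report)
    for row in kept:
        print(row)
```

Stripping fields in the live system does not touch backups, exports, or spreadsheets copied out earlier, so the same policy has to reach those copies as well.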

Going Deeper

As you go along your digital security journey, and if you hold larger amounts of sensitive information, there is more that can be done to ensure the safety and security of your data. For example, you can investigate whether your organization should pursue cyber liability insurance, invest in better tools for monitoring threats, or build out a team that is solely focused on ensuring the security of your data.


Your organization has been entrusted with sensitive and valuable data. It is your responsibility to protect that information. If you are investing in data collection and analytics, you also need to invest in protecting that information. Invest in your people. Invest in systems to help you identify and respond to threats. Invest in practices that help you limit the risks your organization faces.
