Wake up daily to our latest coverage of business done better, directly in your inbox.


Get your weekly dose of analysis on rising corporate activism.


The best of solutions journalism in the sustainability space, published monthly.

Select Newsletter

By signing up you agree to our privacy policy. You can opt out anytime.

Nithin Coca headshot

How Data Privacy Regulations Affect Nonprofits—And What They Can Do

By Nithin Coca


This article series is underwritten by Symantec and went through our normal editorial review process. 

Even organizations focused on public benefit regularly collect and store users’ personal information. This means that rules like the European Union’s General Data Protection Regulation (GDPR) apply to nonprofits and social good organizations as much as private-sector companies. In fact, nonprofits, philanthropic groups, and foundations are potentially exposed to even greater risk in the event of a data breach or theft, as the reputations they’ve painstakingly cultivated can be tarnished overnight.

That is exactly what happened in 2016 to the National Childbirth Trust, a United Kingdom-based charity that saw a data breach leak the sensitive information of more than 15,000 expectant parents. Closer to home, the Utah Food Bank was subject to a data breach that gave an unauthorized individual access to the nonprofit’s most important data asset—the personal information of more than 10,000 donors.

One of the biggest challenges is that many nonprofits, including those mentioned above, are small organizations that focus on issues outside of the digital space and lack dedicated cybersecurity staff. When the GDPR went into effect in May, nonprofits saw a flurry of action as they tried to ensure they were compliant.

Any organization with any members or donors in Europe must comply with the GDPR. Some organizations chose the path of least resistance—dropping their small European subscribers due to the high potential costs of compliance. Most, however, chose to comply even if they had limited European membership, for the simple reason that—as is the case in the private sector—data privacy is no longer optional.

“It is my perception that nonprofits are very interested in understanding [GDPR] requirements and complying,” said Meghan Hanson, deputy general counsel and chief compliance officer at Techsoup, an international network of NGOs that provides tech support for nonprofits.

Steps nonprofits can take to ensure user privacy

Each type of communication requires explicit consent under the GDPR, meaning organizations must give European users a chance to opt-in to email, phone, mobile or any other form of communication. The simplest step nonprofits can take to ensure their opt-in for email lists, petitions or other online tools is GDPR compliant, which often means adding an opt-in checkbox as compared to the more common opt-out box.


The system a nonprofit uses to collect and store user data—most often a customer resource management (CRM) tool such as Salesforce, CiviCRM or Engaging Markets—must be sufficiently privacy-protective, as well. To aid in this, TechSoup points users to a white paper that offers cybersecurity and privacy guidelines for nonprofits, released by Microsoft.

Another thing nonprofits can consider is Cyber Liability Insurance, which helps cover the often massive costs that accompany an unexpected data breach—including legal expenses, notification costs and even post-event good faith marketing campaigns. While an organization should always do all it can do to ensure data privacy and protection, there are often incidents outside the control of a nonprofit's staff, such as breaches at third-party vendors.

Encoding privacy as an organizational value

The key, as is often the case, is to encode privacy as a core value and consider it as a factor in any project. The TechSoup team has taken it upon themselves to be a model for GDPR compliance—and responsible data management and protection more broadly—in hopes of showing smaller nonprofits how it's done.


“TechSoup applies the GDPR principles to all of its personal data processing operations,” Hanson told us. “In particular, we endeavor to process personal data fairly and lawfully; only process personal data for specified and lawful purposes; hold relevant and accurate personal data and, where practical, keep it up to date; not keep personal data for longer than is necessary; keep personal data secure; and ensure that personal data is not transferred between partners or other organizations, or overseas, without adequate protection.”

In a future where data privacy and security is on the minds of consumers and regulators, nonprofits—which are often fighting for the rights of the vulnerable and looking to improve society—will have to practice what they preach.

Image credit: Raw Pixel via Unsplash 

Nithin Coca headshot

Nithin Coca is a freelance journalist who focuses on environmental, social, and economic issues around the world, with specific expertise in Southeast Asia.

Read more stories by Nithin Coca