As part of this series on data, fundraising, and donor privacy, you don’t want to miss these 5 Powerful Data Levers for Effective Fundraising.
For many nonprofits to achieve their fundraising goals and create powerful donor marketing, they must share data about their donors, and their giving, with their fundraising partners. Because this information contains PII (Personally Identifiable Information), and in some cases payment card or health-related data, the partners must protect it rigorously and satisfy compliance standards like SOC 2 (Type 2), PCI DSS, and HIPAA.
Here are the best practices for donor marketing data security when working with external fundraising partners like TrueSense Marketing.
Safely handling sensitive data starts with collecting only the data a campaign actually needs and not storing sensitive information unless absolutely required. Whether they receive data as a file upload (over SFTP or FTPS rather than plain FTP, which sends credentials and contents in the clear) or through an API call, your fundraising partners should ensure the data is encrypted in transit using strong, current protocols such as TLS. Once received, the data should be stored encrypted and segregated into separate databases according to the type of information it represents, so that, for example, payment details are not kept alongside contact records.
Where possible, your data should also be anonymized or pseudonymized, meaning the data points that could identify an individual donor are removed, or replaced with tokens that the recipient cannot reverse. The next step is to institute role-based access control (RBAC), so that each person can reach only the data and systems their role requires, and to require multi-factor authentication (MFA) for any access to sensitive data and critical systems.
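The following is an added example of the minimization, pseudonymization, and role-based release steps described above; it is illustrative code, not TrueSense Marketing's own tooling, and the role names, field policy, and donor record are constructed assumptions.

```python
import hmac
import hashlib

# Hypothetical per-role field policy (an assumption for this example, not a real
# TrueSense policy). Any field not listed for a role is never released to it.
#   "keep"   -> pass the value through unchanged
#   "token"  -> replace with a keyed HMAC pseudonym (stable across files, not
#               reversible by the recipient, who never sees the key)
#   "coarse" -> reduce precision (ZIP to its first three digits, gift to a band)
ROLE_POLICY = {
    "campaign_reporting": {"donor_id": "token", "gift_amount": "keep",
                           "gift_date": "keep", "zip": "coarse"},
    "audience_modeling":  {"donor_id": "token", "email": "token",
                           "zip": "coarse", "gift_amount": "coarse",
                           "gift_date": "keep"},
    "mail_house":         {"donor_id": "token", "name": "keep",
                           "street": "keep", "zip": "keep"},
}

def pseudonymize(value: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 pseudonym. The same input always yields the same
    token, so joins across files still work, but without the key a recipient
    cannot reverse it or guess-and-check common values such as email addresses
    (a plain SHA-256 of an email would be trivially brute-forced)."""
    normalized = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:32]

def coarsen(field: str, value):
    """Reduce precision so a value describes a group rather than one donor."""
    if field == "zip":
        return str(value)[:3] + "XX"
    if field == "gift_amount":
        amount = float(value)
        if amount < 50:
            return "<50"
        if amount < 250:
            return "50-249"
        if amount < 1000:
            return "250-999"
        return "1000+"
    return value

def release_record(record: dict, role: str, key: bytes) -> dict:
    """Build the view of a donor record that a given partner role may receive.
    Unknown roles get nothing (default deny); fields absent from the role's
    policy are dropped rather than passed through."""
    policy = ROLE_POLICY.get(role)
    if policy is None:
        raise PermissionError(f"no data policy defined for role {role!r}")
    released = {}
    for field, treatment in policy.items():
        if field not in record:
            continue
        value = record[field]
        if treatment == "keep":
            released[field] = value
        elif treatment == "token":
            released[field] = pseudonymize(str(value), key)
        elif treatment == "coarse":
            released[field] = coarsen(field, value)
    return released

# Constructed sample donor record (fictional values for this example only).
# Note the fields no role is allowed to see: phone and the free-text note.
SAMPLE_DONOR = {
    "donor_id": "D-000417",
    "name": "Pat Example",
    "email": "Pat.Example@example.org",
    "street": "12 Sample St",
    "zip": "15212",
    "phone": "412-555-0100",
    "gift_amount": 125.00,
    "gift_date": "2024-03-14",
    "note": "called about a hospital stay",   # never released to any role
}

# The key would normally live in a secrets manager; hard-coded here only so the
# example runs stand-alone.
DEMO_KEY = b"replace-with-a-secret-from-your-vault"

if __name__ == "__main__":
    for role in ROLE_POLICY:
        print(role, release_record(SAMPLE_DONOR, role, DEMO_KEY))
```

The useful property to check is that the same donor produces the same token for every role and every file (so the partner can still join reports), while the raw email, phone, and note never leave the nonprofit for the modeling or reporting roles, and a role nobody defined receives nothing at all.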
Donor and gift data can be processed in different ways, including campaign reporting, campaign selection, and audience modeling. All of this processing must happen on secure, compliant systems, which is why we regularly update and patch those systems to close known vulnerabilities.
At TrueSense, we maintain detailed access logs and monitor them for unauthorized access or unusual activity and have implemented automated, AI-powered alerting systems for real-time monitoring.
TrueSense requires all employees to take monthly security training review courses and HIPAA training every other year. Employees have access only to the data necessary for their roles, and we review those access rights regularly. Documented data-handling policies are monitored and enforced.
As part of our compliance efforts, we’ve established a robust Incident Response Plan to address potential data breaches. We regularly update that plan, which includes steps for immediate containment, investigation, notification, and remediation.
To ensure compliance with SOC 2, PCI DSS, and HIPAA standards, we conduct regular third-party audits and assessments to identify gaps and address them promptly. Our data centers comply with industry standards for physical security, including biometric access controls and surveillance.
Workstations are protected by numerous security measures, including endpoint protection, secure configurations, and regular updates. Our internal compliance team ensures that third-party vendors comply with relevant security standards and conducts regular reviews and audits of their security practices.
Protecting your precious donor data requires diligence, rigor, and unfailing attention to detail. It’s a heavy lift but one that cannot be skipped or even lightened.
In this increasingly dangerous world, where privacy and data integrity are regularly threatened, it is more important than ever for nonprofits to protect their donors’ critical information. Ensuring its security is vital to maintaining the trust donors place in us all to steward their support wisely, conscientiously, and effectively.