On Friday June 24, 2022, the Supreme Court overturned the landmark Roe v. Wade ruling, ending nearly 50 years of safe, constitutionally-protected access to abortion. While the fallout from Roe v. Wade being overturned is still unfolding, members of Seer’s Analytics & Insights (A&I), Community Impact, Paid, and SEO divisions put their heads together to share some best practices for organizations to follow in the weeks and (potentially) years ahead to protect sensitive personally identifiable information (PII).
PII is user information that can be directly or indirectly (when connected with other data) used to identify a person. Organizations owe it to donors and volunteers to protect their PII.
We understand that this can feel somewhat overwhelming and you may not know where to start. But don’t worry! We’ll walk you through it. At Seer, we owe it to our non-profit organization partners to use our knowledge and help you protect your donors and volunteers.
Presently, many nonprofit organizations are still navigating what the overturning of Roe v. Wade means for them on multiple levels. While laws may vary from state to state, the role of activism, volunteering, and offering financial support to institutions that continue to fight for bodily autonomy will be more crucial than ever.
With that in mind, here are 10 ways organizations can protect sensitive personal data for donors, volunteers, and the people they serve:
Whether you’re a CEO, manager, or volunteer with an organization, everyone uses email. For nonprofits, a well-thought email campaign is a powerful tool for reaching donors and prospective volunteers.
However, with great power comes great responsibility. You’ll want to make sure that subscribers (and those that have unsubscribed) have their email addresses protected, and also be sure that donor information (including names, home or business addresses, emails, IP addresses, and credit card info) isn’t leaked online.
To preserve confidentiality and PII when using email:
Make sure your emails are encrypted. Your IT team can help you set up proper protocols. Email clients like Gmail and Outlook will show you the level of encryption (for both sender and receiver).
For instance, in Gmail, look for a “lock” icon in the “recipients” dropdown. There are different levels of encryption depending on the color of a lock icon.
If you plan to use an email client, look into their policies around data security and privacy.
For instance, MailChimp has robust documentation on how they protect information for all users. Do some research on email clients and investigate their policies to make an informed choice.
Truly sensitive information (such as credit card info or other forms of PII) should never be shared in an email in the first place. Rather, it should be submitted via an encrypted form.
Safeguarding PII isn’t just an issue for your organization’s IT department. It’s the responsibility of everyone involved – from the front office to the front lines. Establish clear policies to help safeguard information and convey this during any onboarding process.
To ensure administrative best practices for handling access to data:
If someone doesn’t need access to relevant data, don’t give it to them. That includes the CEO.
PII and pertinent data should only be shared with those who are directly involved on a need-to-know basis to prevent leaks.
Make sure that person understands the technology used by your organization and is responsible for change management. This could be multiple people, if you have a large team.
6 – Don’t store passwords or API keys on your computer. Use a password management app instead.
If you’re sharing passwords to access online resources across a large organization, you may leave yourself vulnerable to that information falling into the wrong hands.
An enterprise-level password management app (like LastPass, for example) can be used to encrypt passwords and make it easy to grant or revoke permissions to the right people at the right time.
A password management app can also negate the need to remember passwords and discourage sharing them via less secure channels like email, text, instant message, on your computer, etc.
If possible, create groups for roles, departments, and roles within departments to avoid adding anyone’s individual email to distribution lists. Adding an email address to a group makes it easier to revoke access: simply delete the person from the group and their permissions are revoked everywhere.
Additionally, if your budget allows, consider issuing secure laptops for company use only and leverage remote management of team computers. This lets you disable a computer and its permissions when a person leaves, and push security patches to the whole fleet of laptops as needed.
Making sure email communications are encrypted and free from sensitive, confidential information is crucial to keeping donor and/or volunteer information safe. Additionally, work with your IT team or network administrator to inform those in your administration about best practices and to put protocols for data usage in place at the administrative level.
To safeguard sensitive PII from accidentally getting leaked online:
It may be tempting to keep old donor information languishing in your database in case you want to reach back out at a later date to gauge interest. However, avoid storing personally identifiable information except when absolutely necessary.
Work with your administrative and/or IT team to develop policies around a reasonable timeframe to purge old donor and volunteer information, and what constitutes proper PII usage.
Make it a policy to protect the information of these individuals, as well as anyone who may have unsubscribed from your organization’s communications.
If you use forms to capture donor information and process payments, PII can accidentally end up in your Google Analytics (GA) data via URL query strings (for example, when a form submits field values as URL parameters). This can be prevented by encrypting forms and the request values that may contain sensitive PII, rather than passing them in the URL.
Chat with your IT or web team to be sure this is not happening and to stay on top of scrubbing PII from URLs to protect donor and/or volunteer data.
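One way to catch the URL leak described above on the client side, as an added example that is not from the original post or from Seer: redact PII-looking query parameters from the page URL before it is reported to an analytics tool, and record which parameters were hit so the web team can find the form that is leaking. The parameter names, the digit-run heuristic and the placeholder measurement ID are assumptions.

```javascript
// Added example (not from the original post). Parameter names below are an assumption
// about what a donation form might put in the query string; adjust them to your own forms.
const PII_PARAM_NAMES = new Set([
  "email", "name", "first_name", "last_name", "phone", "address", "zip",
  "card", "cc", "ssn",
]);
const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;

// True when either the parameter name is a known PII field or the value itself
// looks like an email, phone or card number. The digit-run check is a heuristic:
// it can flag long numeric IDs too, but over-redacting is the safe failure mode.
function looksLikePii(name, value) {
  if (PII_PARAM_NAMES.has(name.toLowerCase())) return true;
  const v = value.trim();
  if (EMAIL_RE.test(v)) return true;
  const digits = v.replace(/[\s().-]/g, "");
  return /^\+?\d{10,19}$/.test(digits);
}

// Returns the scrubbed URL plus the names of the parameters that were redacted,
// so the redaction count can be logged and the offending form tracked down.
function scrubPiiFromUrl(rawUrl) {
  const url = new URL(rawUrl);
  const params = url.searchParams;
  const redactedParams = [];
  // Snapshot the entries first: mutating while iterating is undefined behaviour.
  for (const [name, value] of Array.from(params.entries())) {
    if (looksLikePii(name, value)) {
      params.set(name, "REDACTED");
      redactedParams.push(name);
    }
  }
  return { url: url.toString(), redactedParams };
}

// Usage in a page (assumption: gtag.js is loaded; G-XXXXXXX is a placeholder ID):
// const scrubbed = scrubPiiFromUrl(window.location.href);
// gtag("config", "G-XXXXXXX", { page_location: scrubbed.url });
// if (scrubbed.redactedParams.length) console.warn("PII in URL:", scrubbed.redactedParams);
```

Client-side scrubbing is a safety net, not a substitute for fixing the form so that sensitive fields are never placed in the URL in the first place.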
For pro-bono and nonprofit organizations, having a team of individuals with a background in Analytics and proper data storage will be mission-critical in staying up-to-date on the protocols and legalities associated with keeping donor data safe.
There are a few ways to help fill that void.
Google offers free courses via Skillshop to help you learn about Google Analytics 4 (GA4) and put those skills into practice for your organization.
If you’re pressed for time and still not confident in your Analytics and data privacy capabilities, look to organizations like CatchAFire.org, which matches nonprofits to passionate, qualified professionals with expertise in a variety of areas – from copywriting to marketing to analytics. Consider setting up a profile and interviewing interested volunteers who may be able to lend a hand or are willing to conduct training with members of your team.
In addition to the right to choose, people also have a right to privacy for fear of their personal views and causes they support being used to discriminate against them. Donors have an expectation of privacy when financially supporting an organization that aligns with their personal views, without fear of retaliation if their deeply-held beliefs don’t align with those of their employer – or even family members.
Like many across the US, the Seer team will be keeping a close eye on how the rollback of Roe v. Wade may impact human rights, as well as technology and data privacy.
To stay in the loop, keep reading about privacy’s impact on digital marketing.