10 Tips for Creating a Data Security Plan for Your Foundation

Tip Sheet

Nonprofits are not immune from the issues of data security—both malicious and accidental—that plague today’s businesses. Because most charitable organizations have small teams who wear multiple hats, nonprofits can find themselves struggling with data security more than traditional for-profit organizations. For a grantmaker, that struggle can put both you and your grantees at risk.

There is a real and ongoing threat of a cybersecurity hack—there is an attempt every 39 seconds. If you don’t have a plan in place, that can leave your team scrambling to protect your organization and the organizations you support when there is an issue. Grantmakers need to create proactive data security processes that put the grantee at the center of the conversation for when—not if—an incident happens.

Put Grantees at the Center of Your Data Security Plan

1. Be clear with grantees how their data will be used and shared.

Your grantees know best what risks they face and which information carries the most risk for their organization. Give them opportunities to identify sensitive information and determine how best to respond to the risk.
2. Check in with your grantees at various stages in the process.

As situations locally and around the world change, so might your grantees’ comfort level with sharing information. Also, be mindful of the power dynamics between grantees and funders. Make sure your grantees feel like they can say “no” to sharing and not have it affect the relationship.
3. Once you have your grantees’ preferences, follow through.

Check areas of your database to make sure all information is correctly housed—especially the grant descriptions. Sensitive or identifiable information can often be included in those detail-heavy content blocks.
Assess the Risks from the Grantee Data You Have

4. Identify the type of information you have, where it is housed, and how sensitive it is.

Create a system that not only categorizes data by type and sensitivity, but also is flexible enough to respond to a specific grantee’s requests. One organization may be happy to share its address, but another might have struggled with violent threats in the past and wants to keep that information private.
5. Define the nature of the risk should sensitive information be stolen or accidentally made public.

Any risk to an individual’s safety—including the grantee’s staff, the funder’s staff, or individuals in the community—is the most important. But also consider reputational risk and the risk that a grantee may not be able to execute on a funded project.
6. Review your processes around different levels of data.

Make sure you have policies in place for how you handle sensitive data and how the data is shared. For example, are you using secure FTP sites to transfer non-public information?
7. Delete old or unnecessary data.

Have a data retention policy so you know what you need to keep and you don’t hold on to any data you don’t need. The less data you have, the fewer opportunities for problems.
Have a Data Security Plan Before You Need It

8. Know what you need to do to keep grantees safe in different situations.

In addition to your process for storing and managing sensitive information, create a plan for what you need to do if a grantee decides certain information poses a risk. For example, will you suppress that information temporarily or remove it completely from your system? Decide ahead of time what the steps are to do that and how your grant management system can help.
9. Decide who needs to be involved in the response to an incident and what their role will be.

The response team should include your IT and technology team as well as your leadership and communications team. Identify how your program staff and customer support team are kept informed so they can answer any direct questions from stakeholders.
10. Understand how your vendors manage data and keep track of where data has been shared externally.

What was good to share yesterday may not be okay to share tomorrow. How can you pull back information that is now sensitive? It’s also good to read through your third-party vendors’ policies so you know what will happen if there is an incident on their side—and be able to quickly deal with it on your side.
Be Transparent with Your Processes

For funders, transparency with all stakeholders should be the default. But having information on your grantees carries risks to both you and the organizations you fund. Best practices around data security evolve constantly, often leaving small nonprofits struggling to keep up. Ask your grantees if they need support with data security and share templated policies and resources to help them stay secure.

Learn how Blackbaud can level up your team.