Donor information is among your most sensitive data. Names, contact information, giving history, payment information, and personal details can, in the wrong hands, harm donors and damage your organization's reputation. Donors have also come to expect privacy, and data breaches exposing donor information have become major nonprofit scandals. Protecting donor privacy is both a legal obligation and an ethical commitment. This article addresses what information you collect and why, how to store it securely, and what you owe donors regarding their data.
The legal framework varies based on donor location and the information you collect. GDPR applies if you have European donors. State privacy laws apply based on where donors live. Payment processing regulations apply if you handle credit cards. Additionally, donors have ethical expectations about privacy that go beyond legal minimums. This article focuses on both legal compliance and ethical data stewardship.
What Data to Collect: Only Collect What You Need
The first question isn't how to protect donor data; it's what data you should collect. The principle of data minimization (collect only the information you actually need) is your first line of defense. Data you never collect cannot be breached and does not need to be protected.
For donations, what do you actually need? Name, email or mailing address, and amount given. That's the minimum for acknowledging a gift and issuing a tax receipt. Do you need a phone number? Only if you plan to contact donors by phone. Do you need their employer or occupation? Only if you want that information for prospect research. Don't collect it "just in case." Each data element you collect increases your responsibility and risk.
For recurring donations, do you need to store credit card information? Ideally no. Use a payment processor that stores and manages credit card information. You receive confirmations but don't store the cards themselves. This removes your responsibility for credit card security (a major compliance burden) and transfers it to a processor with more resources for security.
For major donors, you might collect additional information (employment, giving interests, wealth indicators). Store this separately from payment information. Use different systems with different access controls. Your major donor information shouldn't be as accessible as your general donor database.
Storing Donor Data Securely: Managing Access and Encryption
Once you collect donor data, you're responsible for protecting it. This means controlling access (who can see it), encrypting it (making it unreadable if stolen), and securing the systems it's stored in. Security isn't perfect, but reasonable precautions are essential.
Use secure cloud-based donor management systems. Purpose-built fundraising databases (DonorPerfect, Bloomerang, Salesforce) include security features that most nonprofits can't build themselves. They handle encryption, access controls, and backups. Using a secure system is often easier and better than building your own. Don't store donor information in spreadsheets on shared drives; use a proper system with access controls.
Limit access to donor information. Not every staff member needs access to all donor data. Program staff might need to know who funded their program, but they don't need full donor contact information. Finance staff might need donation amounts, but not wealth-indicator information. Implement role-based access: different staff get access to different data based on job role. Regularly review and remove access when staff leave or change roles.
Encrypt sensitive data both at rest and in transit. At rest means the data is encrypted where it is stored, on the system's disks and in its backups; in transit means it is encrypted on the network between your staff and the system. When staff access your donor database remotely, the connection should be encrypted (look for "https://" in the URL, which shows that the connection is encrypted, though not that the stored data is). If staff email donor information, use secure email or don't email sensitive data at all.
Don't store sensitive data on individual computers or removable drives. A laptop with unencrypted donor data that gets stolen creates a breach. Instead, use cloud systems with proper security. If staff must download reports containing donor data, delete them when done. Don't keep copies lying around.
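The two ideas above, collecting only fields that a stated purpose justifies and giving each staff role a field-level view of what is stored, can be enforced in code rather than left to habit. The following Python is an added illustration for this article, not code from the article or from any donor-management product it names; the purposes, role names, field names and the sample form submission are assumptions chosen to match the article's examples (program staff see who funded their program but no contact details, finance sees amounts but no wealth indicators, and prospect-research data lives in a separate store with its own access list).

```python
"""Data minimization at intake and role-based, field-level access to donor records.
Added illustration for this article; purposes, roles and field names are assumptions,
not the schema of any donor-management product."""
from dataclasses import dataclass

# Fields a donation form may keep, keyed by the purpose that justifies collecting them.
# A field with no justifying purpose is dropped before anything is stored.
FIELDS_BY_PURPOSE = {
    "receipt": {"name", "email", "mailing_address", "amount", "date", "program"},
    "phone_followup": {"phone"},
    "prospect_research": {"employer", "occupation", "wealth_indicator"},
}

# Prospect-research data goes to a separate store with its own, shorter access list.
SENSITIVE_FIELDS = FIELDS_BY_PURPOSE["prospect_research"]
SENSITIVE_STORE_ROLES = {"development"}

# What each role may read from the general donor database (assumed role names).
ROLE_VIEWS = {
    "program": {"name", "amount", "program"},   # who funded my program; no contact details
    "finance": {"name", "amount", "date"},      # amounts to reconcile; no wealth data
    "development": {"name", "email", "mailing_address", "phone", "amount", "date", "program"},
}


@dataclass
class StaffMember:
    username: str
    role: str
    active: bool = True   # set to False when the person leaves or changes role


def minimize(submitted: dict, purposes: set) -> tuple:
    """Split a form submission into (general_record, sensitive_record),
    keeping only fields justified by the stated purposes."""
    unknown = set(purposes) - set(FIELDS_BY_PURPOSE)
    if unknown:
        raise ValueError(f"no collection policy for purposes {sorted(unknown)}")
    allowed = set().union(*(FIELDS_BY_PURPOSE[p] for p in purposes))
    general = {k: v for k, v in submitted.items() if k in allowed and k not in SENSITIVE_FIELDS}
    sensitive = {k: v for k, v in submitted.items() if k in allowed and k in SENSITIVE_FIELDS}
    return general, sensitive


def view_general(record: dict, who: StaffMember) -> dict:
    """Return only the fields the staff member's role permits."""
    if not who.active:
        raise PermissionError(f"{who.username} is no longer active")
    permitted = ROLE_VIEWS.get(who.role, set())
    return {k: v for k, v in record.items() if k in permitted}


def view_sensitive(record: dict, who: StaffMember) -> dict:
    """The major-donor store is reachable only by roles on its own access list."""
    if not who.active or who.role not in SENSITIVE_STORE_ROLES:
        raise PermissionError(f"{who.username} ({who.role}) may not open the major-donor store")
    return dict(record)


def access_review(staff: list, departed: set) -> list:
    """Periodic review: deactivate accounts of people who have left. Returns who was revoked."""
    revoked = []
    for member in staff:
        if member.username in departed and member.active:
            member.active = False
            revoked.append(member.username)
    return revoked


# Constructed sample form post (not a real donor), including a field no purpose justifies.
SUBMISSION = {
    "name": "Ada Donor", "email": "ada@example.org", "mailing_address": "1 Main St",
    "amount": 250.0, "date": "2024-03-01", "program": "Literacy",
    "phone": "555-0100", "employer": "Example Corp", "wealth_indicator": "high",
    "date_of_birth": "1970-01-01",   # never justified here, so never stored
}

if __name__ == "__main__":
    general, sensitive = minimize(SUBMISSION, {"receipt", "prospect_research"})
    print("general store:", general)
    print("major-donor store:", sensitive)
    staff = [StaffMember("pat", "program"), StaffMember("fin", "finance"),
             StaffMember("dev", "development")]
    for member in staff:
        print(member.role, "sees", view_general(general, member))
    print("revoked after review:", access_review(staff, {"dev"}))
```

The filtering happens twice on purpose: once at intake, so that unjustified fields (the phone number when no phone follow-up is planned, the date of birth) are never written anywhere, and again at read time, so that a role sees only its slice even of the data that was kept. The access review deactivates accounts rather than deleting them, which keeps the audit history while making every view function refuse the departed user.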
Data Breach Notification: What You Owe Donors If Breached
Despite your best efforts, breaches happen. If donor data is compromised, you have legal and ethical obligations to notify donors. Many states have breach notification laws specifying what you must do and on what timeline. Additionally, donors deserve to know if their information is exposed so they can take protective measures like monitoring credit reports.
Understand your notification obligations. Most states require notification to affected individuals without unnecessary delay (typically within 30-60 days of discovering the breach). You also need to notify state attorneys general and credit reporting agencies if large numbers of people are affected. Look up your state's specific requirement. Have a lawyer review your plan; breach notification is complex and noncompliance has legal consequences.
Create a breach notification template in advance. If a breach happens, you'll need to notify donors quickly. Don't write notification letters in a panic during the breach. Write a template beforehand describing what information was exposed, what steps the donor should take (check credit reports, place fraud alert, change passwords), and contact information for questions. Have a lawyer review the template to ensure it meets legal requirements and protects your organization.
Be transparent about what happened. Explain clearly what information was exposed. Donors can't protect themselves if they don't know what's at risk. A vague notification that "we experienced a security incident" is less helpful than "unauthorized access to our donor database exposed donor names, addresses, and giving amounts between [dates]." Specificity allows donors to take appropriate action.
Offer credit monitoring or fraud monitoring services. If credit card information was exposed, consider offering one year of free credit monitoring to affected donors. This shows good faith and gives donors tangible protection. Your cyber insurance might cover this cost.
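The notification template the article recommends can be prepared as structured data, so that a vague letter cannot be produced under the pressure of an incident. The following Python is an added illustration, not the article's template or any organization's real notice: it refuses to render unless the exposed data categories, the exposure window and a contact point are all present, maps each category to the protective steps donors should be told about, and computes the notification deadline and whether a regulator notice is likely needed. The category names, the remediation wording, the 30-day default and the 1,000-person threshold are placeholders chosen to match the article's advice, not figures from any statute; the sample incident is constructed.

```python
"""Breach notification from structured incident facts, refusing vague ones.
Added illustration; category names, remediation text, the 30-day default and the
regulator threshold are assumptions, not figures from any statute."""
from dataclasses import dataclass
from datetime import date, timedelta

# Protective steps to tell donors about, keyed by the kind of data exposed.
REMEDIATION = {
    "contact_details": ["Be alert to phishing or fraud that references your gift to us"],
    "giving_history": ["Be alert to phishing or fraud that references your gift to us"],
    "payment_card": [
        "Check your card statements for charges you do not recognize",
        "Ask your card issuer to replace the card",
        "Enroll in the free credit monitoring we are offering",
    ],
    "login_credentials": ["Change your donor-portal password and any account that reused it"],
}
# Placeholder: the real 'large breach' figure comes from the applicable state statute.
LARGE_BREACH_THRESHOLD = 1000


class VagueNotificationError(ValueError):
    """Raised when the facts are too thin to tell donors what is actually at risk."""


@dataclass(frozen=True)
class Incident:
    discovered: date
    window_start: date        # first date of unauthorized access
    window_end: date          # last date of unauthorized access
    exposed: frozenset        # categories drawn from REMEDIATION
    affected_count: int
    contact: str              # where donors can ask questions


def validate(inc: Incident) -> None:
    """Reject incidents that would yield a 'we experienced a security incident' letter."""
    if not inc.exposed:
        raise VagueNotificationError("name at least one exposed data category")
    unknown = set(inc.exposed) - set(REMEDIATION)
    if unknown:
        raise VagueNotificationError(f"unknown data categories: {sorted(unknown)}")
    if inc.window_start > inc.window_end:
        raise VagueNotificationError("exposure window ends before it starts")
    if not inc.contact.strip():
        raise VagueNotificationError("give donors a way to ask questions")


def recommended_steps(inc: Incident) -> list:
    """Union of the steps for every exposed category, duplicates removed, order stable."""
    steps = []
    for category in sorted(inc.exposed):
        for step in REMEDIATION[category]:
            if step not in steps:
                steps.append(step)
    return steps


def notification_deadline(inc: Incident, days: int = 30) -> date:
    """Outer bound for notifying donors, counted from discovery (the default is an assumption)."""
    return inc.discovered + timedelta(days=days)


def needs_regulator_notice(inc: Incident) -> bool:
    """True when the affected population crosses the placeholder 'large breach' threshold."""
    return inc.affected_count >= LARGE_BREACH_THRESHOLD


def render(inc: Incident) -> str:
    """Produce the donor-facing text; raises VagueNotificationError rather than hedging."""
    validate(inc)
    categories = ", ".join(sorted(c.replace("_", " ") for c in inc.exposed))
    lines = [
        f"Between {inc.window_start:%Y-%m-%d} and {inc.window_end:%Y-%m-%d}, unauthorized access "
        f"to our donor database exposed the following information: {categories}.",
        "What you can do:",
        *(f"  - {step}" for step in recommended_steps(inc)),
        f"Questions: {inc.contact}",
    ]
    return "\n".join(lines)


# Constructed sample incident (not a real event).
SAMPLE = Incident(
    discovered=date(2024, 5, 10), window_start=date(2024, 4, 1), window_end=date(2024, 5, 8),
    exposed=frozenset({"payment_card", "contact_details"}), affected_count=2500,
    contact="privacy@example.org",
)

if __name__ == "__main__":
    print(render(SAMPLE))
    print("notify donors by:", notification_deadline(SAMPLE))
    print("regulator notice required:", needs_regulator_notice(SAMPLE))
```

Because `validate` runs inside `render`, the only way to get a letter out of this code is to supply the specifics the article calls for; the lawyer-reviewed wording lives in `REMEDIATION` and the sentence templates, and the incident facts are filled in separately, which is the division of labor that lets the template be written calmly in advance.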
Third-Party Data Sharing: Controlling Who Uses Donor Information
Do you share donor information with third parties? List rental companies might want to rent your donor list. Partners might want donor contact information. Vendors might need access to donor data to provide services. Each time you share donor information, you transfer responsibility and risk. Minimize sharing and have agreements in place.
Before sharing donor information with any third party, consider whether it's necessary and whether donors would expect it. If you're exchanging lists with another nonprofit, donors might expect that. If you're sharing data with a vendor to process donations, that makes sense. If you're selling donor information to a for-profit company, that's ethically questionable and many donors wouldn't want it.
When sharing is necessary, use data processing agreements. These are contracts specifying that the third party will protect the data, use it only for specified purposes, not share it further, and return or delete it when done. Include security requirements (encryption, access controls, incident notification). Have a lawyer review the agreement. Don't share sensitive data with vendors who don't have data protection agreements.
Avoid buying or renting third-party donor lists if possible. Each external list introduces unknown data quality and potential privacy issues. If you need list data, work with brokers who specialize in this and who can verify data quality and compliance with privacy regulations.
Donor Rights and Transparency: Being Honest About Data Practices
Beyond legal requirements, donors have reasonable expectations about their data. They should know what information you collect, how you use it, how you protect it, and what rights they have. Be transparent about your data practices. Publish a privacy policy and update your donor terms to address data handling.
Your privacy policy should address: what information you collect, how you use it, how long you keep it, who you might share it with, how donors can access or correct their information, and how donors can opt out of certain communications. Make it accessible and understandable. Avoid legal jargon. Donors shouldn't need a lawyer to understand your privacy practices.
Give donors control over their information. If a donor asks to see what you have on file about them, provide it. If they want to update their contact information, make that easy. If they want to opt out of email communication, honor that request. Make your systems easy to use so donors can manage their own information.
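The donor rights described above, and the confidentiality requests the third-party sharing section says to honor, are only real if the system enforces them where the data is used, not merely where the preference is recorded. The following Python is an added illustration, not a real donor portal's API: a donor can see everything held about them, correct their own contact fields, and opt out of a channel; campaign recipient lists and list-rental exports then suppress opted-out and confidential donors at the moment of use, and every request is written to an audit trail. The record layout, channel names, the `do_not_share` flag and the sample donors are assumptions.

```python
"""Donor self-service rights (access, correction, opt-out) and confidentiality
requests, enforced where the data is used and recorded in an audit trail.
Added illustration; the record layout, channel names and flags are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Which stored field a communication channel needs (assumed channel names).
CONTACT_FIELD = {"email": "email", "mail": "mailing_address", "phone": "phone"}
# Fields a donor may correct themselves; giving history is not self-editable.
SELF_EDITABLE = {"email", "mailing_address", "phone"}


@dataclass
class Donor:
    donor_id: str
    name: str
    email: str = ""
    mailing_address: str = ""
    phone: str = ""
    gifts: list = field(default_factory=list)      # (date, amount) pairs
    opted_out: set = field(default_factory=set)    # channels the donor declined
    do_not_share: bool = False                     # asked to be kept confidential


class DonorPortal:
    def __init__(self, donors):
        self._donors = {d.donor_id: d for d in donors}
        self.audit = []   # (utc timestamp, donor_id, event)

    def _log(self, donor_id, event):
        self.audit.append((datetime.now(timezone.utc).isoformat(), donor_id, event))

    def access_request(self, donor_id):
        """Everything held about the donor, including preferences, in plain form."""
        d = self._donors[donor_id]
        self._log(donor_id, "access_request")
        return {"name": d.name, "email": d.email, "mailing_address": d.mailing_address,
                "phone": d.phone, "gifts": list(d.gifts),
                "opted_out": sorted(d.opted_out), "do_not_share": d.do_not_share}

    def correct(self, donor_id, field_name, value):
        """Self-service correction, limited to contact fields."""
        if field_name not in SELF_EDITABLE:
            raise PermissionError(f"{field_name} cannot be changed from the portal")
        setattr(self._donors[donor_id], field_name, value)
        self._log(donor_id, f"corrected {field_name}")

    def opt_out(self, donor_id, channel):
        if channel not in CONTACT_FIELD:
            raise ValueError(f"unknown channel {channel!r}")
        self._donors[donor_id].opted_out.add(channel)
        self._log(donor_id, f"opted out of {channel}")

    def set_confidential(self, donor_id):
        self._donors[donor_id].do_not_share = True
        self._log(donor_id, "requested confidentiality")

    # Preferences are enforced at the point of use, not merely recorded.
    def recipients(self, channel):
        """Donor ids eligible for a campaign on this channel; opt-outs are suppressed here."""
        contact_field = CONTACT_FIELD[channel]
        return [d.donor_id for d in self._donors.values()
                if channel not in d.opted_out and getattr(d, contact_field)]

    def list_rental_export(self):
        """Rows for a list exchange with another nonprofit: confidential donors and
        postal opt-outs are excluded, and no giving or payment data is included."""
        return [{"name": d.name, "mailing_address": d.mailing_address}
                for d in self._donors.values()
                if not d.do_not_share and "mail" not in d.opted_out and d.mailing_address]


def build_portal():
    """Fresh portal over constructed sample donors (not real people)."""
    return DonorPortal([
        Donor("d1", "Ada Donor", email="ada@example.org", mailing_address="1 Main St",
              gifts=[("2024-03-01", 250.0)]),
        Donor("d2", "Bo Giver", email="bo@example.org", mailing_address="2 Oak Ave"),
        Donor("d3", "Cy Quiet", mailing_address="3 Elm Rd", do_not_share=True),
    ])


if __name__ == "__main__":
    portal = build_portal()
    portal.opt_out("d1", "email")
    print("email campaign goes to:", portal.recipients("email"))
    print("list rental rows:", portal.list_rental_export())
    print("Ada's record:", portal.access_request("d1"))
```

Putting the suppression inside `recipients` and `list_rental_export` means a new campaign or export tool cannot accidentally bypass a donor's choice by reading the raw records, and the audit trail gives you evidence, if a donor later asks, of when each request was received and acted on.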
Frequently Asked Questions
Do we need a privacy policy?
Yes. A privacy policy describes your data practices and is required by law in many circumstances. It should explain what information you collect, how you use it, who you might share it with, how long you keep it, and how donors can access their data. Make it clear and accessible. Donors should understand your practices without legal expertise. Update it if your practices change. A privacy policy is both a legal requirement and an ethical practice demonstrating that you take donor privacy seriously.
Should we store credit card information?
No. Use a payment processor that stores credit cards for you. Payment Card Industry Data Security Standard (PCI DSS) compliance for storing credit cards is complex and expensive. Payment processors handle this. You receive confirmations of donations and can process recurring gifts without storing card numbers. This is simpler, more secure, and reduces your compliance burden.
What should we do if we discover a data breach?
First, contain it: disconnect affected systems if necessary to prevent further unauthorized access. Second, investigate: understand what happened, what data was exposed, and how. Third, notify affected people: follow your state's breach notification law. Fourth, notify regulators if required. Fifth, review your security practices and fix what allowed the breach. Sixth, communicate with your community about the breach and the steps you're taking. Having a plan in advance makes this process smoother.
Can we rent our donor list to other nonprofits?
You can, but consider donors' expectations. If renting is a standard nonprofit practice, donors might expect it. If you do rent lists, your privacy policy should disclose this. Don't share it with for-profit companies. Consider whether donors would feel violated by the sharing. Some donors explicitly want their information kept confidential; honor those requests. If list rental is important to your revenue model, disclose it upfront so donors can opt out if they want.