It is 6 a.m. and you receive a call from your chief financial officer that your donor data has been stolen. What do you do? Whom do you call? How do you handle this situation? I find that a fair number of our nonprofit clients are unaware of where their data resides, who has access to it, and how it’s protected. So, let’s explore some methods that your organization can employ to better protect the privacy of your donor, employee and volunteer data. This is the first of two articles that will better prepare you to implement a data privacy program.
Step One: Understand Regulatory Standards
Due to the prevalence of data breaches, data privacy standards are popping up across the globe. Regardless of whether you operate internationally or only in the United States, it is critical to understand which data privacy regulations apply to you. In the United States, there are approximately 20 sector-specific national privacy or data security laws, and there are hundreds more among the 50 states. From a global perspective, there are thousands of data privacy laws that are already in place or will be put in place in the next several months. Regardless of where you operate, you need to understand how your organization should comply.
Step Two: Identification
The next step is to ensure you understand what information you have and where it is. Certainly there are tools to assist with this, but if you do not have the budget for those tools, start by interviewing the individuals who manage specific applications and data sets. During these interviews, gain an understanding of what software applications or technology are used to conduct your business, identify where that data is stored, whether it is managed internally or externally, and how long the data is retained.
To prepare your data inventory, follow these steps:
1. Obtain application inventories that might already exist.
2. Update the application inventories.
3. Gain an understanding of who manages each application.
4. Identify what types of data are stored within each application.
5. Understand how long certain data types are retained.
6. Determine where your most sensitive types of information reside.
7. Map how the data flows through the organization for those critical sets of data, who manages it, who has access to it and where security gaps might exist.
Step Three: Classify Data
There will be certain types of data that you consider very sensitive, while other types might be considered less critical or sensitive to the organization. To develop classification schemas, use a guide similar to the one outlined at the end of this article.
Regardless of the size of your organization, classifying data is a critical step in protecting the privacy of your information.
Step Four: Align Policies with Data Classifications
Once you have classified your data, the next step in the process is to understand what data protection policies are currently in place and whether they are current or in need of updating. Oftentimes, an organization will find that its policies have not been updated for years. This can be more detrimental than having no policies at all, because an outdated policy gives a false sense of coverage. If you create policies, the key is to ensure there are good governance and management practices to maintain them. Typical policies that are essential to maintaining the privacy of data include:
- Data classification
- Data retention
- Legal hold
- Data security
- Data handling
- Information lifecycle management
- Data privacy
As you are developing your policies, your technical or security teams should verify that the requirements stated in each policy match the controls actually in place. In other words, it is critical to align your security practices with your policies.
Step Five: Mobilize and Train your Team Members
Once you complete the above steps, it is time to develop an implementation and change management strategy, as well as a training program. Training and change management are critical to a successful roll-out of any program. Although implementation plans vary widely, standard steps that can be employed in any organization include:
- Pilot: Test the process, policies or procedures with a small group.
- Utilize Technology: Understand what technology can be used to better manage processes, policies or procedures over time.
- Roll out: Once you have conducted the pilot, begin to roll out the program to all team members.
- Training: Immediately following your roll-out or implementation step, ensure that each team member is trained in a timely manner.
Now that you have these steps under your belt, it is time to move on to establishing the privacy program.
This article originally appeared in BDO USA, LLP's "Nonprofit Standard" newsletter (Winter 2017). Copyright © 2017 BDO USA, LLP. All rights reserved. www.bdo.com. Warren Averett is an independent member of the BDO Alliance USA. This article was reprinted with permission from BDO USA, LLP.