Three Tips to Optimize Your CRM Data Validation Sprint


Data Validation is a set of capabilities that leverages your Constituent Relationship Management (CRM) integration. A “data validation sprint,” from an agile methodology standpoint, is a set period of doing specific work that must be completed and reviewed at the end. A data validation sprint aims to build a series of experiments that will confirm or reject the assumptions made about your CRM.


There are plenty of reasons for running a data validation sprint, but here are just a few of the most important ones:

  • data-driven validation on your early-stage CRM project;
  • identify and list your most critical assumptions;
  • validate or invalidate these assumptions;
  • gather useful information about your potential donors; and
  • finalize in a way that is fast, lean, and efficient.


As you plan and prepare for your CRM data validation sprint, here are three tips to maximize and optimize the process. 

Communicate early and often.

Regarding your CRM implementation, communication is always vital—your data validation sprint is no exception. Communicate with those completing the validation, and your subject matter experts (SMEs) assigned the task of data validation early and often. The earlier you communicate and the frequency, the better the outcome. 


Focus on simple things like notification of orientation dates. Let users know what’s coming—give notice ahead of dates and communicate the time commitment. Clearly articulating the time required helps users properly allocate time to complete the validation. 


Allowing your team to prepare appropriately, impacts the results of your data validation—most often positively.  Additionally, preparation prevents the “last-minute scramble,” decreasing the likeliness of overwhelming feelings of your CRM team.

Offer support and resources.  

Support SMEs and provide appropriate resources to achieve and optimize results. Whether it’s simple system navigation or offering clarity about CRM project expectations, make a support person available to help. 


For example, at Precision Partners, we offer planned times throughout the data validation sprint to provide clarity, direction, and IT troubleshooting support, alleviating the need for users to visit their IT departments. 


One fairly easy way to support SMEs is to hold office hours. The project team should make themselves readily available during this sprint. Office hours allow SMEs to ask questions or troubleshoot an issue or problem with their assigned data validation. 

Develop and maintain a resource repository.  

For each data validation sprint, maintain a resource repository specific to the subject matter at hand. A repository or center of excellence is where users can go for support. 


As you build the resource repository, create decision logs specific to the subject matter. The decision log should include any tool or resource that provides clarification or information that could be helpful. Keep your decision log up to date, relevant to the subject matter at hand for the sprint, and easily accessible. 


For example, SMEs are tasked with data validation, and the repository equips them with the resources to identify and support them with how to do it. The repository would provide the following: 

  • where to find information;
  • what tools are available;
  • what tools are appropriate for what purpose; and
  • videos about how to use them.


Consolidate where you access the repository information, making it easy and efficient. Create something users can bookmark whether through their email or in an internet browser. This prevents the hassle of sifting through various links or resources, instead offering all the tools they may need to complete the data validation sprint or work requirements.

Enterprise Data Management and the Importance to Institutional Advancement Operations


In the age of so much information and the ability to collect data at different touch points, an entire methodology has emerged: enterprise data management (EDM.) EDM is the ability of an organization to precisely define, easily integrate, and effectively retrieve data for both internal applications and external communication. In addition, it focuses on the creation of accurate, consistent, and transparent content. 


Previously, each department was responsible for managing its own data. This process has shifted to a collaborative approach. Specifically examining how the data collected by different departments can be pulled together to better serve the institution. (Concepts like the 360-degree customer view were born out of that.) 


What is the single version of truth about specific data points?


From an EDM perspective, it has traditionally been led by the information technology (IT) department. However, in some instances, IT may be specialized and have a data management division and the ability to reach out to the competency departments. 


For example, hospital IT reaches out to the clinical area to get feedback; a university reaches out to the student information management department (or the marketing department) for feedback. Both scenarios have a central IT department, and likely big data consumers. But the downside is this often isolates advancement operations.


Institutional advancement’s primary goal is to extend the message through outreach, fundraising, marketing, or publicity. They are also tasked with establishing long-lasting relationships with donors, promoting the institution, and building financial resources to support ongoing programs and operations. 


When it comes to enterprise data management, they’re often forget about—but they shouldn’t be. Here’s why. 


Quality Data Improves Processes 

Data is only valuable when it is accurate, relevant, and reliable. Advancement departments often work to build relationships based on interactions that may be initiated because of data.


But if your data is low-quality, a considerable chunk of your revenue is spent on the dedicated staff hired to cope with it. They could instead be focusing on value-add processes like building relationships or raising vital funds for your organization.


Data Provides Donor Insights 

Leveraging the potential of data analytics, advancement team members can quickly identify prospective donors and optimize the fundraising process.


For example, in a hospital, an address to patient billing is essential so they can send the bill and receive payment. When it comes to advancement, an address helps them contact prospective donors and identify wealth.


Data Supports Relationship Building

Advancement teams are on the front line with donors and supporters, and data empowers a meaningful way to build relationships.


For example, a fundraiser is interacting with a donor or supporter, and they mention their spouse who happens to be deceased because they are unaware. This creates a considerable embarrassment for the fundraiser, offends the donor or supporter, and creates an overall uncomfortable situation. 


Another scenario might be a fundraiser sends mail or an invoice to the wrong address that then gets returned to the sender. This is a missed opportunity to engage prospective donors, but also makes your organization look incompetent. Both scenarios could be avoided with the use of enterprise data management. 


Simply put, enterprise data management is essential for institutional advancement. It creates a standard and streamlined system for advancement departments to locate, access, control, store, and secure their data. 

Data Mart vs. a Data Warehouse: What’s the Difference?

Too often in advancement, a data mart and a data warehouse are used as interchanged terms. But they are, in fact, two very different things.


Here’s the difference between a data mart and data warehouse and best use scenarios for your advancement needs.


Data Mart

A data mart is a curated subset of data often generated for analytics and business intelligence users—typically limited to holding warehouse data for a single purpose, such as serving the needs of a single line of business or company department. Data marts are often created as a repository of pertinent information for a subgroup of workers or a particular use case.


Data marts are a subset of a data warehouse. Organizations may use data marts to provide user access to those who cannot otherwise access data. Data marts may also be less expensive for storage and faster for analysis, given their smaller and specialized designs.


Other significant differences between a data mart and a data warehouse include the size, range, and sources.


  • Size: Data marts are typically less than 100 GB, whereas a data warehouse is typically larger than 100 GB and often a terabyte or more.
  • Range: Data marts are limited to a single focus for one line of business, whereas a data warehouse is typically enterprise-wide and ranges across multiple areas.
  • Sources: Data marts include data from just a few sources, whereas a data warehouse stores data from multiple sources.


In the context of your advancement CRM, a data mart is beneficial for creating a suite of reports—either from a daily operational standpoint or issues that may require information you need to make decisions. In addition, these reports enable you to see your progress or implement a course correction if needed.


Another case where you may want to leverage a data mart is to maintain “supplemental information.” Supplemental information may include a report you use on an infrequent basis. You can use your data mart to create a table or a couple of tables to house supplementary information to leverage reports that you can refer to once or twice a year.


This is beneficial because you may not want to build something special in your advancement CRM to hold the report because you use it infrequently.


Another use for a data mart may be to store what’s considered “frozen data”–a snapshot in time of your transactional data. Data marts enable you to store those exact numbers and easily reference when needed.


For example, you created a Voluntary Support of Education (VSE) report. Each year, you reported specific numbers to an external entity on how your institution was doing. But your transactional system is constantly changing.


This is because new data is being input and updated daily in the CRM application. If you were questioned on a previous fundraising year, would you be able to back it up? You may get the same data if you run the report out of your current application in your advancement CRM. The “frozen data” that was stored is needed to be a reference. A data mart enables you to maintain those transactions and tag them appropriately.


Software Platforms for Data Marts

When it comes to which software platform to use for a data mart, you should select the one that best aligns with your advancement CRM. Avoid using multiple vendors, as this creates confusion.


For example, you have one vendor for your advancement CRM and one for your data mart, and they don’t get along. But you need the transition of information from your advancement CRM to your data mart to be seamless.


Opt to use something from the same software vendor or choose another platform that has a very close partnership with the software vendor of your advancement CRM.


From a usability perspective, you want something user-friendly. On the other hand, you don’t want an overly technical solution for your data. This is because the audience for your data mart may be tech-savvy, but they’re not programmers, and they shouldn’t have to be. So instead, select something for more of an analyst-level ability to interact with the data mart. Save your heavy technical resources for something else.


Data Warehouse

A data warehouse is a relational database designed for analytical rather than transactional work, capable of processing and transforming data sets from multiple sources. It draws in data from disparate systems, taking on more of an enterprise view of data.


Data warehouses receive information across your organization. This is not fundraising or advancement specific; the data warehouse should be feeding information from all areas of your organization. Best usages for a data warehouse include:


  • Healthcare: A data warehouse combines information from advancement with a patient information system.
  • Higher Education: A data warehouse combines information from an advancement CRM with a student information system like the registrar’s office.


Software Platforms for Data Warehouses

Now is the time to leverage your central information technology (IT) resources. When it comes to the software platforms for your data warehouses, you want the combined support of the IT resources or expertise of individuals for the other systems.


For example, your experts in your advancement area are usually not the same as those in your patient area. So instead, use your central IT who has colleagues and expertise in all these different systems—that’s whom you want working on your data warehouse projects.


Select a platform they know best and can manage the data from these different systems. For example, your data mart needs to communicate well with your advancement CRM, but your data warehouse needs flexibility with many other systems.


Slow and overloaded data warehouses are often the underlying reason for creating data marts and frequently serve as their underlying data source. Often, as data volumes and analytics use cases increase, organizations cannot fill all analytics use cases without degrading the performance of their data warehouse, so they export a subset of data to the mart for analytics.

Data Validation Is a Critical Step in The CRM Process: Here’s What to Consider


Data validation is a critical step in your Constituent Relationship Management (CRM) implementation project. For the best results, you must get out of thinking that anything having to do with data conversion is a technical task or an activity that only requires the involvement of the technical team members.


Instead, consider using your Subject Matter Experts (SMEs). Using your SMEs in the advancement CRM implementation project adds value because they live and breathe the data daily. Of course, there are technical components and things the technical team will do, but for the best results, you must combine that with your SMEs.


Here’s how you can get your SMEs involved in the data validation process.


Step One: Establish a Framework

Establish the framework for how to involve regular business users in the process. Ensure the data validation compares what’s in your legacy system and your new advancement CRM.


  • Is the data there?
  • Did it land in the right place in your new advancement CRM?


As you evaluate the data accuracy, consider things like proper orientations, instructions, and available preparations for navigating to where the data lives in the legacy system.


Specifically, helping your business users to navigate the data’s “new home” in the advancement CRM. Navigation is vital because if you compare data and involve the business users, they must know how to navigate. Otherwise, they’re at a loss.


Step Two: Create a Validation Checklist

Involving your business users in the data validation process requires clear instructions on how they can (and should) participate. In many cases, decisions may have either changed it or left data behind when it moved from the old system to the new one.


From the business users’ perspective, they’re working within the system daily and may find themselves exploring beyond the project outline. While their input is valuable, you don’t want them to get lost in their exploration. To help deter this, create a validation checklist that outlines the minimum requirements they should perform that will be critical in giving feedback to your CRM project.


For example, create a list of 15-20 items of minimum requirements that must be met from an assignment perspective. Once those requirements are completed, then you can encourage further exploration. This helps your CRM project stay on track without losing sight of priority validation items that need to be completed.


The data validation checklist is one way to balance tasks getting done to move the project forward versus encouraging curiosity during a project.


Step Three: Determine the Records to Test

There are pockets of populations within your advancement CRM that have more data or are more prominent individuals and organizations that you need to pay attention to as you complete your data validation.


For example, if something went wrong with your VIP list in the legacy system—that would be very noticeable—and should be a part of the group of records you will test in the new advancement CRM.


Deciding what records are the most valuable to test requires prioritization. Consider these lists as you plan what to prioritize.


  • VIPs
  • Board members
  • Trustees
  • Major donors
  • Organizational partnerships
  • Foundations


Be thoughtful about building the test record population, as this is a necessary step toward effective data validation.


Step Four: Generate Guidelines for Reports

The final step toward involving your SMEs in the data validation process is to generate a particular framework on how they can report results. Your SMEs are a population of users that don’t do this regularly—these aren’t your technical team members who understand the testing methodology. Therefore, you must provide an easy-to-follow framework and instructions for how to report results, so you get meaningful information.


Having clear reporting strategies also helps to eliminate the back-and-forth communication or vague generalizations like, “This didn’t work.” Instead, generate guidelines for how users can report challenges. For example, include prompts to help identify specific issues and an explanation of the problem, “Which test record were you on and what happened?”


Encourage screenshots and videos so they can share what they experienced most efficiently.


Data validation provides accuracy, clearness, and completeness to your new advancement CRM dataset—avoiding errors and ensuring data is not corrupted. While data validation can be performed by your technical team, involving your SMEs adds significant value and enhances your CRM project.

Stronger Data Security for Cloud Vendors Becomes Standardized


Cloud technologies are becoming a significant investment for organizations of all sizes. Cloud computing increases efficiency, helps improve cash flow, and offers many more benefits. You’re likely aware of how beneficial cloud technology can be if you’ve recently purchased (or considering) a new advancement Constituent Relationship Management (CRM). This is because many of today’s advancement CRM options are cloud-based vendors.


How does cloud based technologies affect data security?


Data security has become more prevalent, especially for the advancement community. Choosing a cloud vendor with robust data security standards are vital. This is because CRM data security management is critical to creating and maintaining an effective CRM system.


Until recently, data security standards have only been consistently applied to companies that contract with the federal government. But many states have now taken notice of the importance of data security standards. Here’s what to consider.


Cybersecurity Laws

Texas Gov. Greg Abbott recently signed a cybersecurity law that will implement several new programs at the state’s Department of Information Resources, including a cloud-security certification system modeled on a longstanding federal program.


Under the new law, Texas will create a rubric for verifying that the cloud services that state agencies and higher-education institutions contract with meet specific data-security standards. The program went into effect in January 2022 and is modeled after the Federal Risk and Authorization Management Program (FedRAMP), which grades the security of federal vendors.


Other states are taking similar initiatives to enact data-security standards—namely Michigan and Ohio, with many others likely to follow suit.


U.S. Senator Gary Peters (Michigan), Chairman of Homeland Security and Governmental Affairs, announced he had introduced bipartisan legislation to update and make permanent the FedRAMP program to ensure federal agencies can quickly and securely adopt cloud-based technologies that improve government operations and efficiency. In addition, the bill will make FedRAMP more accountable to the American people and create private-sector jobs in companies that provide cloud services.


In a November 2021 press release, Senator Peters said, “This important bipartisan bill will ensure that agencies can procure cloud-based technology quickly while ensuring these systems—and the information they store—is secure. It will also help companies that provide these technologies grow and create jobs and incentivize them to provide innovative products to bolster our nation’s competitiveness in this space.”


FedRAMP and StateRAMP

FedRAMP provides a standardized approach to security authorizations for cloud service offerings. This standard empowers agencies to use modern cloud technologies, emphasizing security and protection of federal information—helping to accelerate the adoption of secure cloud solutions.


It consists of two primary entities: the Joint Authorization Board (JAB) and the Program Management Office (PMO). Members of the JAB include the chief information officers (CIOs) from the Department of Defense, Homeland Security, and General Services Administration. The JAB serves as the primary governance and decision-making body for FedRAMP.


FedRAMP has defined the responsibilities of federal agencies since 2012—when cloud technologies began to replace outdated tethered software solutions—to ensure cloud-based information technology is used appropriately. FedRAMP was born from the U.S. government’s “Cloud First” strategy. That strategy required agencies to look at cloud-based solutions as a first choice.


Getting FedRAMP authorization was (and is) no easy task. The level of security required is mandated by law. There are 14 applicable laws and regulations and 19 standards and guidance documents. It’s one of the most rigorous software-as-a-service certifications in the world.


All cloud services holding federal data require FedRAMP authorization.


StateRAMP is a nonprofit organization that launched in early 2021 with the intention to promote cybersecurity best practices through education, advocacy, and policy development to support members and improve cybersecurity.


StateRAMP is designed as a shared service for government and a streamlined service for suppliers who can verify their products one time and reuse that certification with each government agency they serve.

Preparing for Data Validation During Your Advancement CRM Implementation


Data validation checks the accuracy and quality of data before importing and processing during your advancement Constituent Relationship Management (CRM) implementation. Validating the accuracy, clarity, and data details are necessary to mitigate any project defects.


Without validation, you run the risk of using inaccurate data.


Additionally, having accurate data is an important step toward user adoption. If users cannot trust the data in the CRM, they may resist adoption of your new CRM. This is especially true if the promise of having accurate and reliable data is made as part of implementing a new CRM. Having reliable data is often a main motivation for doing a CRM project—and often one of the project goals.


Data validation is a form of data cleansing. It can be one of those things that can be a grueling process, but your institution must do it.


Here’s how you can prepare for data validation during your advancement CRM implementation.

Determine Your Data Validation Team

Having the right people as part of your CRM validation team is as important as conducting the data validation itself. Team members selected to validate data should be experienced in your new and old systems and keenly aware of the existing data.


When choosing who should be on your data validation team, engage users who are:


  • familiar with the data in your legacy system;
  • proficient in the new system and have participated in the CRM project;
  • expert navigators of your legacy system but also your new CRM system; and
  • known for their attention to detail.

Common Mistakes to Avoid

One of the most common mistakes organizations make during CRM data validation is assigning new staff members because they are available. Organizations may also try to hire temporary staff with the idea that getting more people to assist with the data validation is beneficial. In these scenarios, these individuals may essentially follow instructions, simply comparing the old system against the new. This will result in a limited ability to discern more nuanced issues, and more profound problems won’t be recognized because they are not familiar with the data.


Data validation is not a task for a newbie. Instead, the data validation team needs individuals with many years of institutional history and knowledge to effectively assess data and change the data quality.


Another common mistake organizations often make when it comes to data validation is they don’t define the effort. You could ultimately spend years on the tasks associated with data validation. Unfortunately, you don’t have that kind of time. Instead, define the goals and the amount of time your data validation team should have it completed.


For example, “X data needs reviewed and should be completed in two weeks.”


Institutions also forget to identify focus areas and assign tasks to specific team members.


Be explicit and intentional when identifying a focus and assigning tasks—only assigning the data validation to the folks who have willingly committed their time. Give detailed assignments with clear identifiers. This helps everyone fully understand how much work they need to achieve and guidelines, so they know when they’re “done.”


An example of identifying focus and assigning tasks includes, “we’re focusing on X area; here are your assignments that need to be completed in X weeks.”

How should we approach data validation?

There is a healthy amount of rigor to the process of data validation. “Looking” into the system is not appropriate data validation. Before beginning with your CRM implementation data validation, establish a set (or sets) of test data that can be validated during this process.


First, set a collection of test records—like board members, trustees, and major donors. Be intentional about the collection of data you’re validating.


Then, develop test cases or use scenarios. Outline what the user should be testing. Be very clear on what is considered success versus failure—it shouldn’t be a mystery to them. Your data validation team should have a deep understanding so they can look at the records and compare them. Once you’ve gathered all this information, assign a score of a pass, or fail—which should also be documented.


Finally, prioritize what you’re testing. At the outset, you might think you want all your data to be validated, but you usually don’t have enough people or time to do so. Instead, rank the data validation assignments in order of importance. This way if you run out of time to complete all your data validation, you’ve already completed your most important test cases.

Will a New Advancement CRM System Really Make a Difference?


A new Constituent Relationship Management (CRM) system can propel your fundraising efforts to new levels. But do you really need a new system?


A CRM is a hub for all donor-centric activities, and solutions exist for every organization regardless of size. With the right CRM, your institution can deliver timely, automated, targeted communications to donors to personalize the donation journey.


Leveraging new technology can help your development office stay competitive. But unless you first define your organizational goals and needs, it’s difficult to understand how any new technology meets those needs and achieves those goals. Especially when data quality is in question.


One of the first things organizations do when experiencing poor data quality, is start looking for a new CRM. But implementing new technology will not always solve the problems departments face with obtaining clean and accurate data.


A new CRM system may not be the answer to your problem, especially if your processes and procedures are the cause for your poor data. Your poor data quality will continue to be ineffective in a new system if you don’t correct procedures to ensure the current system is being fully optimized.


Can your organization relate to any of these common complaints when it comes to data quality and your CRM?


  • Teams are spending time and resources performing quality assurance and data cleanup, but these efforts are not focused on the most important to the users.
  • The CRM system includes a massive amount of data, but there aren’t enough resources to make a noticeable impact on donor-based efforts.
  • The information teams receive (either from the system or reports) is often misinterpreted by the users, making it ineffective.
  • Data is pulled from several resources, but there are no measures to interface the data, resulting in poor quality.
  • There is a lack of metrics and ongoing user education of the CRM system. As a result, users do not understand their responsibilities, the importance of data quality, and their role in the quality of that data.


If your organization can relate to any of these common complaints, it may benefit you to look internally and implement the following tactics before undergoing a new CRM implementation.


Perform a Data Quality Assessment

Your first task should be to assess the quality of the overall data your users are receiving. By using a quality data prioritization method, gauging the data usage and impact, you can obtain a quality rating. This also helps you determine the factors that increase or decrease that quality rating.


Incorporate Stakeholders

By identifying management stakeholders and stakeholders in different departments, you gain sponsorship of the data quality. This also helps to stress the importance of accurate data to the users responsible for the quality.


Establish a Strategic Data management Program

A comprehensive strategic data management program that reviews the overall quality of your data should:


  • evaluate if business definitions are standardized and comprehensive;
  • identify sources of data and the reliability of that data at each level of the process;
  • distinguish data entry workflows and determine which are susceptible to errors; and
  • review quality assurance procedures and determine if they are aligned with the highest priorities.


Consider these other measures that ensure you are obtaining the best data.


  • Use automated tools and routines to clean up your data.
  • Prioritize data cleanup at the user level.
  • Define a “master record” to ensure current data is used and duplicate information is eliminated—especially when integrating data from multiple resources.
  • Create reports that monitor the data quality.
  • Hold regular meetings with stakeholders to ensure the data meets quality expectations.
  • Illustrate how the quality of the data directly affects user efforts—stressing the importance of ownership of data at the user level.


After implementing these systems, you may find that you don’t need new CRM technology—alternatively, optimizing what you already have. High-quality data is the lifeblood of your fundraising initiatives. Every effort should be made to obtain quality data and fully use your CRM system.

Updating Your Legacy Database Documentation, What Are the Benefits?

You’ve decided to move your Constituent Relationship Management (CRM) system. You’re hoping for a clean break from your legacy system—the current system you’re on when you’ve decided to move on to a new software. However, you realize the transition will provide better data and ease of use once it’s finally up and running.

In the meantime, you might be considering if it’s worth updating your legacy database documentation. Doing so takes time and money, and you’re left wondering if it’s worth it.


Here’s a brief overview of how updating your legacy database documentation benefits your new CRM implementation.

Legacy System Review

Legacy systems are often based on an in-house client-server model. The database is running on a SQL Server or Oracle. There are Windows-specific applications. Users can access the system using a locally installed desktop client. Remote access is available through a Virtual Private Network (VPN) login and a Citrix remote desktop session.


The legacy system can also refer to an early generation, browser-based system. Compared to the previous category of legacy systems, the browser-based version may be easier to use and maintain. But they are not continually optimized to run on newer browser versions, subsequently relying on outdated versions to run smoothly.


But the question remains—do your legacy documents need to be addressed before transitioning your CRM solution?


In most cases, your legacy database either has little or outdated documentation. There is a standard argument that, if you’re leaving the system, why invest time and effort in bringing documents up to speed. Updating your documentation is not a waste of time and money. These critical elements will save your CRM project.

Misunderstood Processes

The original documents institutions have on hand about their legacy system are usually how the program was intended to be used. But business processes don’t always remain consistent as new users or institutional needs change.


For example, your users may have tried to establish business rules to accommodate a particular report. Many times, these workarounds to fill functional gaps in your legacy system can convolute your new CRM implementation.


It is beneficial to review the documentation on how your system was used and compare it to established business rules. Review the fields you’ve proposed, the areas the vendor set to use for one, and how it captured information—all that information matters and will be worth the investment.

Weird Data

The second thing to consider regarding your legacy database documentation is weird or strange data. When reviewing imported data, oftentimes the data doesn’t match what you expected to find. This could be a result of a requirement that wasn’t met by the system, and your users got creative. Many times, users find a way to use the system to get the information they want and need, and it doesn’t always align with your initial business processes.


If you don’t get to the bottom of the weird data in your legacy system database before the transition of your CRM application, the same thing will happen in your new system.


The top benefit of a new CRM implementation is the quality data. But if you transfer insufficient data into your new system and don’t have any documentation or understand where the guidelines exist, you’ll get good data from bad statistics.


Updating your data within your legacy database will allow you to spot the difference and pressure test the system. You’ll be aware of what portion complies and what does not. The only way to get quality data for your new plan is to ensure you’re transferring quality data from your existing database.


Examining your existing database will ease the transition to your new CRM—preventing failure, as well as costly and timely data issues later.

3 Documents You Should Maintain for Your Advancement CRM Platform


Constituent Relationship Management (CRM) is the set of processes and supporting technologies used to initiate and improve relationships with constituents. CRM is not just a technology that is brought into your institution. It helps you manage relationships with constituents and involves all of the workflows, processes, and reporting that your institution uses to achieve its mission.


When it comes to your Advancement CRM platform, document maintenance is vital. Here are three key documents you should revisit now.


#1—Master Configuration Document


The master configuration document tracks changes made to the software application to make it work for your organization—specifically site changes that enabled a certain workflow. In many cases, this document’s purpose becomes a part of your application support guidebook.


It can be a vital tool for your support team to reference when trying to help users with questions. It’s also used (or referenced) when contacting your software vendor for support due to a problem or issue. The information in your master configuration document is helpful to your software vendor and ensures you receive support as quickly as possible.


#2—Security Matrix for Staff


The security matrix for staff provides clear guidelines for how access is disseminated across the institution—indicating who has access to what information. Within your security matrix, include the justification of the access to make sure it is aligned with the staff’s job responsibilities.


Having a handle on your security at all times is an essential part of maintaining data security and data access policies.


#3—Data Management Business Rules


Your data management business rules define how a specific field should be used and provides guidelines to populate uniform information in that field. For example, you may identify data management business rules that require specific naming conventions or the structure in which you would input that information.


These business rules should be directions given to the user—explaining what to do if they do not have the given data at the time. The purpose of the data management business rules helps maintain data quality for accurate reporting and reliable decision making within the system.


Overall, your institution should review all three of these documents regularly. On an Ad Hoc basis, you should assess these documents for updates before rolling out any new initiatives using your advancement CRM system.


For periodic reviews, follow these guidelines.


Master configuration document: Yearly basis

Security matrix for staff: Twice per year

Data management business rules: Yearly basis

Data Privacy and Security—Classifying Data for Advancement


Data is a significant asset to your organization. It can provide a wealth of information about donors. A growing number of organizations are using data analytics to determine which supporters are most likely to make a significant gift or donate in response to their campaigns.


Data privacy is more important than ever before—especially in today’s digital economy—and organizations should review their data, privacy policies, and procedures. Here are different types of data privacy and security and how to classify data for advancement.


What is Confidential Data?


Any data or information that is protected by laws, regulations, or industry standards is considered confidential. Confidentiality is the need to strictly limit access to data to protect organizations and individuals from loss. Confidential data can also be defined as information that could cause harm to an individual or an organization if it is inappropriately accessed.


Data Privacy


Data privacy (information privacy) is a data security division that deals with the proper handling of data—more specifically, consent, notice, and regulatory obligations. Practical data privacy concerns are affected by several factors.


  • whether (or how) data is shared with third parties;
  • how information is legally collected or stored; and
  • regulatory restrictions


One important aspect of data privacy is transparency. Organizations must disclose how they request consent, abide by their privacy policies, and manage the data they’ve collected. Ask questions to understand your organization’s stance on data privacy.


  • What data is to be collected?
  • How long will it be kept, and does that comply with the laws?
  • Is there limited data access that is monitored, or is that data openly available?
  • What measures will be taken to protect data?
  • Is the planned use of the data aligned with why it was collected?


Data Security vs. Data Privacy


Simply keeping sensitive data secure may not be enough to comply with data privacy regulations. Data Security protects data from compromise, whereas data privacy governs how data is collected, shared, and used.


If you’ve worked to secure data—implementing encryption, restricting access, and overlapping monitoring systems—but your organization collected the data without proper consent, you could be violating data privacy regulations.


You can have data security without data privacy, but you cannot have data privacy without data security. Train employees to understand the difference. Include processes and procedures necessary to ensure the proper collection, sharing, and use of sensitive data as part of a data security portfolio.


Sensitive Data


Sensitive data is any information that needs to be protected—often dependent on the nature of the business conducted by an organization and, even more so, the responsible governing body.


What is Considered Sensitive Data?


The categories of sensitive data vary based on the privacy laws that apply to an organization.


For example, a healthcare organization will need to adhere to Health Insurance Portability and Accountability Act (HIPAA) privacy rules. In contrast, an educational institution will have to adhere to regulations such as the Family Educational Rights and Privacy Act (FERPA).


Sensitive data includes any information such as:


  • personal data, or data that can be used to identify an individual—including customer and employee data;
  • financial data such as bank account or credit card information; and
  • intellectual property or proprietary information such as software code.


Personal Data


Personal data, also known as Personally Identifiable Information (PII), is any information used to identify a specific individual. The protection of personal data has become increasingly important due to regulations that aim to protect individuals concerning their personal data processing. This has only become more prevalent as cyberattacks continue to evolve.


More frequently, organizations are being held responsible for how they process and secure sensitive data to prevent exposure and risk.


Cybersecurity Risk


Cybersecurity threats and data breaches have become the rule rather than an exception for organizations. Do you have data protection policies and the necessary procedures in place to guard against this threat?


Your organization must carefully handle sensitive data to avoid disclosure or data breach. The potential damage from a data breach goes beyond tarnishing your organization’s reputation. Your organization can be legally liable if you fail to comply with data privacy laws—which can come with exorbitant fines and penalties.


Protect sensitive data with cybersecurity best practices.


  1. Establish a data protection policy.
  2. Create a comprehensive and up-to-date inventory of sensitive data.
  3. Develop guidelines for assessing and maintaining privacy and confidentiality of data on all systems.
  4. Communicate your organization’s data security policies to staff members.


Go a step further and implement basic strategies for preventing data theft.


  1. Don’t open unsolicited email attachments or unknown files.
  2. Educate staff to identify and prevent phishing.
  3. Require strong passwords for each employee, and insist they are changed regularly.
  4. Establish processes to monitor your network for suspicious behavior.


Using Data for Advancement


Collected data is only valuable if it’s used for a purpose. One of the most popular uses of organizational data is for development. You can’t control people’s ability to give—but you can control how you use data to make decisions regarding your advancement.


Revamp your advancement strategy to focus on assessing your most connected donors and how you have engaged them.


Gauge donor giving capacity. Analyze alumni data and external sources, such as tax filings, home values, and other assets—then assign “wealth scores.” Once you’ve assembled data or scores on wealth and involvement, have staff members work on your top and bottom groups separately.


Look for differences. Organizations should record more than just donations in their fundraising databases. Review data to see which events your supporters attend, whether they volunteer or serve on committees, and how they give to other charities.


Identify loyal donors. The traits and behaviors that predict who is most likely to give a significant gift vary. Use data to identify loyal donors, even if their contributions aren’t substantial gifts.


Review of FERPA Regulations—Dos and Don’ts for Fundraising


Family Educational Rights and Privacy Act (FERPA) protects student education records’ privacy in the United States. The law applies to all schools that receive funds under the U.S. Department of Education’s applicable program. FERPA applies to any public or private elementary, secondary, or post-secondary school and any state or local education agency that receives funding under appropriate U.S. Department of Education programming.


FERPA allows “school officials” access to a student’s education records without consent if the official has “legitimate educational interests” in the information.


To prevent breaching FERPA, your organization’s disclosure should define “school official” and “legitimate educational interests” in a way that includes fundraising—disclosing types of information that are shared (name, address, date of birth, degree information, athletic team participation, etc.).


Fundraising departments are allowed to be in contact with campus partners, including admissions. These information transfers should happen only after a student has accepted their offer of admission. This is because parent prospecting and alumni fundraising are not problematic once the applicant is officially a student. But the data transfer should only include basic personally identifiable information.


Education Records


Education records include records—whether handwriting, print, computer, videotape, audiotape, film, microfilm, microfiche, or e-mail—of an institution that contains information directly related to the student.


Education records do not include:


  • medical records;
  • employment records (when employment is not contingent on being a student);
  • law enforcement records;
  • alumni records; and
  • parents’ or eligible students’ rights.


Schools must have written permission from the parent or eligible student to release any information from a student’s education record. Schools that fail to comply with FERPA risk losing federal funding.


How FERPA Helps


FERPA gives parents certain rights regarding their student’s education records. These rights transfer to the student when a student reaches the age of 18 or attends secondary education.


Current regulations exclude records with information about an individual once they become an alumnus. Schools must be cautious not to mistakenly interpret this provision to mean any document created or received by the institution after a student is no longer enrolled—regardless of the subject matter—because it is not an educated record under FERPA, whether they were created or received by the institution.


Parent Rights


Parents or eligible students have the right to inspect and review the student’s education records maintained by the school. Schools are not required to provide copies of records unless parents or eligible students can’t review them.


Schools must have written permission from the parent or eligible student to release any information from a student’s education record. However, FERPA allows schools to disclose those records, without consent, to the following parties or under the following conditions:


  • school officials with legitimate educational interest;
  • other schools to which a student is transferring;
  • specified officials for audit or evaluation purposes;
  • appropriate parties in connection with financial aid to a student;
  • organizations conducting certain studies for or on behalf of the school;
  • accrediting organizations;
  • to comply with a judicial order or lawfully issued subpoena;
  • appropriate officials in health and safety emergencies; and
  • state and local authorities within a juvenile justice system.


Schools may disclose, without consent, “directory” information such as a student’s name, address, telephone number, date and place of birth, honors, awards, and attendance dates. But schools must tell parents and eligible students about directory information and allow them to refrain from disclosure.


Parents and eligible students must be notified annually of their rights under FERPA. Communication can be completed through a letter, school bulletin, student handbook, or newspaper article—the method of communication is at the school’s discretion.


Unintentionally Violating FERPA


Carelessly disposing of old student records indirectly violates FERPA.


Under FERPA, schools are responsible for how vendors use data. That means that if a vendor unintentionally misuses a student’s education records, the school will be found at fault. This also includes online fundraisers.


Know when to release and withhold records. It is a violation of FERPA if schools deny parents access to student records if they are under the age of 18.


Proceed with caution when talking about student-related information that you may have experienced indirectly. For example, teachers can speak about a student incident if they witness it firsthand. But if a senior administrator reads a report about that incident, the senior administrator cannot talk about it publicly. These concepts apply to social media usage.


Here are some other dos and don’ts when it comes to FERPA and fundraising.


Do understand the difference between a directory and non-directory information, but don’t make this information available to the public.


Do know students can grant written consent, but don’t disclose non-directory information without student written consent.


Do check for a FERPA restriction before communicating directory information, but don’t disclose the information if that student has a FERPA restriction.


Do understand parents can receive non-directory information in cases of emergencies, but don’t share non-directory or non-public directory information with parents if the student is over the age of 18 without written consent.


Do use blind carbon copy (bcc) when electronically communicating with multiple students, but don’t use carbon copy (cc) with numerous students, parents, or constituents.


To make sure your FERPA disclosures are inclusive, contact your admissions office or legal counsel.

Review of HIPAA Regulations—Dos and Don’ts for Fundraising


Health Insurance Portability and Accountability Act (HIPAA) aims to protect the confidentiality and security of information. The Privacy Rule component of the law establishes national standards to protect individuals’ records and other personal health information—setting limits and conditions on how organizations will use the information without a person’s authorization, including usage for fundraising.


Updated HIPAA regulations were released in 2013, clarifying the rules fundraisers must follow to comply with the statute. Fundraisers need to revisit these modifications to ensure proper adherence.


HIPAA requirements apply to different situations, and without the proper knowledge and approach, it’s easy to make common mistakes. Here is a review of the HIPAA regulations as it relates to the dos and don’ts fundraising.


Information Available to Fundraisers


Organizations can target their fundraising based on the nature of the services a person received or their physician’s identity. The personal health information that can be used for fundraising purposes includes:


  • patient demographic data (name, address, phone/email, date of birth, age, gender, etc.).
  • health insurance status;
  • dates of patient services;
  • general type of department in which a patient is serviced;
  • treating physician information;


Information requiring written authorization before fundraising use may include:


  • diagnosis;
  • nature of services; and
  • treatment.


The Rule for Supporting Foundations


If an institutionally related foundation conducts fundraising activity, a business associate agreement with its health care provider for the use of patient information is not required due to its direct supporting relationship.


Consultants on a retainer or other external fundraising vendors who will be granted access to patient information must agree with the health care provider on file.


Notification Practices


Before using information for fundraising purposes, a HIPAA-covered entity’s Notice of Privacy Practices must state organizations may contact the patient for fundraising efforts. The patient can opt-out of receiving any fundraising communications.


You must provide this Notice to the patient in advance of receiving care.


It is important to remember that patients have the right to opt out. Health care providers and supporting foundations legally must include a provision in all fundraising communications (including telephone and face-to-face solicitations). The provision must state the patient has the right to opt-out of future solicitations and must:


  • identify any conspicuous part of the materials sent to the patient;
  • describe how your organization may use information;
  • be written clearly, in plain language; and
  • include a simple, not burdensome means to opt-out from receiving further fundraising communications.


Segment your opt-out options so patients can elect to opt-out of campaign-specific or all future fundraising communications. It’s important to note that the opt-out does not lapse.


Here are some dos and don’ts of fundraising when it comes to HIPPA compliance.


Do: Conduct a Thorough Risk Analysis


Some of the most significant HIPAA penalties are because of failure to conduct a thorough risk assessment. Violations related to inadequate risk assessments fall under the most severe Willful Neglect tier of penalties. Every organization that creates, receives, maintains, or transmits private health information must conduct an accurate and thorough HIPAA risk assessment to comply with the HIPAA Security Rule.


Don’t: Ignore Social Media Usage.


Most people (if not all) are active on social media in some capacity. People use social media differently, especially regarding HIPAA’s primary objectives. Too often, social media encourages the careless sharing of data. HIPAA regulations strive to keep personal health information as confidential as possible.


Do: Perform Regular Self-Audits


Conduct periodic self-audits as recommended by the National Institute of Standards and Technology (NIST)—it’s proven to be one of the most effective HIPAA compliance tools.


Self-audits tend to focus on HIPAA Security Rule compliance—covering technical, administrative, and physical safeguards related to personal health information. Audits can include issues within the Privacy Rule.


Don’t: Forget Your Employees.


Internal issues related to HIPAA compliance are a common mistake when it comes to not-compliance. Often, employees fail to ensure that all third-party vendors, contractors, and business associates handle sensitive information appropriately. Third-party HIPAA compliance was a focus of the 2013 HIPAA Omnibus Rule. Entities should work with vendors to ensure that private health information is secure.


Do: Have a Training Plan


The HIPAA Privacy Rule and the HIPAA Security Rule have training requirements, including the mandate that both covered entities and business associates provide regular training to their workforce members who handle private health information.


HIPAA doesn’t specify the length and topics required, but the Privacy Rule states that training must be as necessary and appropriate for the workforce members to carry out their functions.


These functions can vary, especially regarding fundraising. Create a targeted training plan to ensure your organization remains HIPAA compliant.


Do: Have a Contingency Plan


Organizations and covered entities must ensure they have a current HIPAA contingency plan to prepare for adverse events that could affect private health information. Events could include a physical burglary, natural disaster, or cybersecurity attack.


Your contingency plan will depend on your risk assessment and analysis—addressing the most prominent threats to your private health information. Establish specific guidelines and procedures to follow, including things like systems and data recovery.


Don’t: Tackle Compliance Alone


You can’t achieve HIPAA compliance single-handily. If necessary, work with an outside expert or consultant to develop a comprehensive risk assessment, create an effective training plan, and identify potential cyber vulnerabilities.


At the very least, enlist a compliance partner at the beginning stages of the preparation for HIPAA compliance.

Data Security: A Primer for Advancement Leadership

Data security is critical to making sure that vital information from your organization is not easily accessible, but maintaining data security isn’t easy. In fact, there have been 540 data breaches this year.


That’s 163,551,023 people affected in 2020 so far by breaches in data security. Let’s dive into this critical topic as more and more workers and students sign in online every, single day.

Top 6 Causes of Data Breaches

To increase your knowledge about data security, here are the top causes of data breaches.

1. Weak and Stolen Credentials

Passwords that are cracked through brute force algorithms are a main cause of data breaches, but so are stolen passwords.


To keep your passwords safe, make sure that you’ve made them complex enough to render them “unhackable”. You can randomly generated passwords and manage them with tools like LogMeOnce or LastPass. Extra points for a combination of upper and lowercase letters, numbers, and special characters.

2. Application Vulnerabilities

Hackers find the technical vulnerability in a software and then exploit it. Before using or launching a new application, make sure your team tests it for vulnerabilities and finds ways to patch those security threats. This includes applications that house your constituent data, like your Advancement CRM database.

3. Malware

“Malware” is short for “malicious software.” It describes a variety of threatening methods that are designed to infiltrate and damage, disrupt, or hack a device. For example, think of viruses, worms, ransomware, and Trojan Horses. You don’t want to be on the receiving end of malware.

4. Malicious Insiders

Taking care of your employees so that they don’t become a future risk to your institution is important, but so is screening out those who seem predisposed to betraying their employer. Malicious insiders are the employees who have access to sensitive information and then purposefully commit a data breach to harm the institution. Better hiring and screening processes, along with maintaining a good organizational culture and robust employee training programs, can help prevent these insiders from coming on board and wreaking havoc from within the organization.

5. Insider Error

Employees who do not have malicious intent but commit a data breach by mistake are also a threat. These employees may not be aware they’ve done anything wrong, but one accidental keystroke can cause a serious data breach.


For these employees, it’s important to remind them to take more care with their work and to encourage them to be transparent when they’ve made an error. Employee training is a crucial step to prevent these errors. Together, you can grow and learn, ultimately stopping similar mistakes from happening.

6. Physical Theft

Theft of a device that holds your institution’s sensitive information falls under this category. To prevent these breaches, you may want to take extra care in where you physically store this information—consider using a safe or a security system.

Why Preventing Data Breaches Is Important

Data breaches are preventable. In fact, 4 of the 6 causes of data breaches can be prevented based on changing human behavior. This means that every staff member in Advancement can be a part of the solution.

How To Prevent Data Breaches

There are several measures you can take to prevent data breaches.

Security Policy Training and Education: Setting The Standard

When you’re creating your security policy training and pulling together your educational materials, it’s important to clearly set the standard. When you’re completing this step, it helps to ask yourself and your colleagues the following questions:

  • What is the policy?
  • Why is it beneficial to the organization?
  • How does a security breach impact Advancement?
    • By making a breach relevant to Advancement itself, you’re adding a sense of urgency for employees to comply.

You’ll also want to discuss examples of behaviors that adhere to the policy and examples of behaviors that would violate the policy. By giving employees clear examples, you’re ensuring that they’ll fully understand what does and does not constitute a data breach.

Advancement Leadership as Security Champions: Lead by Example

As a leader in your Advancement team, you must champion the cause to protect sensitive information and build confidence with your donors and supporters. Give periodic Executive Briefings on the key points below:

  • Know what data you have, including its:
    • Location (is it in an on-premise data center, is it vendor-hosted, is it in a storage room, or is it in Mike’s desk drawer?)
    • Format (is the data in a digital copy or a hard copy?)
    • Volume (how much data is there, really?)
    • Classification (whether the data is sensitive or confidential)
  • What potential vulnerabilities exist based on the data you have, the software you’ve used, and access you’ve given staff members?
    • Map these vulnerabilities out and identify them, before a breach occurs.
  • What plans are in place to reduce the vulnerabilities your company has? Are they working? (Tip: If they’re not working, brainstorm ways to improve.)

Communication Plan for Data Breach

Have your plan ready before a data breach occurs. Establish a communication plan such that you and your leadership team can be immediately informed if there is a threat or possible threat of a data breach. Creating a data breach task force or committee can also help streamline that process internally. Determine how you will communicate to your constituents.

Performance Evaluations: Enforce Security Policies

You can’t simply rely on IT to be the sole security watchdog for your organization. By the time they are even aware of staff behavior that has compromised the organization, that door may have been open for months. Staff should be evaluated on a consistent and measured basis.

Data Security: Final Thoughts

Assessment of your Advancement team’s Data Security requires a 360-degree look into how your institution is performing, the vulnerabilities that exist, and ways that existing processes can be refined to prevent future data breaches.


When you’re trusting employees with sensitive data, remember—human error can and will happen, but with the right precautions, you’re taking safeguards to prevent future accidental breaches from happening again.


Malicious actors also exist, but again—with the right measures, you’re taking steps to prevent them from hacking into or stealing your data.

A Promise of Accurate and Reliable Data – Learn How!


The promise of having accurate and reliable data is often made as a part of the implementation of a new CRM (constituent relationship management) software. It is that promise that often keeps every VP of Advancement/Development Services up at night trying to figure out how to miraculously transform over 10 years worth of information plagued by human error and evolving data entry procedures into something that is pristine, free of duplicates, and meaningful for all users. So why do we even take this on? Accurate and reliable data is critical to user adoption. There is no way of achieving all of the benefits that were listed in the project charter for this multi-million dollar system if no one uses it. So let’s take a look at how we can fulfill on this promise…


Continue reading “A Promise of Accurate and Reliable Data – Learn How!”