Data Privacy and Security—Classifying Data for Advancement

 

Data is a significant asset to your organization. It can provide a wealth of information about donors. A growing number of organizations are using data analytics to determine which supporters are most likely to make a significant gift or donate in response to their campaigns.

 

Data privacy is more important than ever before, especially in today’s digital economy, and organizations should review their data, privacy policies, and procedures. Below are the main types of data privacy and security concerns and how to classify data for advancement.

 

What is Confidential Data?

 

Any data or information that is protected by laws, regulations, or industry standards is considered confidential. Confidentiality is the need to strictly limit access to data to protect organizations and individuals from loss. Confidential data can also be defined as information that could cause harm to an individual or an organization if it is inappropriately accessed.

 

Data Privacy

 

Data privacy (information privacy) is a branch of data security that deals with the proper handling of data, specifically consent, notice, and regulatory obligations. Practical data privacy concerns are affected by several factors:

 

  • whether (or how) data is shared with third parties;
  • how information is legally collected or stored; and
  • regulatory restrictions.

 

One important aspect of data privacy is transparency. Organizations must disclose how they request consent, abide by their privacy policies, and manage the data they’ve collected. Ask questions to understand your organization’s stance on data privacy.

 

  • What data is to be collected?
  • How long will it be kept, and does that comply with the laws?
  • Is there limited data access that is monitored, or is that data openly available?
  • What measures will be taken to protect data?
  • Is the planned use of the data aligned with why it was collected?

 

Data Security vs. Data Privacy

 

Simply keeping sensitive data secure may not be enough to comply with data privacy regulations. Data security protects data from compromise, whereas data privacy governs how data is collected, shared, and used.

 

If you’ve worked to secure data—implementing encryption, restricting access, and overlapping monitoring systems—but your organization collected the data without proper consent, you could be violating data privacy regulations.

 

You can have data security without data privacy, but you cannot have data privacy without data security. Train employees to understand the difference. Include processes and procedures necessary to ensure the proper collection, sharing, and use of sensitive data as part of a data security portfolio.

 

Sensitive Data

 

Sensitive data is any information that needs to be protected—often dependent on the nature of the business conducted by an organization and, even more so, the responsible governing body.

 

What is Considered Sensitive Data?

 

The categories of sensitive data vary based on the privacy laws that apply to an organization.

 

For example, a healthcare organization will need to adhere to Health Insurance Portability and Accountability Act (HIPAA) privacy rules. In contrast, an educational institution will have to adhere to regulations such as the Family Educational Rights and Privacy Act (FERPA).

 

Sensitive data includes any information such as:

 

  • personal data, or data that can be used to identify an individual—including customer and employee data;
  • financial data such as bank account or credit card information; and
  • intellectual property or proprietary information such as software code.

 

Personal Data

 

Personal data, also known as Personally Identifiable Information (PII), is any information used to identify a specific individual. The protection of personal data has become increasingly important due to regulations that aim to protect individuals with regard to the processing of their personal data. This has only become more prevalent as cyberattacks continue to evolve.

 

More frequently, organizations are being held responsible for how they process and secure sensitive data to prevent exposure and risk.

 

Cybersecurity Risk

 

Cybersecurity threats and data breaches have become the rule rather than the exception for organizations. Do you have data protection policies and the necessary procedures in place to guard against this threat?

 

Your organization must carefully handle sensitive data to avoid disclosure or data breach. The potential damage from a data breach goes beyond tarnishing your organization’s reputation. Your organization can be legally liable if you fail to comply with data privacy laws—which can come with exorbitant fines and penalties.

 

Protect sensitive data with cybersecurity best practices.

 

  1. Establish a data protection policy.
  2. Create a comprehensive and up-to-date inventory of sensitive data.
  3. Develop guidelines for assessing and maintaining privacy and confidentiality of data on all systems.
  4. Communicate your organization’s data security policies to staff members.

 

Go a step further and implement basic strategies for preventing data theft.

 

  1. Don’t open unsolicited email attachments or unknown files.
  2. Educate staff to identify and prevent phishing.
  3. Require strong passwords for each employee, and insist they are changed regularly.
  4. Establish processes to monitor your network for suspicious behavior.

 

Using Data for Advancement

 

Collected data is only valuable if it’s used for a purpose. One of the most popular uses of organizational data is for development. You can’t control people’s ability to give—but you can control how you use data to make decisions regarding your advancement.

 

Revamp your advancement strategy to focus on assessing your most connected donors and how you have engaged them.

 

Gauge donor giving capacity. Analyze alumni data and external sources, such as tax filings, home values, and other assets—then assign “wealth scores.” Once you’ve assembled data or scores on wealth and involvement, have staff members work on your top and bottom groups separately.

 

Look for differences. Organizations should record more than just donations in their fundraising databases. Review data to see which events your supporters attend, whether they volunteer or serve on committees, and how they give to other charities.

 

Identify loyal donors. The traits and behaviors that predict who is most likely to give a significant gift vary. Use data to identify loyal donors, even if their contributions aren’t substantial gifts.

 

Data Security: A Primer for Advancement Leadership

Data security is critical to making sure that vital information from your organization is not easily accessible, but maintaining data security isn’t easy. In fact, there have been 540 data breaches this year.

 

That’s 163,551,023 people affected in 2020 so far by breaches in data security. Let’s dive into this critical topic as more and more workers and students sign in online every single day.

Top 6 Causes of Data Breaches

To increase your knowledge about data security, here are the top causes of data breaches.

1. Weak and Stolen Credentials

Passwords that are cracked through brute-force algorithms are a main cause of data breaches, but so are stolen passwords.

 

To keep your passwords safe, make sure that you’ve made them complex enough to render them “unhackable.” You can use randomly generated passwords and manage them with tools like LogMeOnce or LastPass. Extra points for a combination of upper and lowercase letters, numbers, and special characters.

2. Application Vulnerabilities

Hackers find a technical vulnerability in a piece of software and then exploit it. Before using or launching a new application, make sure your team tests it for vulnerabilities and finds ways to patch those security threats. This includes applications that house your constituent data, like your Advancement CRM database.

3. Malware

“Malware” is short for “malicious software.” It describes a variety of threatening methods that are designed to infiltrate and damage, disrupt, or hack a device. For example, think of viruses, worms, ransomware, and Trojan Horses. You don’t want to be on the receiving end of malware.

4. Malicious Insiders

Taking care of your employees so that they don’t become a future risk to your institution is important, but so is screening out those who seem predisposed to betraying their employer. Malicious insiders are the employees who have access to sensitive information and then purposefully commit a data breach to harm the institution. Better hiring and screening processes, along with maintaining a good organizational culture and robust employee training programs, can help prevent these insiders from coming on board and wreaking havoc from within the organization.

5. Insider Error

Employees who do not have malicious intent but commit a data breach by mistake are also a threat. These employees may not be aware they’ve done anything wrong, but one accidental keystroke can cause a serious data breach.

 

For these employees, it’s important to remind them to take more care with their work and to encourage them to be transparent when they’ve made an error. Employee training is a crucial step to prevent these errors. Together, you can grow and learn, ultimately stopping similar mistakes from happening.

6. Physical Theft

Theft of a device that holds your institution’s sensitive information falls under this category. To prevent these breaches, you may want to take extra care in where you physically store this information—consider using a safe or a security system.

Why Preventing Data Breaches Is Important

Data breaches are preventable. In fact, 4 of the 6 causes of data breaches can be prevented by changing human behavior. This means that every staff member in Advancement can be a part of the solution.

How To Prevent Data Breaches

There are several measures you can take to prevent data breaches.

Security Policy Training and Education: Setting The Standard

When you’re creating your security policy training and pulling together your educational materials, it’s important to clearly set the standard. When you’re completing this step, it helps to ask yourself and your colleagues the following questions:

  • What is the policy?
  • Why is it beneficial to the organization?
  • How does a security breach impact Advancement?
    • By making a breach relevant to Advancement itself, you’re adding a sense of urgency for employees to comply.

You’ll also want to discuss examples of behaviors that adhere to the policy and examples of behaviors that would violate the policy. By giving employees clear examples, you’re ensuring that they’ll fully understand what does and does not constitute a data breach.

Advancement Leadership as Security Champions: Lead by Example

As a leader in your Advancement team, you must champion the cause to protect sensitive information and build confidence with your donors and supporters. Give periodic Executive Briefings on the key points below:

  • Know what data you have, including its:
    • Location (is it in an on-premises data center, is it vendor-hosted, is it in a storage room, or is it in Mike’s desk drawer?)
    • Format (is the data in a digital copy or a hard copy?)
    • Volume (how much data is there, really?)
    • Classification (whether the data is sensitive or confidential)
  • What potential vulnerabilities exist based on the data you have, the software you’ve used, and access you’ve given staff members?
    • Map these vulnerabilities out and identify them, before a breach occurs.
  • What plans are in place to reduce the vulnerabilities your company has? Are they working? (Tip: If they’re not working, brainstorm ways to improve.)

Communication Plan for Data Breach

Have your plan ready before a data breach occurs. Establish a communication plan such that you and your leadership team can be immediately informed if there is a threat or possible threat of a data breach. Creating a data breach task force or committee can also help streamline that process internally. Determine how you will communicate to your constituents.

Performance Evaluations: Enforce Security Policies

You can’t simply rely on IT to be the sole security watchdog for your organization. By the time they are even aware of staff behavior that has compromised the organization, that door may have been open for months. Staff should be evaluated on a consistent and measured basis.

Data Security: Final Thoughts

Assessment of your Advancement team’s Data Security requires a 360-degree look into how your institution is performing, the vulnerabilities that exist, and ways that existing processes can be refined to prevent future data breaches.

 

When you’re trusting employees with sensitive data, remember that human error can and will happen, but with the right precautions, you’re putting safeguards in place to keep accidental breaches from happening again.

 

Malicious actors also exist, but again—with the right measures, you’re taking steps to prevent them from hacking into or stealing your data.