Specialist Brenda Mainland provides a valuable set of questions that all organisations should be asking themselves, to ensure they are protected and protecting their stakeholders in a changing environment around privacy regulation.
Years ago, our mantra in research was “if in doubt, collect the data”. That meant not only an individual’s name, email address, phone number and organisation, but also things like age, gender, location, profession, and sometimes a whole heap of other things. Why did we do that? Our answer was always “just in case”. In case we needed it later, in case we wanted to use it for segmentation, in case… well… just in case. Not today, however.
With increasing scrutiny on personal information, privacy and data security, and with privacy regulations being changed and strengthened across the world, organisations are quite rightly becoming increasingly concerned about the burden of compliance. This is largely because Europe’s General Data Protection Regulation (GDPR) is now in effect. But it is also exacerbated by other new global privacy regulations that are modelled on GDPR, such as changes to laws in Australia and Japan, and the new California Consumer Privacy Act (CCPA).
So to go back to our mantra, we now champion “data minimisation”. If you’re not going to use it for the specific objective or project you are contemplating, don’t collect it. The more information about a person you collect and hold, the more easily identifiable they are, and the greater the risk of exposure in the event of a data breach.
You may be thinking “so what?”. A lot of not-for-profit organisations are not required to comply with the Australian Privacy Act (1988), because most businesses with an annual turnover of less than $3 million are exempt. However, regardless of whether you have to comply, you should be considering the reputational damage and the associated risks should your organisation breach an individual’s privacy.
My business had to confront changing and strengthening privacy regulations recently when we acquired a European customer. We needed a complete rewrite of our privacy policy and terms of use and all the associated processes and procedures to comply with Europe’s GDPR.
And that got me thinking about what all the new and changing privacy regulations mean for the not-for-profit sector.
So to help you start to think about data and privacy, and based on my experience, here are some questions to ask yourself about data and your compliance with privacy regulations. I preface however, that I am not a lawyer, so your organisation needs to seek your own legal advice about collection, use and storage of information or data you collect from customers, subscribers, supporters, members, donors and other stakeholders.
DATA STORAGE
- Do you know where the data you collect is stored? This means knowing in which country the data is housed and/or backed up. For example, many free survey instruments in popular use store the data in the USA.
- Does your privacy policy specifically outline what you do with any personal information you collect and hold? Are you always collecting and storing the information you collect in accordance with your policy?
- What do the privacy policies of the third party organisations you use to collect information say about the use and storage of personal information? This extends to third party survey software, database and CRM vendors.
Personal information includes all of the usual things like name, address, phone number, email address etc., but can also extend to IP addresses. Having researched many survey software applications, I know that IP addresses are automatically and routinely collected in all survey instruments unless you specifically turn that function off.
DISCLOSURE AND DE-IDENTIFICATION
- When collecting data, particularly through survey instruments, do you provide sufficient information to participants about how you intend to use and store the information they provide?
- How long will you keep the data you collect?
- How do you de-identify any personal information you hold? At what point do you de-identify the data?
- Do you have processes in place for individuals to access and/or correct any personal information you hold about them?
The answers to all of these questions should be part of your operational procedures and policies, and data security and privacy should always be a standing item on your risk register and the board and executive meeting agendas.
TOP THREE TIPS
- Understand the types of data, including personal information, that you are collecting. Make sure you are only collecting personal information that you have to have, and that you will use. If in doubt – don’t collect it.
- Understand where the data you hold is stored. Ensure you store your data in accordance with your policies, and regularly check that you are complying with regulations. Check third-party software providers’ policies about where and how they store and use data.
- Check your privacy policy and/or terms and conditions. Make sure it is up to date with current legislation, that everyone in the organisation understands the policies, and that you are dealing with personal information in the way that your policies outline.