How to protect donor data when working remotely

Donor data security

From the rising popularity of remote work to the introduction of artificial intelligence, how the average workplace operates has changed dramatically. For nonprofits, this means embracing flexible work environments, new productivity tools, and even decentralized workplaces with employees located across the world. 

While remote work environments offer many benefits, nonprofits adopting this approach also need to navigate challenges related to data privacy. With donor data, nonprofits can build relationships, run data-driven marketing campaigns, and reach new audiences. However, a data breach can be devastating to a nonprofit, especially when all of your operations are online. 

To help keep your donor data safe, this guide will explore how a remote work environment impacts data security and how you can safeguard your donors’ information.

Why keeping donor data safe matters

Nonprofits collect a range of donor information. 360MatchPro’s nonprofit data collection guide lists a few common types of data points most nonprofits gather:

  • Names
  • Geographic location
  • Demographic information
  • Contact details
  • Employment information 
  • Education level
  • Philanthropic history
  • Hobbies and interests 

This personal information traces back to specific individuals. If an organization fails to protect donors’ personal information, it may be subject to hefty financial penalties. 

For example, Cancer Care Group agreed to a $750,000 settlement after a remote employee lost a laptop and backup drive due to a car theft. The laptop contained more than 50,000 patients’ protected health information.

The Office for Civil Rights (OCR) determined that Cancer Care Group was in widespread non-compliance with the HIPAA Security Rule before the breach. Additionally, they failed to conduct an enterprise-wide risk analysis when the breach initially occurred, and the OCR found that Cancer Care Group did not have a written policy regarding removing hardware containing Protected Health Information (PHI) into and out of its facilities.

A similar settlement cost respiratory medical group Lincare almost $240,000. A remote employee breached the patient data of 278 patients by exposing and abandoning documents containing sensitive information. The court ruled that Lincare did not have adequate policies and procedures to safeguard patient information taken offsite, even though employees who worked in patients’ homes routinely removed patient data from Lincare’s offices.

The trouble didn’t end there for the company. Former Lincare employees also filed a class-action lawsuit against the business. The employees claimed negligence concerning personal information and noted that a Lincare data breach could result in identity theft.

Even if your nonprofit does not face lawsuits like these, a data breach can still harm your organization’s reputation. Fundraising trends for 2025 illustrate the increasing importance of building trust with donors. Improper data protection can damage these relationships, impacting your ability to retain donors, attract new ones, or continue normal operations.

How remote work can pose data security risks

Ultimately, any work environment without proper data security protocols is at risk of a data breach. However, remote operations face a few unique challenges that can make them more susceptible to data leaks. These include:

  • Extensive online databases. Storing donors’ personal information online allows your entire team to access it as needed to fulfill their daily tasks. However, this means your data may also be at risk of a data breach, and you must take proper security measures to prevent that from happening. 
  • Decentralized storage. Remote employees often have company property in their own homes. Unsecured property can lead to data breaches, such as the example from Cancer Care Group of a car break-in resulting in a stolen laptop that contained PHI.
  • Less oversight. Remote work allows employees to operate independently and manage their own schedules. This setup can be freeing to many remote workers and increase engagement. However, less oversight also raises the chances of employees making mistakes or acting maliciously, such as data exfiltration

However, despite its risks, collecting and sharing donor data is necessary for proper nonprofit management. Deep Sync explains how organizations gather different types of constituent data:

Types of data, listed out below.
  • First-party data is donor information your nonprofit collects. For example, you might analyze your website traffic to determine which social media platforms donors use to navigate to your site and likely use in their free time. 
  • Second-party data comes from other organizations working with yours. For example, a social worker might work with a hospital to share data when referring patients to create a cohesive experience for beneficiaries.
  • Third-party data comes from external providers. For instance, you may work with a data provider to append donor email addresses to your database. 
  • Zero-party data is information donors voluntarily share with your nonprofit. For example, a supporter provides their name and address when completing a donation form.

Whether it’s donors sharing personal information with your nonprofit or your nonprofit sharing it with another trusted organization, data sharing is normal. Just be sure your nonprofit takes proper measures to safeguard that information and prevent bad actors from accessing it.

How to safeguard your organization from data breaches

Below is a list of documentation requirements and preventative actions your organization should take to protect your donors’s sensitive information.

First and foremost, if anyone on your team is working offsite, create a set of security policies and procedures employees must be trained on and agree to follow. Use the following checklists to create these guidelines.

Equipment, software & hardware requirements

Create a list of your remote employees that specifies their technology and access levels. This list should include information such as who has access to your website’s password, who has permission to see personal information stored in your constituent relationship management system (CRM), and who possesses company technology. This basic step ensures that you can take proper accountability in the event of a data breach. 

From there, follow these steps:

  • Encrypt home wireless router traffic using WPA2-AES. This is a fairly standard configuration, and most routers come pre-configured.
  • Change default passwords for wireless routers to complex passphrases. This provides an extra layer of protection. Consider having employees download a password vault manager to create and organize their secure passphrases. 
  • Have IT configure all devices that access your network. Devices must be encrypted, password-protected, and installed with firewalls and anti-virus software.
  • Require employees to use a VPN when they access the organization’s Intranet remotely.
  • Encrypt all personal information before transmission. You can either do this through the organization’s Intranet or internal email encryption.
  • Encrypt and password-protect personal devices employees use to access personal information.

Have your IT department or vendor configure personal devices before allowing them access to the network. Specify what brands and versions of personal devices can access the company data.

Security and privacy requirements

While secure remote work software can protect against cyberattacks, many breaches are due to human error. For example, social engineering schemes that involve tricking employees into clicking malicious links are rampant and have negatively impacted many sectors, including nonprofits. 

Educate your employees about data security to prevent these situations by following these steps:

  • Employees should not allow any friends or family to use devices that contain personal information.
  • Have each employee sign a Confidentiality Agreement to ensure the utmost privacy when handling personal information.
  • Create a Bring Your Own Device (BYOD) Agreement with clear usage rules.
  • Employees who store hard copy (paper) personal information in their home office need a lockable file cabinet or safe to store the information.
  • Employees must use a shredder to destroy paper personal information once it is no longer needed. The organization needs to specify when employees can dispose of paper records.
  • Employees must follow the organization’s Media Sanitization Policy to dispose of all personal information or devices storing personal information.
  • Make sure employees disconnect from the company network when they finish working. Usually, IT configuring timeouts take care of this.
  • Employees cannot copy any personal information to external media not approved by the company. You may require all personal information to stay on the company network.
  • Keep logs of remote access activity and review them periodically. IT should disable any former employees’ accounts immediately after their departure. 
  • Mandate that any employees violating these procedures will be subject to the company’s Sanction Policy and/or civil and criminal penalties.

Remote employees aren’t exempt from following data security practices. It’s in your best interest to define all remote employee guidelines and ensure all signed documents involving remote work are up-to-date, signed, and safely stored.

From flexible work environments to data-driven fundraising campaigns, nonprofits can benefit from offering remote work and collecting extensive donor data. Just ensure your supporters’ data is kept safe by implementing proper security measures that limit both technical vulnerabilities and the potential for human error.

More Posts