Not-for-profit organizations safeguard a diverse and vast array of data, from beneficiary stats to donor details. As a result, it's imperative to identify and protect important data, ensuring it's compliant with regulations and safe from unauthorized access or leaks.
While personal information once meant specifics like driver's license numbers and bank details, the introduction of the General Data Protection Regulation (GDPR) in 2018 broadened the definition of what needs protection to include any data that could feasibly be used to identify a person (e.g., an IP address, religious affiliation, race, gender, etc.).
Although GDPR was established as a comprehensive data protection law enacted by the European Union (EU), its reach extends worldwide, meaning a broader spectrum of data now demands more careful protection under privacy laws.
In the United States, 13 states have created data privacy laws, including California, Texas and Virginia. While they echo the GDPR in many aspects, nuanced differences exist, presenting not-for-profits with the challenging task of ensuring uniform compliance across the board.
The first step toward strong data privacy management is creating a data map.
Charting a Data Map
Not-for-profits navigating privacy compliance can benefit from crafting a comprehensive data map. Creating a data map involves pinpointing and documenting how data enters, moves through and exits an organization, which is instrumental in managing data effectively and ensuring compliance with privacy regulations like GDPR. A data map connects each business process, the personal information elements it acts on, and the applications or systems where that data is processed and stored.
Organizations should identify the types of personal data they hold and understand its flow across various departments, including how it's accessed, processed and stored. Engaging with stakeholders from each department to chart how data moves through their work will improve the accuracy of the map.
Think of it this way: The human resource hiring process includes sensitive information like addresses or phone numbers on resumes and Social Security numbers, which can move through emails and online forms. Your data map should clearly show this path, ensuring you can locate and manage that data effectively when you receive a "Data Subject Access Request" from an individual who wants to know what information you hold and may ask that all of it be deleted.
Utilizing "data discovery" tools can be advantageous in mapping, enabling organizations to automatically identify personal information across the enterprise, visualize data flows, identify potential vulnerabilities and support more informed decision-making regarding data protection strategies and policy development.
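The following is an added illustration, not code from the original article or from CBIZ, of the data map described above as a machine-readable record (process, personal information element, system, channel) so that a Data Subject Access Request can be scoped and risky flows surfaced. The hiring and donation flows, system names and channel policy are constructed sample data.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Flow:
    """One hop of a personal-information element through the organization."""
    process: str   # business process that acts on the data (e.g. "hiring")
    element: str   # personal-information element (e.g. "ssn")
    system: str    # application or store where the data is processed/stored
    channel: str   # how the data reaches that system (email, web form, ...)


# Constructed sample data map mirroring the hiring example in the article,
# plus a donation process so the map spans more than one department.
DATA_MAP = [
    Flow("hiring", "home_address", "applicant_tracking", "web_form"),
    Flow("hiring", "phone_number", "applicant_tracking", "web_form"),
    Flow("hiring", "home_address", "hr_mailbox", "email"),
    Flow("hiring", "ssn", "hr_mailbox", "email"),
    Flow("hiring", "ssn", "payroll", "internal_transfer"),
    Flow("donations", "email_address", "crm", "web_form"),
    Flow("donations", "bank_account", "payment_processor", "api"),
]


def systems_holding(data_map, element):
    """Every system that stores or processes a given element (DSAR locate step)."""
    return sorted({f.system for f in data_map if f.element == element})


def dsar_scope(data_map, processes):
    """Systems to search, and which elements to look for in each, when a person
    interacted with the organization through the given processes."""
    scope = {}
    for f in data_map:
        if f.process in processes:
            scope.setdefault(f.system, set()).add(f.element)
    return {system: sorted(elems) for system, elems in sorted(scope.items())}


def risky_flows(data_map, approved_channels):
    """Flows that carry an element over a channel not approved for it.
    approved_channels maps element -> set of channels; "*" is the default."""
    default = approved_channels.get("*", set())
    return [f for f in data_map
            if f.channel not in approved_channels.get(f.element, default)]
```

Running `risky_flows` with a policy that forbids Social Security numbers over email flags the hr_mailbox hop, which is exactly the kind of path the article says a data map should make visible.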
Choosing Resources to Ensure Compliance
As organizations navigate the complexity of various compliance requirements, a framework like ISO 27701 can help simplify the management of regulations by providing a unified approach to handling information security and privacy. ISO 27701 is a privacy extension to ISO 27001, providing guidelines for implementing a privacy information management system to safeguard personally identifiable information.
Additionally, SOC 2 incorporates a strong privacy component that can serve as a supportive framework to enhance data security throughout an organization's processes. Both ISO 27001 and SOC 2 underscore the significance of protecting sensitive information and can act as blueprints for organizations to build and operate robust and attestable information security and privacy programs.
It's also important to designate someone in your organization who will be specifically responsible for overseeing legal and compliance issues and staying alert to regulatory updates, ensuring your not-for-profit remains protected as the environment evolves.
Lastly, you must remember that data privacy is not just an in-house matter; your privacy program must address vendors and other external partners accessing, storing or processing personal information on your behalf. You will need to evolve your third-party risk management programs to address privacy.
At CBIZ, our cybersecurity team is available to help you with data privacy and setting up frameworks like ISO 27001, ISO 27701 or SOC 2. We're prepared to assist you in managing and protecting your data efficiently and effectively. For more information, connect with one of our professionals today.
Copyright © 2023, CBIZ, Inc. All rights reserved. Contents of this publication may not be reproduced without the express written consent of CBIZ. This publication is distributed with the understanding that CBIZ is not rendering legal, accounting or other professional advice. The reader is advised to contact a tax professional prior to taking any action based upon this information. CBIZ assumes no liability whatsoever in connection with the use of this information and assumes no obligation to inform the reader of any changes in tax laws or other factors that could affect the information contained herein.
CBIZ MHM is the brand name for CBIZ MHM, LLC, a national professional services company providing tax, financial advisory and consulting services to individuals, tax-exempt organizations and a wide range of publicly traded and privately held companies. CBIZ MHM, LLC is a fully owned subsidiary of CBIZ, Inc. (NYSE: CBZ).