T. Clay Buck and Ryan Woroniecki will show you how to safeguard your data, keep your donors happy, and protect yourself and your org.

Full Transcript:

Steven: All right. Ryan, Clay, I got 2:00 Eastern. Is it okay if I go ahead and get this party started?

Clay: Let’s do it.

Ryan: Get it going.

Steven: All right, awesome. Welcome everybody, happy Tuesday if you’re watching live. If you’re watching the recording, I hope you’re having a good day no matter where you are. We are here to talk about donor data privacy and security, specifically, doing what is right. We want to do what’s right for sure. I’m Steven and we’re here at Bloomerang, and I’m going to be moderating today’s discussion as always. And just a couple of quick housekeeping items, I just want to let you all know that we are recording this session and I’ll be sending out the recording as well as the slides later on this afternoon. So, if you got to leave early, maybe you missed something or just want to review the content later on, don’t worry, I’ll send you that recording later on today by email.

But, most importantly, please feel free to ask any questions you have throughout the hour. There’s a Q&A box, there’s a chat box, you can use either of those and we’ll keep an eye on them. We’d love to hear from you, don’t be shy, don’t sit on those hands. We’re going to save some time at the end for Q&A so don’t be shy at all. You can also send us a tweet, I’ll keep an eye on the Twitter feed as well but we’d love to hear from you, invite is open. Introduce yourself in the chat if you haven’t already because we’d love to know who we’re talking to as well.

And if this is your first Bloomerang webinar, I just want to say an extra special welcome to you, folks. We do these webinars a couple times a week now. We love doing them. We bring on great guests, today is no exception. Today might be a little more silly than normal but that’s okay, we love these webinars, my favorite thing we do. But if you never heard of Bloomerang, just for context, we are a provider of donor management software so check that out if you’re interested. Maybe you’re going shopping before the end of the year, visit our website. There’s all kinds of videos on there you can watch, you can check us out.

But don’t do that right now because you are in for a real treat over the next hour or so. I don’t know who allowed the three of us to get together on a webinar. This seems like it should be against the rules. It’s never been allowed at a conference but that’s okay, it’s my webinar series. My good friends and I sincerely mean that, these are my buddies for sure, Clay and Ryan joining us. Clay, you are in Las Vegas, you are a Las Vegan I just learned minutes ago. Yeah.

Clay: I am, I am.

Steven: Ryan from the Baltimore, D.C. area. You’re doing okay? How’s it going?

Ryan: Everything good. Everything is good. I ran out of coffee so I don’t know, it might get kind of rough. We’ll see.

Steven: That’s not good. I can’t help you but you should have planned better I guess I should say, Ryan. But let me brag on these guys here real quick. If you don’t know Clay, one of my good buddies. I mean what can I say about Clay, he’s the first person I look for to give a hug at at a conference whenever we are travelling which we’re not doing now. Check him out, he’s over at Tactical Fundraising Solutions, one of the smartest working fundraisers right now honestly. He’s been doing this many years. He just taught the CFRE class over the weekend, I mean what more do you need to know, and that’s hard core. Follow him on Twitter, he’s a master trainer, he’s a CFRE, and he’s on the Rogare board which is also a very big deal. I won’t go into the details there but take my word for it. Ryan from DonorSearch, what can I say about Ryan other than the fact that he’s a Bills fan which I have some problems with. He’s my go-to for all things Wealth Screening donor data research.

And these two, they got together and put together this awesome presentation they’ve been giving all over the place, and gracious enough to do it for us here over at Bloomerang. It’s a cool one. It’s timely. And I don’t want to take any more time away so I’m going to stop sharing my screen. I think, Ryan, you’re going to bring up the slides. I think you’re going to be the driver here. Let’s see if we can get it going here.

Ryan: I’m going to click that magical green button that lets me share.

Steven: The fun transition. Looks like it’s working.

Ryan: Tada.

Steven: Cool. And I’m going to pipe down so the floor is yours, my friends. Take it away.

Clay: Thanks, Steven.

Ryan: Thanks so much. Clay and I’m really excited to be here.

Clay: We are.

Ryan: Clay, we’ve been giving this session for . . .

Clay: Steven was talking, I think it’s a year and a half now. Yeah, yeah.

Ryan: Yeah. And, well, go ahead.

Clay: No. I mean this is, and folks as Steven said, it will be a little silly but this is how we do it, right? If you look back the first time we did this to what it is today, it’s kind of why we love the presentation is because it keeps evolving and the conversation keeps happening. So, yeah.

Ryan: Yeah. And for those of you watching, please, please, please, drop stuff into the chat. If we were in person, we would be pausing and looking at you, and calling on people. A little tougher here virtually so drop things into the chat and this way we can keep it light and keep you engaged.

Clay: We already got a few folks that are piping in saying, you know, they’re looking at their CRM and thinking about how they manage security. So, yay, like we’re set up for the right conversation. Yeah, yeah. So we’re ready, Ryan?

Ryan: Oh, yeah, we’re ready.

Clay: So, when Ryan and I started this conversation, it actually began with a tweet on prospect development and what you would share with the donor and the ethics of including information. And it has, again, it just evolved since that conversation because this conversation on data and privacy and how we manage data keeps evolving and growing. And I, for one, really believe this from Seth Godin. And if you’re not familiar with Seth’s work, it’s definite must for your fundraising library, a complete inspiration from his perspective. If anybody was at the AFP ICON two, three, four years ago, he was the keynote speaker. And [does affair 00:05:43], you can find his work on fundraising and talking about fundraising online. But he says, “We’re leaving the industrial economy and entering the connection economy.” And if we look at the proliferation of data and social, and everything that’s online, and even now more so, I mean we’re all on Zoom.

I’ve been on Zoom I feel like for a month solid so, right? The way we connect with each other in what we do is very, very different than it was, you know, 10 years ago, 15 years ago. Twenty-six years ago, when I started my career and where we’re still using carbon paper and 3 by 5 cards, how we approach it is very differently. So what do we mean, let us take a quick look to set us up here. What do we mean by the connection economy? Ryan, I just tried to move the slides because, you know, I’m a control freak and I can’t help it, forgetting that you had the thing. So I really like this definition from this website, payette.com. The connection economy rewards value created by building relationships and fostering connections, rather than assets and stuff, like the industrial economy. The industrial economy values more, better, faster, whereas the connection economy, and here’s the thing, builds on who you know, what you know, and how that knowledge influences your connections.

A quick side note, the last before I go too much further, the last time I did this presentation, one of the comments back was, “Why does Clay read the slides, we can read the slides.” I’m reading the slides for anybody that might have any accessibility issues or concerns in reading so I want to be sure to read out the words that are on it in case anybody is here focusing on hearing things. So we’ll read and comment both as we go. But this concept of the connection economy where really the value is far more on who we know and how we’re connecting to each other than on a specific commodity or a specific thing, or as this definition says, stuff. Think about, again, think about social media, think about digital platforms. Think about Zoom, how we are building those connections and interrelationships with each other digitally. Ryan, if you would, please, sir.

Ryan: Before I do, really quickly, we can’t skip one of the most important parts of this webinar. It’s the Legos, right?

Clay: Which is the Legos, yes.

Ryan: So the Legos, if you think about it, assuming, I hope everybody watching played with Legos at some point in their life, not kids, maybe in 10 when they hand out the Legos. The whole thought is a few Legos on their own really aren’t anything special. But being able to connect them and layer them on top of them, that’s what makes the cool thing. And so you’ll see throughout we . . . Legos in as a light, fun, and exciting way to keep the dialogue going.

Clay: Exactly. Exactly. So, in then, if we agree and let’s agree that we are living and working on fundraising in a connection economy, the data really is the most value and coveted asset. There are some analogies out there that talk about data as the new oil, right? If you know in an industrial economy, the fuel, right, the oil that drove that economy was the most value asset. There’s an interesting counter to that argument that says that analogy, it’s actually data is the new land and how important land is because you can’t access oil if you don’t have land rights. So an interesting way of looking at it and framing how we think about what donors are entrusting us with when they sign up for our newsletter or make a donation, or enter, however they come to us, however we connect with them. What they’re entrusting with us is it’s not just information, it is an asset that we need and that other people want. So I think Ryan is going to give us a little historical perspective on what we’ve seen in recent years.

Ryan: Yes. So talking about what some people have and what other people want, it’s that data. So there’s a lot of different things here that we’re looking at, mostly it’s logos of companies. And one of the things that they all have in common is they’ve been involved in where they had a data breach that has impacted consumers, donors, individuals. In all likelihood, most of you, if you look on the left-hand side, there’s that thing that says Equifax. So, back in 2017, Equifax, they let a few of their security licenses and a few other security measures just kind of lapse. They weren’t paying close attention and I think it was somebody from a government entity basically said that it was child’s play to go in there and access the data that they had. Pretty much anybody could have gone in and grabbed all the data which, if you think about it, Equifax, what do they do? They’re a credit company so they have your name, they have your date of birth, they have your social security number.

So that was one of the really big wake-up calls that security is no joke, it’s really important. And for us in the nonprofit sector, fairly recently we’ve all had this come to the forefront in light of the data breach that occurred at Blackbaud. And that’s kind of an ongoing evolving issue that we’re learning more of. But the important things here are not that these companies had data breaches, but it’s that it could happen to anyone and it’s the way in which these companies react hopefully ethically, transparently, and quickly that could allow them to retain your trust or could kind of start to alienate you. And, again, what happens to them is no different than what could happen to you if it is your donors, right? Think of anybody impacted by the Blackbaud breach, they should have been communicating that information with their donors. The quicker they did it, the more directly they did it, the better off they would be because ethically that’s the better thing to do.

Now, looking at all of those different breaches, if you look at this quote here, by some estimates, cybercrime is expected to globally cost up to $6 trillion annually. Losses of this scale put the incentives for innovation and investment at risk and it will be more profitable than the global trade of all major illegal drugs combined. So, if you ever thought, “Wow, there’s a whole bunch of people that died because of drug cartels,” that’s because it’s profitable. And this is more profitable than an industry that is that violent. So there’s a lot that you just want to consider to put it in perspective. Each day, the amount of money works out to about $16.4 billion. And each hour, we’re talking about $685,000. That’s what it costs because of people’s data being stolen. And the takeaway on this again is you should value your data, your donor data, your volunteer data that much because it’s that important to you. So to kind of walk through a little bit more, hey, what exactly are we talking about? We didn’t see an agenda slide, so where is this going?

Clay: Now that you’ve scared the heck out of us, Ryan, now that we’re all quaking, right?

Ryan: That’s right. There are solutions. Now that you’re awake, the goal is we want you to be aware of the things that you can do so that that stuff won’t happen to you. But you’ll see over here, we’ve got our Jedi saving us and protecting us. So we’re going to talk a little bit more about donors are data and we have to make sure that they trust us. We’re going to talk about the legal and ethical approach. They’re two different things, what is legally required of you is not necessarily what is ethically correct. And then we’ll start talking about the different steps that you can take in order to make sure that you have trust from your donors, which will mean ethically you’re doing the right things. And also from a legal perspective, make sure that you’re secure.

So, for those of you that can’t see the bullets at the bottom, we’ll highlight change the culture, data is an asset, be aware of the laws, so many laws, so many changes, policies and procedures, which one should you have, which ones do you have, and then leadership and governance, right, because the policies that you have it’s important that they make it all the way to the top of the organization.

One of the last things here, and this is great because it’s so easy to find a whole bunch of white people Legos but this is a nice diverse group where they’re all playing well together. You can see that they trust one another, right? The lady who’s up on the ladder, she’s being supported by somebody down at the bottom. For those of you that like to do housework alone on the second story, you really should always have somebody holding the ladder down below. And if you think about it, you’re not going to choose somebody that you don’t trust to hold that ladder. Really, no different than a donor isn’t going to choose an organization to invest in that they don’t think would do a good job of stewarding their funds to achieve their philanthropic goals. So the value of trust, transparency, and ethical relationship management is more critical than ever before, right? If we’re thinking about what we just highlighted with all the data breaches, that trust is so important.

And so talking about who Americans trust, right, now you’ll see this is specific to the U.S. There are other studies for other countries. So, for those of you in Canada and elsewhere, we’re not ignoring you. It’s just that this was the most readily available. We’re looking at an image that was referenced in Chronicle of Philanthropy article, and the link is down at the bottom for those of you that get the slides. And it’s, essentially, you survey hypothetically a hundred Americans. Out of those, 54 said, “Yeah, we trust businesses.” Fifty-two said, “Yeah, we trust nonprofits.” Forty-eight said, “Yeah, we trust the media.” And 40% said, “Yeah, we trust the government.” Now, it’s kind of sad that the numbers are that low and there really isn’t that much trust, but what one of the really scary things here folks is that people trust businesses more than nonprofits, right?

We all know that, yeah, okay, nonprofits are technically businesses but there’s a very different mission statement, right? I mean the mission of the business is essentially to make money regardless of all of the other things that it does. Whereas the mission of the nonprofit is we’re just in it for the social good. And the way things stand in the U.S. now is that people are more likely to trust Patagonia as a company than they are a random nonprofit just by a little bit which is really kind of sad. So, again, the important part is make sure that you’re communicating with them well and steering them along so that you garner their trust. With that, we’re going to pass this off to Clay just like the storm trooper is passing this egg off.

Clay: Yeah. And Nancy just asked a great question and we are going to talk about it a little further down the line, right, on actual implementation of how and who should have access to data and security protocols and all of that which is a major step in building the trust and the transparency. The more savvy donors gets and the more they pay attention to this the more it’s going to be absolutely critical for us that our policies and procedures, and knowing how we manage data and who has access to it and being able to articulate that is really, really clear to our donors. So, yeah, we’re going to talk about it in a little more specifics. But the process of building trust in a higher level of how ethics and trust tie together and repeat each other. It’s interesting, the number of academic studies and other studies on ethics.

And, you know, when we’re talking about ethics, we can go back for, you know, thousands of years to the earliest writings. So we’ve been trying to figure out what ethics means since then, right? And so definitions in how we define and how we look at ethics are open to as many interpretations as there are people. But in essence, at least for me, defining what ethics means and how we approach it. This is the higher level data management along with the specific protocols that, yeah, again we will talk about here in a little bit, right? But setting the grammar of understanding what ethics is or a couple of definitions here, ethics is based on well-founded standards of right and wrong that prescribe what humans ought to do, usually in terms of rights, obligations, benefits to society, fairness, or specific values. Okay. The BBC Center for Ethics defines it as at its simplest, ethics is a system of moral principles. They affect how people make decisions and lead their lives.

Ethics is concerned with what is good for individuals and society and is also described as moral philosophy. In a fundraising context, we look at ethics in that context of what should we do and what is the right thing to do here? Ryan kind of already addressed it a little bit and, you know, the right thing to do is communicate open, transparently, honestly with our donors. The right thing to do is have policies and procedures that clearly define how data is managed and how assets are managed. Particularly in light of the connection economy and where we live, and people want your data, it’s just as simple as that. If there is personal information attached, name, address, phone number is incredibly valuable to any marketer, let alone social security information, credit card information, payment information, all of that regardless of your size, regardless of what you think of the quality of your data, there’s somebody out there that wants it because they can sell it and make a buck.

If you’re on Twitter, Ryan and I spend a little too much time on Twitter. But if you’re on Twitter, this Twitter account is life-giving. We saw it and fell in love with it, and it ties right into what we’re talking about. The actual account is @EthicsinBricks and every day they post some sort of philosophical or ethical conundrum told in Lego. The other day it was the Myth of Sisyphus in Lego and it was brilliant, and they played into the whole, how it started and where it’s at now. And it was Sisyphus rolling up the rocks thing into place, but digress, a great account to follow.

So defining ethics but then how do we implement ethics and what are the . . . why, right? Why in fundraising, why in nonprofit management is ethics important to us? And it is, again, because of that accountability, because it helps us, I mean we are required in the nonprofit sector to be transparent. That is part of the mandate, that is part of the responsibility of carrying a 501 Certification is we are required to be transparent. So there’s the legal requirement but also the ethical requirement of taking that step further to do what’s right and being as fully and openly transparent as we can.

Transparency leads to public trust. So Ryan referenced that slide where 52% of Americans say that they do trust nonprofits. Flip that script and look at it from 48%, nearly half of Americans do not trust the nonprofit sector, that’s kind of scary especially if what we’re doing is out there for the common good, changing the world. This life-changing work that we all spend so much time and energy, and passion around, and merely half of the country doesn’t trust us to do it. Well, that’s building that trust. And the reason why this section is titled the way it is, again, there are multiple studies from psychologists and sociologists looking at the analysis of when somebody says they trust something, they like it more. And when somebody says they like something, they trust it more.

So like and trust, connection and trust build on each other and keep building each other. So I trust you which means I like you more. I like you more which means I trust you more. And those just keep compounding and growing. There is also an ethical responsibility to the organization, right? If we are a paid fundraiser, we have a responsibility to the organization, to the mission of that organization and to the budget. We are the revenue generating arm of the for good sector so we have a responsibility to hit those goals to make the mission happen. We have a responsibility to our donors, absolutely. And we can’t talk about those two prongs of our responsibilities without bringing in equal representation to the beneficiaries, to the recipients of our mission. So our duty, if you will, to all three of those in equal measure, from an ethical standpoint of doing what’s right by all of those three priorities really sets a mandate for us of more than just what’s required of us but what is the right thing to do, if you will.

Steven, in his intro and I appreciate him mentioning it, mentioned that I was a member of the Rogare Advisory Board. Rogare is a fundraising think tank based out in the UK headed by Ian MacQuillin and a number of other great thought leaders and researchers in fundraising. If you haven’t, if you’re not familiar with Rogare, I encourage you to look up some of the work that we’ve done and some of the white papers and a whole bunch of it. There’s a whole lot of studies and academic research into the work of fundraising, taking that critical thinking approach to it and how do we really think about and look at what we do. But this is a wonderful white paper on ethics and ethics in play in fundraising, so rogare.net/fundraising-ethics. You can download it totally free. Rogare, by the way, is Latin for “to ask,” which is why it’s named.

So why ethics? This definition, fundraising is ethical when it balances the duty of fundraisers to ask for support on behalf of their beneficiaries with the right of the donor not to be subject to undue pressure to donate such that a mutually beneficial outcome is achieved and neither stakeholder, meaning beneficiary or donor, is significantly harmed. So ethics driving how we look at our work and how we approach our work, and how we manage things like data.

Ryan and I were asked at one point in doing this to look at the ethical statements of the different professional associations, which sent us down this long, wonderful, several month-long kind of rabbit trail of reading every professional association that we could find. And I actually found a new one yesterday, Ryan, after we talked and updated the slides. I didn’t have the chance to pop it in but I found a new one last night.

So any professional association that deals with the nonprofit sector and with fundraiser specifically has a code of ethics. So, yay, like hooray, it’s out there. If you’re a member of any of these, AFP, CASE, APRA, ADRP, Grant Professional Association, AHP, any of those membership orgs have some form of an ethical statement of how we should do our work. And, in many cases, they are actually enforceable. I know for certain with AFP, if you know of a member who is violating ethical standards, there is a committee to whom you can report that anonymously. They will research it, look into it, and take action if action is needed. So there is a high level of importance to this. The really interesting thing is they all kind of says the same thing. It’s fascinating, it’s a great study in communications if you ever get the chance. I never really want to read them all because some of them take like five pages to say the same thing that the other is saying in a paragraph but it’s still great, right?

They all very similarly talk about the same things and address many of the same issues in how we deal with donors and how we approach our ethic, our work ethically and responsibly. AFP is the one that I am most familiar with just because it’s the association I’ve spent the most time with. So we wanted to highlight a couple of points, at least from, again, the Association of Fundraising Professionals’ Code of Ethical Standards, that really highlight data. We just highlighted these here. One, value the privacy, freedom of choice and interests of all those affected by their actions. I think we can underscore, triple underscore privacy there. And then adhere to the spirit as well as the letter of all applicable laws and regulations. Ryan is going to take us through a fun, little study here in a second on the applicable laws and regulations. The question is from an ethical viewpoint, right, where ethics is separated from law.

From an ethical viewpoint, not just do the laws exist but are we adhering to them, are we following them, and are we being ethical in our approach to them because laws set the minimum standards of behavior, if you will. The law requires us to do things and that’s on the next slide, sir. The law sets the minimum standards for us, while the ethics set a maximum, higher or moral standard. Again, the right thing to do. So we know we are legally required, for example in some states, to register and disclose that we are soliciting in those states, that is a requirement of the law, Nevada and California. Nevada is a registration and disclosure state, to solicit donors in the State of Nevada, you must register your nonprofit and you must disclose that on all solicitations. Okay, that’s a pretty basic, pretty standard, easy follow the law.

But how do we take it to that ethically responsible, to that next level, higher, moral standard of we’re doing it not just because it’s the law but because it’s the right thing to do for our donors, it’s the right thing to do for our organization, and it’s the right thing to do for beneficiaries who are, that’s who we’re raising money for. Yeah. So high level, kind of overview of ethics and the fundraising nonprofit look at it. Let’s dig into some of the laws and the legalities of it, and the caveat being neither Ryan nor I are attorneys. We are just guys with a Google account who found this fascinating and just spend a lot of time digging into it.

Ryan: So truth is it’s very surface level, it is not legal advice. Hopefully, you have access to lawyers who can give you that. Because if you’re relying on us, it could get scary. Almost as scary as having some little man pull your keys apart at night and you come back to a blank keyboard. So we’re going to start with something called GDPR and a little bit of the history on data laws in Europe. So the EU, when it was formed there’s this really cool thing called the Maastricht Treaty where everybody got together in a, I guess a smaller town in the grand scheme of things in the Netherlands called Maastricht, and they ironed out all the different rules that they would have. As they started to get going, one of the centerpieces of that, they decided was data protection because they knew that this was going to be such an important part of the global economy which is what EU is designed to feed into when they got started.

So the basis was they had, in 1995, they created the EU Data Protection Directive. And what that essentially meant was there’s certain ways that you have to hold data. If you have information on a bank account, there’s certain security measures that you as an organization would have to take. So you’re a bank, when you store a credit card, stuff has to be encrypted. It’s a really easy example. Fast forward to 2014, they came up with something that it always been ethically correct but it never been legally, never been a legal measure and that’s the right to be forgotten.

So that is if you say, “Hey, Facebook, I’ve decided I’m done with you. I want you to delete all the information you have on me.” Well, prior to 2014, if you were a citizen in the EU, which is not all of Europe but many countries, then you could ask Facebook and they could laugh at you. There was no law that they said they had to delete your information even though you wanted them to delete it. Even though, ethically, that would have been the right thing to do. So that set the groundwork for similar right to be forgotten laws elsewhere in the world.

And then in 2018 is when they rolled out GDPR. Now, GDPR, again this is specific to EU residents, so if all of you are residents are in the United States, or in other countries, then this may not be that important to you. But if you do have European donors, this is important to you and we’ll talk about that in a little bit. But at the end of ’18, the beginning of ’19, they basically said that if you’re going to collect data on anybody, they have to opt in. So it can’t simply be, “Hey, by virtue of you having a Facebook account, we’re going to collect all of this information on you.” It was actually no. But by virtue of you saying, “Yes, it’s okay for you to collect my information,” it’s fine. Otherwise, I’m still legally allowed to use your offering but you can’t collect my data, and you can’t resell it without my consent. Okay.

Now, here in the United States, that’s very different and we’ll talk about the ways that that’s changing. But there’s a really interesting book that recently came out by a Cambridge Analytica insider named Brittany Kaiser, the book is called “Targeted.” And she goes really in depth on all of these things. If you got, I don’t know, 12 hours, it’s well worth to read. But now, so if you think beginning at 2019, you probably got emails from say a Marriott or a Hertz, or any large international company, where they said, “All of these things are changing and we’re asking you to opt in.” And the reason they did that is because it’s easier to have the same policies for citizens in different countries as opposed to trying to create various policies and various platforms for each separate country. So many international nonprofits, like Heifer International, they did the same exact thing.

Now, let’s talk about you. If you have European residents and you’re tracking their information because they’re donors or volunteers or patients, these are a few different bullet items that you really ought to be on top of. Again, the part where, “Hey, we’re not lawyers but this is a good baseline level.” So you should have high data protection standards. If you click that link when you get this it goes in depth, but a very simple way to think about that is there should be one username and password combo per person per login.

So, if there’s eight of you that share a CRM login, that’s a really big no-no, that’s a violation of GDPR. It’s also not safe, I mean if you think about it going back to ethics and trust, right, you’re doing the right thing ethically, you will gain trust from your donors. If one person leaves out of the eight and it’s a really ugly exit, the smallest of your problems will be seven people are going to have to figure out a new username and password and memorize it. The biggest of your problems is you don’t shut it down because everyone else needs access and then the time that you don’t shut it down, the person that left has done something nefarious, maybe pull out the database and who knows what they’re going to do with these donors. So that’s the first thing to think of.

Second thing is, again, move from opt-out to opt-in, think of communications, right? Do you want this newsletter? Well, if you do, you should opt in instead of saying, “We’re going to give it to you regardless.” Again, ethically, that’s the right thing to do even though it might not be the way we practice here in the U.S. The second, the third rather is allow people to request all the information you have on them or the deletion of data. One thing to consider there, that means when you’re taking notes and entering call reports in, make sure you’re putting stuff in there that you would be okay showing the donor. Don’t add your opinion about things unnecessarily or things you heard about, members of their family if it’s irrelevant to your organization’s relationship with the donor.

And lastly, here’s a big one and here’s something that really whether or not you have European donors, you should start doing as well is assign a data protection officer. Give somebody the responsibility at the organization to make sure that there are a list of policies that everyone should be following to ensure that the data is secure, right? There’s policies, it’s essentially a playbook so that if there is some sort of weird data breach, the very least you can show your donors, “Hey, look, we had these things in place.” And Steven Shattuck here was the one that set this really good list of things to do and not to do to make sure that your data was secure. So that’s GDPR.

Now, I mentioned Cambridge Analytica, so when everyone found out about Cambridge Analytica and the whole getting information on your friends through Facebook, California was the first state to react with legislation. And they passed a law and the law said, “Within the next 12 months, we will define this law,” which is kind of scary. It basically said, “Look, we need data security. We don’t know what it’s going to look like yet but we all agreed that it’s going to be something. And over the next 12 months before this bill goes into effect, we’ll figure out what it is.” Now, the bullet points down here, they explain what that is. So anybody in the State of California has the right to access data. Anybody has the right to delete their data. Anybody has the right to know the collection process piece that company uses, and anybody has the right to opt out.

Now, there’s some really important information about this. In its current state, this does not impact nonprofits, right? So this means the way you interact with your organizations or with your donors rather, you don’t have to follow these rules. However, it does impact you indirectly because, right, I work at DonorSearch. We’re a wealth screening prospect research firm. Steven, who is here earlier and he’ll show up again at the end, he works at Bloomerang. Well, both of our companies need to adhere to these laws because we’re for profits that have clients and have information on residents of California.

So that was the biggest first change that happened. Right after that, there was a slew of other legislative changes. So you’re looking at one map now, we’re going to look at another map in a minute that shows, “Hey, where is consumer privacy in the house, in the senate at these different states?” So you’ll see right next to California, our friends in Nevada which, hmm, that might include Clay. They saw what California did and they said, “Hey, that’s a great idea. We’re going to do it. We’re going to do it better and we’re going to do it quicker.” So there’s some . . .

Clay: And we did, we did. We got it in place first before California did.

Ryan: You did, that’s right.

Clay: That’s a thing for us.

Ryan: Mm-hmm. Nevada one, California zero. The laws are virtually the same but to Clay’s point, yeah, it went into effect a few months earlier. You’ll see not shown here is Vermont. Vermont had one of the first consumer privacy laws that went into effect, it actually went into effect before California and a lot of that had to do with the security standards, if you’re holding somebody’s social security number. So, if you look, this is one really well-known source, IAPP, they’re on top of these different privacy laws.

But here’s a map from a different source. And if you’ll notice in this map, Vermont is filled in, Wisconsin has nothing going on, so that, whoops, the different states are moving so quickly that it’s very difficult to catch up and it’s difficult to stay on top of which state is doing what. Which ultimately means if you really think about it and you want to be safe, if you adhere to what GDPR has in place since what California created tried to design that, that’s the safest way to make sure that you’re, a), doing the ethical thing, but b), you’re also going to be on top of the legal ramifications.

There’s another law that you might want to look into called the New York Shield Act. And the New York Shield Act applies to anybody with a New York resident and it applies to nonprofits. So, really, it has to do with the transparency, if there’s a breach you have to respond quickly. Nothing crazy but, again, the thing is if you don’t know that and you just assume, “Well, I’m going to follow what my state laws are,” and you have donors in New York, it’s not just an ethical issue if you’re not doing the right thing but legally, it can come back to bite you. And with that, I’m going to kick it over to Clay and we’ll stop talking about the quilts that is U.S. state laws and we’re going to talk about federal legislation.

Clay: Yeah. I’m keeping an eye on the clock, too, Ryan. I want to be sure that we leave plenty of open time at the end for Q&A. But that patchwork of data privacy laws in different states that some may or may not affect nonprofits in different ways, which also ties to the patchwork of different registration and disclosure requirements in different states, it’s a lot to stay on top of and it’s a lot to be aware of. But, again from an ethical perspective, how much do we and what are the policies and procedures? And really having those high level discussions of, okay, what exactly are we going to do here and how are we going to take not only the required steps but the ethical steps in protecting and dealing with this information. Because there are currently, I honestly don’t know, I told Ryan we did a little prep last night. “I don’t know that this is correct today. I could have changed because it’s changing that quickly but there are currently several different legislation proposals on the Florida House going through and the prediction is that one of them is going to pass.

And some permutation of one or all of these is more than likely going to pass and that in the not too distant future, we will have federal legislation on data privacy standards across the United States. And Ryan talked a little bit of this just a second but our friends in Canada have different privacy laws than we do, so any of us that are working in both Canada and the United States have to be aware of those. Certainly, for donor search and any wealth intelligence firm or public data firm is aware of the different rules and restrictions just across the border. And as Ryan already mentioned, if you bring in the EU, right, so then we’re going to add on this very likely federal legislation. It is something that I would encourage all of you, particularly encouraging your boards and your governance to pay attention, to keep an eye on this. And if you have legal counsel, if you have any sort of government relations activity going on either at your nonprofit or in your community, or through a community foundation, keeping a very close eye on this. Because as we learned from GDPR, the ones that weren’t prepping for it in advance were the ones that really got hurt on the backend and really had struggles.

So starting now, in the midst of everything else going on, right, starting to pay attention to this federal legislation. You know, Ryan and I are very conscious and we all are. You know, you don’t want to single blame here or point anyone out but we also have to learn in 2020 that the nonprofit sector is not immune to data privacy hacks. We know this very clearly, unequivocally now that as a sector, our data has value and the bad actors, if you will, want it.

So, Ryan, if you’ll flip one more for me, please sir. Right. So, on September 15th, the Chronicle of Philanthropy reported that donors had filed five class action lawsuits against Blackbaud. Okay. So that kind of lit everybody up and I think we need to not panic but we do need to watch carefully because it’s pretty clear that our data is vulnerable, that people want our data and they can get it, and donors are aware of it.

So these are class action suits started by donors against the software firm. All right. Now, flip over one more. Just one week later, the number increased and they started targeting nonprofits directly. So it went from something like 5 class action suits to 9 or 10, I don’t know the exact number but the number of lawsuits increased and then the lawsuits started targeting nonprofits. So, again, something we need to keep our eye on very, very carefully in context of that public trust and in context of that transparency, that this is really going to change the dialogue for us. Again, we don’t . . . The point here is . . . to be scared. The point is to take logical good steps that we can do anything that we can to protect it. And now, we’re going to talk about that. But, first, a little visit to Canada.

Ryan: Yay. So we’ve got our Mounty friend and he’s here to talk about some of the Canadian privacy laws. So there’s two that we’re going to talk about. The first one is PIPEDA, generally speaking, it doesn’t apply to nonprofits but a lot of what it says has to do with data security and data privacy, and making sure that you’re taking appropriate measures to safeguard the data that your organization has. Now, the one that does apply to nonprofits is CASL. And that applies nonprofits, so that applies essentially individuals to opt in for solicitation emails. So Stephanie asked a question earlier about whether or not any of the U.S. state level legislation impacted email solicitation. And I think, currently, the answer is no but as soon as next week, it could. So you should just keep that in mind that it’s kind of a gray area. Now, when it comes to Canadian donors, it’s not a gray area. It’s not a gray area at all.

If you are let’s say an arts organization, not only can you not solicit donors without their opt in for gifts but you can’t solicit them for tickets. So there is one Canadian organization that did something really cutting edge. And if you’re an arts org or you’re any kind of organization that has insider info or insider opportunities, I recommend you take note. They created a special group for individuals that were willing to donate $1 and opt in. You would be able to get the schedule or the program two weeks early.

So, if you donate $1, right, that’s a small gift and you say, “Yeah, I want the information. And yes, I want your solicitations.” You’re suddenly able to see, “Okay. Well, this is when ‘The Nutcracker’ is going to air and I want to buy my tickets two weeks early. So, yeah, why wouldn’t I do that?” What they were able to do by creating that $1 membership is they picked up somewhere between $20,000 to $30,000 in donations but they also had a small group of people who not only legally had said, “Yeah, it’s okay to send me these messages and solicitations.” But, more importantly, it was, “Hey, I actually want you to communicate with me,” which is really brilliant because those are the people that are turned on to the org. You’ve built trust, you’re doing the right thing.

So let’s talk a little bit more about data governance. So what do you need in the database? What is it used for and can it be stored elsewhere? Do you need to track an individual’s gender? Do you need to track their ethnicity? Do you need to track their age? Maybe, maybe not. Maybe if you’re thinking about gender, there could be really important reasons to track it. Hypothetically, if you’re a hospital, then you need to know their current biological gender. But, more importantly, if you’re an org, you probably don’t, you just need to know the title that they prefer when you communicate with them. Maybe you want 80 points of wealth screening data in there but maybe you just want one. So the thought is make really intentional decisions about what you’re storing and how you store it.

Number two is update agreements to ensure institutional safety. What is your volunteer agreement look like? When is the last time you updated that? Does that include the kind of information that you’re collecting from these volunteers and what you’re going to do with that data? And review information requests strongly, don’t give info to scammers. So, on a regular basis, you might have people reaching out and asking for their data, right? Because let’s say you’re trying to be ethical and you’re trying to adhere to the 19, I guess the 2014 new directive where people can find out their own information and delete it if they want. Well, that’s great, definitely want to do that but you also want to make sure that you’re not dealing with Clay pretending to be me trying to get my info. So that he can, I don’t know, let’s say send me some strange emails at 3:00 in the morning about Legos and maybe sign me up for their Lego regular email blast so that I could buy the latest set.

Even though I might want to do that, you shouldn’t facilitate it. That would be a big no-no. So, again, pay attention, look out for scammers when you’re trying to field those requests. Basic security practices, so we touched on this a little bit, right? But there should be separate passwords for every employee and every volunteer. If somebody has a login, it shouldn’t be a shared login. It should be their own. The next one is just so important. Don’t email donor information. I can’t say it any more clearly than that. If you ever get a request from a vendor to email you names and addresses and gift state. Say you’re doing a conversion to a new database, say that you just signed on with Bloomerang, you’re going to start using them as a CRM, they’re going to send you an SFTP or an easy way to securely share that information with them. They’re not going to ask you to email it. If you email that stuff, it’s not secure. Someone can grab it and that’s how a bad actor ends up with donor data and you end up in a dicey situation.

The number three, really easy one, use up-to-date antivirus software. There’s tons of stuff out there. McAfee is a really good one, Norton is another good one and they’re affordable. Don’t share passwords especially via email. So, again, right, everyone is supposed to have their own username and password but what if I need to login and I need Clay to share a password with me temporarily and he’s going to change it in an hour. Okay. Well, let’s just say, hypothetically, that has to happen for whatever reason which it shouldn’t. But if it does, don’t email it, again, because email is not really secure. One of the last ones, probably a little less relevant now since many of us are working from home, but be careful on public Wi-Fi.

When you’re on a public Wi-Fi, everyone can see what you’re doing. It’s not difficult to pop in, take a look at somebody’s email history or pull files down off of their computer. Or watch when they logged in and grab their username and password. So be careful on public Wi-Fi. Don’t do anything that you wouldn’t want anyone else to see. And, again, stop emailing data lists. So now, Clay, we’re going to kick it over to you for some more advanced security practices.

Clay: And while you were talking, I’m going to ask you to poke into the Q&A, Ryan. The questions in the Q&A and in the chat are phenomenal. And I’m thinking back to, like I wish doing it live when we can do it right in Engage. But take a look at some of the questions and pipe in your thoughts, too, because there’s just phenomenal important questions going on. As we look at kind of the things that Ryan already referenced as we’re here barreling into the top of the . . . My clock is over there, that’s why I keep looking that way, sorry. As we barrel into the top of the hour. One of the best things that you can do to protect yourself is how they written policy and procedure manual. I know for a fact, Steven, I don’t know if I can do this but I’m going to do it anyway. I know for a fact somewhere on the Bloomerang blog is a data entry policy and procedure manual that the brilliant Robin Cabral wrote with Bloomerang and published on the blog, and it is just a phenomenal resource.

It’s actually so good that you can just take it and like replace your name into it and use it as long as you agree with everything. So that and a data security and maintenance policy that defines very clearly what you will protect, how you will do things, how you will enter things, and who will have access to it. You have noticed on websites all over the data privacy policy, when we accept cookies, when we sign up for lists, that we have to accept that data privacy policy. So ensuring that you have one and that you know what it means and that it is publicly disclosed and serves as a great donor stewardship document to be able to say, “Hey, donor, I get it. It’s legalese and it’s required but I want you to know that we take this very seriously and when you entrust your name to us, this is what we’re doing with it and this is how seriously we’re taking it.”

Gift entry, data entry policy and procedures, so who knows what and operate under the, what if you win the lottery tomorrow? And I get it, not all of us have the luxury of having a full-time database admin. But that person who enters the data, what if they win the lottery tomorrow and they don’t come back to work? Who’s going to pick that up and how do we know who and how it was done, and how are they securing and protecting data and including this in human resources and onboarding? Because everybody that comes on board at your nonprofit could have access to private information. Is that included in your HR policies and in onboarding, and signing that document that says, “I understand that I may come in contact with personal protected information and by signing this document, I acknowledge that I will keep it private as long as I’m an employee and blah, blah, blah.”

Is there a whistleblower policy in place? If you paid any attention to some of the scandals last year in terms of organizations that accepted donations form Jeffrey Epstein, sorry, it’s tough situation but name it, right? Is there a whistleblower policy in place that rises to the level of governance so that an employee, even if that employee is, you know, way down in the hierarchy knows that they can go to somebody at the governance level and be heard and protected when they see violations of these things? Does this rise to the level of governance? And this is where I’m going to say pretty much emphatically, “Yes, that we . . . now that you know all this, that you’ve seen all of this, we are all somewhat accountable to start bringing this up to our boards and our leadership and saying, “We’ve got to be looking at this data as an asset and protecting it as such.” Some real clever, fun ways to do this, Ryan, but we got two minutes left. So we’ll flip through that and then hit the last stuff.

Ryan: Yeah. So these are from our friends at the University of Chicago. University of Chicago gigantic nonprofit, right? They make more money that probably many of those that are attending today combined. So they have really good people that work in security and privacy. And back when everyone was going to the office, they made these index cards that they call Flip For a Tip. So you turn it over and you see this cute little puppy sticking his nose through a fence. But next to it it says, “Hey, turn off public Wi-Fi and don’t use public networks. Use a VPN,” which is a virtual protected network connection, that’s more secure, it’s a lot safer. You want to block nosy neighbors. We like the dog. We don’t necessarily want the dog to come in this time.

There’s a few more. Uh-oh, did you leave your computer unattended? Lock your computer every time you leave your desk. And you don’t want to see this sad polar bear, I mean think about it. Even working from home, you want to lock the computer. If you’ve got kids from home and you walk away to go to the bathroom, who knows what they’re going to do. And then we’ve got this little nosy raccoon going to the trash. You want to make sure you shred confidential documents and now, probably less important but, again, you don’t want to leave a written down username and password at home. When in doubt, shred it.

So kind of circling back, we’re going to finish on time, recommendations. Make sure you got a really clear and precise gift acceptance policy and stakeholder buy-in, right? Going back to Jeffrey Epstein thing, make sure you know here’s when we accept gifts and here’s when we don’t, and here’s why. So you can say, “I’m really sorry donor, the unfortunate situation occurs but this is why we cannot accept this gift.”

Data usage manual, who gets access to what? What are they supposed to do with it? And it’s part of onboarding training, right? When a new employee comes on, here’s how you use each system and make sure that permissions are set, right? So that a volunteer, because they’re checking in to spend time with the kid, that doesn’t give them permission to look at the entire donor database. Clay, do you want to take the rest of these?

Clay: We’ve already talked a lot about them, assigning that data protection person. Hey, here’s the thing, it doesn’t have to be senior leadership, it doesn’t have to be leadership at all. If your receptionist is the person who does the data entry and you make the person in charge of that, your data protection person then give that person the leadership role. And when they talk about data, everybody’s got to listen, so it’s, again, rises to the level of priority which makes data a huge institutional priority for the organization at the same level as we’re talking about goal setting and budget setting. So, yeah, that is the high level stuff. Ryan, I don’t know if you have time. Steven, I don’t know if this is allowable but I know there’s still a few questions running around so I’m happy to linger on and answer some of these because some of them were really good.

Steven: Let’s linger. We can take five minutes, I mean geez, this is good stuff. Yeah, let’s do it.

Clay: Cool. Ryan, I mean DonorSearch is really spearheading this. It lives on my website for whatever reason. I forget why we decided to do it that way but it’s all good. We would love your opinion, your voice, your input. We’re trying to take a measurement on the sector on how data management is done and get some actual data behind the data, see what I did there? So tcbfundraising.com/data-survey, if you can pipe in and answer three or four questions for us, that would be super helpful. Do not hesitate to reach out to either one of us if we can be helpful or answer questions. Steven knows how to reach out, too, so feel free to come to us through Bloomerang. But, clearly, it’s a topic we love and I’ll tell you honestly, for me, the reason I love it because, well, the reason I love it is it’s such a great way to be donor-centered and to really make that statement to the donor. Hey, what you’ve entrusted to us we’re protecting. Not just your gift, it’s not just your money, it’s you and your identity, and your important information, and we are taking good care of everything you have entrusted to us.

Steven: This is awesome. Wow, good stuff. I love the last, the last few slides. That seems like the things we can be proactive about ourselves. Solve 90% would you say? I know there’s a lot of vendors and bad actors but I love it, it’s on us, too, right?

Clay: Well, and Steven, if you’re going to say that, I mean I’m going to say to you in all love and respect, and you know how much I love Bloomerang, but, you know, you do kind of need to lean on our vendors a little bit and help guide us and provide resources. I love what you guys do with the blog and stuff like that, right? But there’s all of us together making it. Oh, my gosh, I just turned into a commercial. All of us together making it safer for donors.

Steven: A virtual hug to Clay.

Clay: Virtual hugs. I love it.

Ryan: One point on that, too. If you think about it, a lot of these scammers know that nonprofits of smaller budgets might not be paying attention to this. So they’re quick to go out and see what easy things they can get away with. So, you know, the comment was made, “Look, if you do these things, it covers 90% of it.” You don’t email donor data, that’s a really, really great way to make sure it’s not going to get taken because that’s one of the ways that scammers might try to grab it. It doesn’t take a lot of effort for them to do it so it’s a quick check. So by not doing that it says, “Okay. Well, I’m going to move along on the next nonprofit or next company they want to hack, whatever they want to do.”

Clay: Hey, Steven, sorry, logistics. One of the questions in the Q&A is will the Q&A be shared after the meeting, some great question response? I don’t know how that works, like the ones that were written. Do you share a transcript or . . . ?

Steven: Yeah. We will when we post the recording on our blog, probably about a week.

Clay: Awesome.

Steven: Yeah. We’ll get all that good stuff in there. Yeah, absolutely.

Clay: Cool, cool. And, Ryan, actually that was a point to me, something you and I can do. We could write a joint blog with some of the big questions that we see, the most written.

Steven: I love it.

Clay: Okay, done. Yeah, we’ll keep talking about that. Yeah, we’ll try to get that done about the same time that you publish this and then . . .

Steven: I’ll hold you to it.

Clay: Well, yeah, do it, do it, do it, do it. I never know the answer, is the Google unsafe? I’ll never know how to answer that. I’m not a Google guy.

Steven: I would ask Google, yeah.

Clay: I would ask Google.

Ryan: Let’s Google.

Steven: Probably safer than an Excel spreadsheet on your computer on public Wi-Fi, right? I mean that’s kind of what we’re talking about, you know, but it’s hosted somewhere securely, that’s always better than in the local machine I feel like.

Clay: And super-fast, one of the most common questions today if I could, sorry, was donor recognition, right, and publishing the donor’s name with the level. I mean interesting, that is not something we really ever talked about as an industry before. Could it be? Maybe it could. I hadn’t really thought about it because you’re actually publishing their name with so it could.

Steven: Which is a starting point to go down that . . . Yeah.

Clay: It is and there’s a lot of discussions in the building equity and representation and giving that. Maybe we need to rethink how we do recognition. Maybe we need to rethink that whole thing so, you know, I kind of put a pin in that one and go for continued discussion.

Steven: Well, get to work on that presentation and we’ll have you back and you can do that part of it.

Clay: Excellent.

Steven: That’s really interesting, that touches so many things, donor centricity, equity, that’s wow.

Clay: And we have a couple of people saying their orgs have already decided not to publish donor recognition. I kind of, you know, yeah.

Steven: It kinds makes sense to me. You know, I’ve only been thinking about it for a good 10 seconds but . . .

Clay: Right. Well, there’s a question earlier. See, I could go all day, I’m sorry, right? There’s a question earlier, you know, what if we accidentally publish somebody who wants to remain anonymous? Well, ethically tell them before it hits the press. Tell them that you did it and you made a mistake and you’re sorry, but tell them before they find out and, yeah. Anyway, that’s fine.

Ryan: Right. The moment you realize it is the time to tell people just like if there’s a data breach. And, obviously, make sure you fix the breach before you tell the world that there was a breach because otherwise somebody might be able to come in and grab more data. But, you know, you got to be on top of it.

Clay: We need to find a Lego whale slide, right, because whales breach. Anyway . . .

Steven: Yeah. That’s a point against to you guys, you didn’t have that. I mean, come on, that was . . .

Clay: I think at this point I’m getting punchy so we might.

Steven: And I know you got a couple of dogs outside the office that need some attention from you and someone with the leaf blower just showed up in my house. I don’t know why but we’re a little overtime but, hey, this is awesome. I knew this would be a fun one and informative, so thank you both for taking . . . You’re both are real busy, you have your own jobs. I mean you’ve got day jobs. You’re doing this for fun so thank you. Thank you for doing this.

Clay: Thank you. It was fun. Always good to see you and everybody on here and the whole Bloomerang folks. It’s great.

Steven: And reach out to them, follow us on Twitter, three of us, a little bit of shenanigans. You may pick up a nugget here and there.

Clay: Go sports ball.

Steven: The sports ball. And, yeah, good luck, Ryan, tonight I guess with your Bills. Clay, good luck with . . .

Clay: Whatever.

Steven: Whatever is going on in Las Vegas I guess.

Clay: Everything and nothing, yeah. Indeed.

Steven: And for me, I’ll get working on the recording and the slides, we’ll get that out to you later on today. And we’ve got another webinar coming up this week. Two days from now on Thursday afternoon, another free webinar. I lost my slides but I’ll email you guys. I’ll email you that one. It’s going to be on cultural competency. Jessica from Mockingbird Analytics, you’d see her information here if I had my act together. This is going to be a really cool one so we’re going to touch on DEI issues, going to be a fun session, definitely timely and important topic. So look for an invite to that from me with a recording and the slides, and hopefully we’ll see you again on another session. If not, we got lots of other webinars coming up. If you follow Bloomerang, you know, we’ve got some good ones all the time. So we’ll call it a day there. Like I said, look for an email from me with all the goodies and hopefully we’ll talk to you again on another webinar. So have a good rest of your Tuesday, have a good week, stay safe, stay healthy. We need you out there and we’ll talk to you again soon. Bye.

Kristen Hay

Kristen Hay

Marketing Manager at Bloomerang
Kristen Hay is the Marketing Manager at Bloomerang. From 2018 - 2020, she served as the Director of Communications for the Public Relations Society of America's local Hoosier chapter. Prior to that she served on several different committees and in committee chair roles.