Data Protection

3 Fundamentals in Data Risk Mitigation for Nonprofit Staff

Nonprofit staff are the first line of defense you have, so here's what they need to know

Last Updated On: May 26, 2022

As a leader of a mission-driven organization, you know that all nonprofit, non-governmental, and charitable organizations count on every stakeholder to help bring their mission and programming to life. The one tool they all have in common?


It doesn't matter if this data is being actively used or waiting for its turn to influence a crucial decision; it's always of measurable value.

It powers nearly all of a nonprofit's business functions and contains critical information, from organization programs and finances to the financials, identities, and personal information of every person in the organization's ecosystem. In ill-equipped, improper, untrained, or ill-intended hands, mishandled data can cause unpredictable damage to an organization and its stakeholders.

Data Protection – the Fundamentals

Although responsibility for a nonprofit's data protection and security may fall to a designated person or team, even they can't monitor the thousands of actions stakeholders take with their data every day across the organization.

When it comes to keeping data safe, the best defensive measure is an educated and security-aware workforce. However, this is not always the case with nonprofit employees, who can often lack the general awareness and ongoing involvement necessary to play a more active role in safeguarding data. It is essential to include everyone in building an environment where personal responsibility contributes to the organization's cyber well-being.

So what are three fundamentals that can empower your people?

Fundamental 1: Communicate Policies & Procedures Regularly

As part of staff onboarding, review any data protection and security policies and procedures in place across your organization. All contributors should know what is expected of them. Leaders should make sure this information is kept current, and that all staff and any non-internal parties are informed and acknowledge that they've reviewed your policies and procedures as they're made available and updated.

⇒ Unsure of where to start with creating policies and procedures for data protection and security, or looking to review what your org has in place?

Check out Cyber Essentials from CISA, an excellent resource for building a culture of cyber readiness within your organization, and CISA's Cybersecurity Framework, a gold standard in helping orgs understand and improve their management of cybersecurity risk.

Individual contributors should expect to review this information upon onboarding and throughout their tenure with your organization. If this hasn't been the case, then just ask. Everyone plays a part in keeping data protected and secured. If you're an individual contributor on some (or every) level of the organization, YOU are the best line of defense. Review security policies and procedures and refresh frequently: at a minimum, twice annually.

Fundamental 2: Ensure Compliance

PII (Personally Identifiable Information), GDPR (General Data Protection Regulation), HIPAA (Health Insurance Portability and Accountability Act), CCPA (California Consumer Privacy Act), and PCI DSS (Payment Card Industry Data Security Standard) are just a few of the many regulations and standards regarding data usage, protection, and security compliance that a nonprofit may encounter and be responsible for adhering to. What's more, these rules and regulations vary greatly.

To give you an idea of just how vast protection and privacy laws are around the world, check out this interactive map from the global law firm, DLA Piper.

All staff and vendors supporting your organization's mission should understand the compliance regulations and standards regarding the data they have access to and work with. Staying up-to-date on changes in regulations is paramount. Failure to remain current and comply with these regulations and laws may result in heavy fines and/or legal action being taken against a nonprofit.

If your organization relies on vendors who have access to your organization's data, request their most current privacy and security policies and audit reports. Review them and ask for clarifications on anything that may be unclear. It's important to understand the measures they're taking to protect and secure your potentially sensitive data.

For example, visitors to Auth0, a product unit within Okta's online properties, can learn more about our trust and compliance policies through the information we've provided here:

Fundamental 3: Access Accountability

Working remotely, working from work, or some variation of the two? To access the data needed for work, you need connectivity to a network and login credentials. No matter what your role is at a nonprofit organization, there are some basic measures you can take to safeguard access to the nonprofit's data:

  • When connecting, ensure the network is PRIVATE and SECURED. (Public Wi-Fi isn't recommended.)
  • Use unique, random passwords, preferably created by a password manager, with the longest character count possible (ideally at least 16 characters) so that your login credentials are not easily guessed
  • Enable Multi-Factor Authentication on all your important work and personal accounts. Multi-Factor Authentication, MFA for short, can reduce the likelihood of cyberattacks from stolen credentials. MFA works by requiring additional verification information (known as factors) when you log in using a username and password, providing further proof of identity
  • Avoid sharing your account credentials with anyone in any format (written, electronic, verbal, etc.)
  • Leaders should enforce the principle of least privilege when it comes to who has access to the organization's data at all levels, based on their individual role and need. This should be reviewed often and updated whenever there are changes in people or technology

⇒ The principle of least privilege is a security concept that limits a user's access rights to only what is required to do their job.

These are just the three basic fundamentals for mitigating data risk in a nonprofit at the staff level across the organization. All staff could benefit from the helpful information we've compiled to create Auth0's resource, Your Personal Cybersecurity Checklist: Workplace Edition. The checklist covers basic workplace cyber hygiene, personal cybersecurity, and advanced workplace cybersecurity actions every staff member can follow. It's a great place to start your organization's journey to being more secure and assured in 2022 and beyond.

About Auth0

Auth0 by Okta takes a modern approach to customer identity and enables organizations to provide secure access to any application, for any user. Auth0 is a highly customizable platform that is as simple as development teams want, and as flexible as they need. Safeguarding billions of login transactions each month, Auth0 delivers convenience, privacy, and security so customers can focus on innovation. For more information, visit
