Respecting and protecting people’s privacy is essential when running a not-for-profit. Various laws around the world define the types of information you can collect and how you can use it, and a breach of privacy can be a public relations nightmare. To guide you, here are several best practices for managing data privacy on your website.

Limit Data Collection

The first thing to do is to minimise the amount of information you collect in the first place – if you don’t have it you don’t have to worry about protecting it!

As a not-for-profit, it can be tempting to try and collect as much information on your donors and supporters as you possibly can. While this is understandable, asking for too much – especially too early in the relationship – can be a big red flag for a lot of people. Finding a balance between respecting people’s privacy and obtaining enough information to continue engaging with them is important. Clearly explaining why you ask for particular details can help assuage concerns in this area – for example if you want someone’s address so you can let them know when you’re running an event in their area, then tell them that.

Reducing the amount of information you ask for can also significantly improve the chances of someone completing a donation, especially as a first-time donor.

Protect Personal Data

Once you collect someone’s information, you need to ensure that you protect it. Most online systems – including WordPress and your CRM – have the ability to assign your staff and volunteers different access levels depending on what they need to be able to do. While it can be tempting to just give everyone full access to everything, you should only give people the minimum permissions they require to fulfil their responsibilities. This also means everyone having their own unique username and password – there shouldn’t ever be a reason for multiple people to share a login.

Regularly review all of your user records to make sure that their permissions are still accurate, and remove unneeded logins (e.g. for staff members who have left) as soon as practical.

Secure Your Website

An SSL certificate should be provided free with any web hosting, so your website should always be served over HTTPS, not HTTP. This ensures that all information transmitted between your visitors’ browsers and your website is encrypted to prevent anyone else from “listening in”.

WordPress itself along with all themes and plugins should be updated on a regular basis to ensure that any security patches are applied as soon as possible. Likewise the software on the web server should be kept up to date – your host probably looks after the operating system updates, but in most cases they won’t update PHP unless you specifically ask them to (as there are sometimes changes which are not backwards compatible). Keeping on top of all of this is vital, as once a security flaw is known it becomes an obvious target for hackers to try and exploit it.

Use Fit-for-Purpose Services

In certain situations, using an external service can be both easier and safer to handle particular interactions than to try and manage them suitably yourself. Online payments is the most obvious example – while it is possible to collect credit card information directly on your website and pass it on to your bank or payment gateway for processing, ensuring that data is properly protected is a minefield. While we strongly recommend not just directing people off to an external site to make a donation, most payment providers offer ways to embed their payment forms into your site so that the experience is smooth for your donors, but your website never sees their card details.


Have any more tips for protecting the privacy of your constituents and donors? We’d love to hear it.

Leave a comment

Your email address will not be published. Required fields are marked *