The safest data is the data you never collected.
Data Privacy & Protecting the People You Serve
For many organizations, the data is sensitive by nature — health, immigration status, LGBTQ+ identity, survivors of violence, kids. The people you serve hand you their secrets because they trust you. That trust is a vault, and you're the keeper of the keys.
Two villains circle it. Chaos wants to pry the vault open — a breach, a leak, a misdirected email. The Mundane is subtler: it whispers “keep everything, just in case,” until you're hoarding a mountain of data you never needed and can't protect. The Crew guards the vault a simple way: collect less, and fiercely guard what's left. For community and mission-driven organizations, a privacy breach isn't just embarrassing — it can endanger the very people you exist to help.

People trusted you with their story. That's sacred. Protecting their privacy isn't paperwork — it's keeping a promise to the people we're here to serve.
The safest data is the data you never collected. Minimize every form, set a deletion schedule, and map where everything lives. Less to guard means less to lose. #AutomateThis!

The Crew's playbook: a practical privacy checklist
1. Collect only what you need
   Every field you gather is a field you have to protect. If you can't name why you need a piece of personal data, don't collect it.
2. Write a plain-language privacy notice
   Tell people what you collect, why, and who you share it with — in words a human can read. (Ours is a fine starting template.)
3. Get real consent
   Consent buried in fine print isn't consent. Ask clearly, especially for anything sensitive, and let people say no without losing service.
4. Set retention and deletion rules
   Decide how long you keep each type of data, then actually delete it on schedule. Data you no longer hold can't leak.
5. Control third-party sharing
   Know which tools and partners receive your data. Don't export your full contact list into every shiny new platform.
6. Map where data lives
   A simple list: what you collect, where it's stored, and who can reach it. You can't protect what you can't find.
7. Honor data-subject requests
   Under laws like CCPA and GDPR, people can ask to see or delete their data. Have a simple, known process to respond.
Data minimization, in practice
Minimization sounds abstract until you look at your own intake form. A few real examples:
- Do you need a date of birth, or just “over 18?”
- Do you need a full home address, or just a ZIP code for your grant report?
- Do you need to keep every intake note forever, or summarize and delete the raw detail after the case closes?
- Does that volunteer signup really need a Social Security number? (Almost never.)
Every field you remove is one fewer thing Chaos can steal and one fewer thing you have to defend.
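The intake questions above, turned into a small script. This is an added example, not code from this guide or from Island Pitch; the field names, the US-style address format, and the 90-day note window are assumptions chosen for illustration.

```python
import re
from datetime import date, timedelta

# Assumptions for this example, not taken from the page: field names, a US-style
# address ending in a ZIP code, and a 90-day window for raw case notes.
ALLOWED_FIELDS = {"name", "email", "over_18", "zip_code"}
RAW_NOTE_RETENTION = timedelta(days=90)

def is_adult(dob: date, today: date) -> bool:
    # Subtract one year if this year's birthday has not happened yet.
    age = today.year - dob.year - ((today.month, today.day) < (dob.month, dob.day))
    return age >= 18

def minimize_intake(raw: dict, today: date) -> dict:
    """Derive the coarse facts the program needs, then keep only allowlisted fields."""
    record = dict(raw)
    if "date_of_birth" in raw:
        record["over_18"] = is_adult(date.fromisoformat(raw["date_of_birth"]), today)
    if "home_address" in raw:
        match = re.search(r"\b(\d{5})(?:-\d{4})?\s*$", raw["home_address"])
        if match:
            record["zip_code"] = match.group(1)
    # Allowlist, not denylist: a field nobody planned for (an SSN, say) is dropped.
    return {k: v for k, v in record.items() if k in ALLOWED_FIELDS}

def purge_closed_case_notes(cases: list, today: date) -> int:
    """Delete raw notes for cases closed longer than the retention window."""
    purged = 0
    for case in cases:
        closed_on = case.get("closed_on")
        if closed_on and case.get("raw_notes") is not None:
            if today - date.fromisoformat(closed_on) > RAW_NOTE_RETENTION:
                case["raw_notes"] = None  # the summary field is kept
                purged += 1
    return purged

# Constructed sample data, not real people or cases.
SAMPLE_INTAKE = {"name": "Sample Person", "email": "sample@example.org",
                 "date_of_birth": "2000-03-15", "ssn": "000-00-0000",
                 "home_address": "12 Example St, Springfield, IL 62704"}
SAMPLE_CASES = [
    {"id": 1, "closed_on": "2025-01-10", "raw_notes": "raw detail", "summary": "housing referral"},
    {"id": 2, "closed_on": "2025-05-20", "raw_notes": "raw detail", "summary": "benefits help"},
    {"id": 3, "closed_on": None, "raw_notes": "raw detail", "summary": ""},
]

if __name__ == "__main__":
    today = date(2025, 6, 1)
    print(minimize_intake(SAMPLE_INTAKE, today))
    print(purge_closed_case_notes(SAMPLE_CASES, today), "case(s) purged")
```

Run the minimizer before a record is written to storage, so the date of birth, street address, and any unplanned field never reach the database or its backups.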
Your vendors are data processors
The moment you put personal data into a tool, that vendor is handling it on your behalf. Ask where the data is stored, who can access it, whether it's encrypted, and — critically — whether it's used to train the vendor's products. Prefer vendors who'll sign a data processing agreement and put their answers in writing. (Want to see a real, plain-language example? Read our own Privacy Policy.)
US-first, but know where your people are
Most US organizations anchor on US rules like CCPA/CPRA (California) and sector laws such as HIPAA for health data. But privacy law follows the people in your database, not just your office. If you serve or fundraise from people in Europe, the GDPR can apply; in Canada, PIPEDA and Quebec's Law 25 may too. The throughline is the same everywhere: collect less, be transparent, get real consent, and let people see or delete their data. Do that, and you're standing on solid ground in any jurisdiction.
How Chaos & The Mundane win
- Spreadsheets full of personal information sitting in a shared drive anyone can open.
- No retention policy, so data piles up forever — pure hoarding, and a bigger breach when it comes.
- Consent buried in fine print nobody read or could find later.
- Exporting your entire contact list into every new tool "just in case."
