Data Privacy Resources
All documents below are in “View Only” access. Copy the document to your Google Drive or download it to make changes.
Data Privacy Survey
Overview: Kickstart your organization's journey towards better data privacy by first understanding the landscape. This survey is designed to uncover insights across various departments about the data collection practices within your organization. You might be surprised by what you learn!
Action Step: Engage with staff from different parts of your organization by distributing this survey. The insights you gather will be pivotal in identifying potential data privacy risks and areas for improvement.
Data Systems Inventory
Overview: This spreadsheet template helps organizations document the various systems they use to collect, store, or manage personal data—whether donor records, program participant info, HR data, or email lists. It prompts you to track what kind of data is collected, where it's stored, who has access, and whether key protections (like encryption or backups) are in place.
Action Step: Use this template to conduct an organization-wide inventory of your data systems. Fill it out with input from different departments to uncover hidden risks (e.g., old databases or spreadsheets), clarify ownership, and identify where privacy and security measures might be missing. It's an essential first step in strengthening data governance and meeting privacy obligations.
Incident Response Plan
Overview: A clear, step-by-step plan for how your organization will respond to data breaches, cyber incidents, or other security events. This helps reduce panic, ensure compliance, and limit harm when something goes wrong.
Action Step: Customize this plan to reflect your team’s roles, communication channels, and systems. Make sure all staff know where to find it—and test it at least once a year with a tabletop exercise.
Data Classification and Handling Policy
Overview: This template helps nonprofits classify the types of data they handle—such as Restricted, Confidential, Internal, and Public—and define appropriate handling protocols for each category. By aligning data practices with the sensitivity of the information, this policy supports compliance, reduces risk, and improves operational clarity.
Action Step: After completing your Data Systems Inventory, work with key organizational stakeholders—across programs, HR, IT, development, and leadership—to tailor this policy to your organization’s specific needs. Together, determine how each type of data should be accessed, stored, shared, and disposed of. This collaborative approach ensures the policy is both practical and enforceable, and encourages organization-wide buy-in for improved data stewardship.
Examples of Personal Information Categories
Overview: Examples of which kinds of personal information fall into each category: PII, Sensitive Information, and Special Category data.
Third-Party Risk Management Policy
Third-party risk management (TPRM) is an increasingly important privacy practice, since more and more of an organization's data is stored and processed by outside vendors rather than on systems it controls.
Overview: The Third-Party Risk Management Policy outlines procedures to mitigate risks from external vendors, integrating risk assessment into procurement processes. It ensures that partnerships align with data security and compliance standards, safeguarding operational integrity.
Action Step: Audit your current third-party engagements to identify risk areas. Adapt the policy template to fit your organization, incorporating vendor due diligence and ongoing risk assessment into your procurement strategy.
*The policy references security scores. Security Scorecard offers a 14-day free trial for generating scorecards.
Data Retention and Deletion Policy
Overview: This template supports nonprofits in establishing clear, legally grounded retention periods for the types of data they collect—from donor records and program files to communications and board materials. It also outlines secure deletion methods to reduce the risk of over-retention, data breaches, and legal exposure.
Action Step: Use this template to define how long various types of data should be kept and when (and how) they should be securely deleted or archived. Work closely with stakeholders across departments—including programs, development, governance, and IT—to ensure the policy reflects actual data practices and operational needs. This process will help your organization reduce unnecessary data storage, demonstrate compliance, and protect the trust of your community.
Privacy Notice
Overview: This customizable template helps nonprofits clearly communicate how they collect, use, and protect personal information—especially through websites, forms, and email interactions. It outlines individual data rights (like access, correction, and erasure), security practices, third-party vendor relationships, and cookie usage in plain, accessible language.
Action Step: Use this template to create or update your organization’s public-facing Privacy Notice. Be sure to work with relevant stakeholders—including legal counsel, IT, communications, and program staff—to ensure the final version reflects your actual practices and covers all relevant data flows. Publishing a clear Privacy Notice is a foundational step toward building trust with your community and demonstrating transparency and accountability.
AI Acceptable Use Policy
Overview: An AI Acceptable Use Policy is an organizational guide to the ethical and appropriate use of artificial intelligence, focusing on which tools are sanctioned, how personal and confidential data may (and may not) be shared with them, and general risk mitigation. It is essential for nonprofits using AI, giving employees a clear path given the widespread availability of these tools.
Action Step: Review and customize the AI Policy Template to align with your nonprofit's culture and AI needs. Involve team members from across your organization to ensure comprehensive coverage of AI's impact. Implement the tailored policy, integrating it into training and operations to promote ethical AI practices organization-wide.