We all know the vital work that nonprofits do, often with limited resources. In today’s digital landscape, protecting your organization and the sensitive data you handle is paramount, but it can’t come at the expense of the budget for your vital programming.

The world of cybersecurity can seem complex – but taking simple, strategic, and manageable steps can make a significant difference in the security of your nonprofit. Once you have a foundational level of cybersecurity in place, focusing on your nonprofit data retention policy is a low-cost yet valuable next move.

Community IT, a trusted voice in the nonprofit tech space, advocates for establishing basic cybersecurity hygiene. Our free Cybersecurity Readiness for Nonprofits Playbook is an excellent resource to get those initial safeguards in place. 

Cybersecurity Basics: Getting to a Foundational Level

Tackling these basics isn’t as simple as 1-2-3, but it’s certainly more manageable than many of the complex challenges nonprofits address daily. 

These fundamental steps, which provide an impressive 80% protection against common threats, include:

Level Up: The Power of a Data Retention Policy

As you put these foundational elements in place, don’t forget your nonprofit data retention policy, and commit to implementing it and monitoring compliance consistently. While this won’t break the bank in terms of budget, it will require a commitment of staff time and energy.

Consider this challenging moment as the perfect catalyst to undertake this essential “sorting-and-retaining-or-deleting” project.

Why is a Data Retention Policy So Crucial for Nonprofits?

A well-crafted data retention policy isn’t just about tidying up digital files; it’s a fundamental pillar of your cybersecurity strategy. Here’s why it’s so vital:

Best Practices for Crafting and Implementing Your Nonprofit Data Retention Policy

Creating an effective data retention policy requires intentional consideration and a collaborative approach. Here are some best practices to guide you:

  1. Conduct a Data Inventory and Assessment: Before you can determine what to keep and for how long, you need to know what data you currently hold, where it’s stored, and who has access to it.

    This includes databases, documents, emails, cloud storage, and even data on individual devices. Many nonprofit staff work with data without specific data management expertise, making this initial assessment crucial to identify potential vulnerabilities.
  2. Define Retention Periods Based on Legal, Regulatory, and Operational Needs: Research the legal and regulatory requirements that apply to your organization’s data.

    Consider the operational needs of different departments and determine the minimum and maximum retention periods for various data types. For example, donor records might need to be kept for a certain period for audit purposes, while outdated program data could be safely deleted sooner.
  3. Establish Clear Data Disposal Procedures: Your policy should outline the secure methods for deleting data, whether it’s securely wiping hard drives, shredding physical documents, or utilizing data destruction features in your software.

    When off-boarding staff, don’t forget to disable their access to your data, and to determine which data and files they managed that should be deleted or have their ownership reassigned.
  4. Include All Data Types: Don’t forget to explicitly address the retention of emails, instant messages, and data stored or backed up in cloud-based applications. These often contain sensitive information and should be subject to the same retention and disposal rules.
  5. Assign Roles and Responsibilities: Clearly define who is responsible for implementing and enforcing the data retention policy within your organization.

    This might involve IT staff, department heads, and potentially a dedicated data governance team, to ensure consistent application across all departments.
  6. Implement Training and Awareness Programs: Educate your staff about the importance of the data retention policy and their role in adhering to it.

    Regular training sessions can reinforce best practices for data handling and disposal, and help your employees identify areas of concern. When staff feel they are part of an internal army protecting your nonprofit’s reputation and data, they will be better positioned to follow your policies.
  7. Regularly Review and Update Your Policy: The digital landscape and regulatory requirements are constantly evolving. Your data retention policy should be reviewed and updated at least annually to ensure it remains relevant and effective.

    The review process is a good way to reinforce executive ownership of cybersecurity, IT and acceptable use policies. Do not set it and forget it.
  8. Consider Vendor Policies: It’s crucial to vet your vendors and understand their data handling practices. Ensure their retention and disposal policies align with your own and that you have clear notification procedures in case of a vendor data breach.
  9. Address New Technologies Like AI: With the increasing adoption of AI tools, it’s essential to develop clear guidelines for their acceptable use and the handling of data within these platforms. Be mindful of the potential for sensitive organizational data to be inadvertently shared with AI models. Community IT offers a helpful AI acceptable use policy template for nonprofits.

Next Steps to Take Now:

If your nonprofit doesn’t yet have a comprehensive data retention policy, here are some immediate steps you can take:

  1. Start with the Easy Wins: Begin with a data retention policy and a vendor vetting policy. Templates for these are readily available, including from the National Council of Nonprofits.
  2. Initiate Internal Conversations: Begin discussing data governance and the organization’s stance on data handling with your leadership team and across departments and stakeholders. Don’t forget volunteers, for example, if you want them to comply with your data retention policy.
  3. Conduct a Preliminary Data Mapping Exercise: Even a basic initial effort to identify where your organization’s data resides is a valuable first step.
  4. Leverage Existing Resources: Explore templates and guidance from organizations like Community IT, NGO ISAC, and SANS to help you draft your broader IT policies.
  5. Prioritize Training: Even before a formal policy is fully implemented, begin educating your staff on data security best practices and the importance of responsible data handling.
  6. Ask yourself: What would happen to my organization if my data were exposed publicly? Which data would be most damaging? What policies do I have to prevent that internal data from becoming public? Are my staff complying with my policies, and how do I know that they are?

Don’t Leave Cybersecurity As-Is and Hope for the Best

Ignoring your data retention policy is akin to leaving doors unlocked in your physical office. It creates unnecessary vulnerabilities. By taking the time and effort to create, implement, and consistently monitor your nonprofit’s data retention policy, you’ll be taking a significant step towards a more secure and resilient future for your organization. Cybersecurity basics and a data retention policy are low-cost investments with the potentially invaluable returns of protecting your mission and the trust of those you serve.

Ready for IT support you can depend on?

We’ve found that many nonprofit organizations deal with more IT issues than they should have to. Resources are tight. Systems are unreliable, responses are too slow, and repairs are too expensive. Sometimes nonprofits don’t even realize how bad things are until something big breaks and their mission is derailed.

Our process is based on decades of exclusively serving nonprofits. Our technicians have certifications across all major platforms, and we constantly research and evaluate new solutions to ensure that you get cutting-edge solutions that are tailored to the needs of your organization.

We regularly present webinars at Community IT about cybersecurity issues, and we work hard to keep our nonprofit technology community informed and engaged in best practices.

If you have more questions about nonprofit IT cybersecurity, just ask.
