For charities, security controls are key to donor trust

Sept. 2, 2015
Organizations must consider going beyond regulations while building a trusting relationship between givers and charities

Charities and not-for-profit organizations, like most companies, must collect data in order to perform the service of connecting the donor to their cause. Like most companies, they often use these stores of information to improve their services, whether it be user experience, targeted messaging or other aspects.

However, unlike with many companies, the private information shared with charitable organizations can be deeply meaningful and sensitive, for serious reasons: personal details relating to health or sexuality could be inferred and used against the donor, oppressive state actors could threaten lives, and, the most obvious reason, valuable financial data is involved. Charitable giving can reveal as much as or more than personal medical records or online purchase history. What you care about goes to the core of your identity.

The Unique Security Concerns of Charities

The rising awareness of the potential risks of sharing personal information has donors and the public at large increasingly concerned about its misuse, both by nefarious outsiders looking to steal it and, potentially, by the charities themselves through unethical fundraising practices, including the exploitation of elderly and other vulnerable people. As such, donors are becoming increasingly adamant that they have complete control over their data, and distrustful of the lack of transparency in many charities and not-for-profit causes.

JustGiving is one of the world’s largest charitable platforms, active in 164 countries with over 24 million donors. Like many other organizations in the charity sector, we treat protecting donors and building trust with them as a number one priority, but so is expanding to new areas and locations, including social networking, to allow people to more easily find and connect with the causes they care about and with other individuals who share their values.

Due to the inherent sensitivity of the work, charitable organizations like JustGiving are challenged to find creative and innovative ways to increase transparency and donor privacy, while also providing top-notch services to an ever increasing number of countries and users. To build a proper relationship between donors and charities, information must be in the open, but also protected.

It’s vital to public trust for charitable platforms to be transparent in their purpose and the transactions themselves – where the money is going and how much is actually reaching the cause. The objective is to raise more for good causes and one of the major challenges is that the public is unforgiving of spending outside of the donations’ intended cause – charitable organizations are often punished for advertising or marketing.

Unfortunately, these tight fiscal constraints do not leave a lot of room to spend on security, which can make some charitable organizations and not-for-profits easy targets for hackers. In online retail, for instance, profit margins typically run between 30-40 percent, providing the latitude for security investment. Compare that to the charitable giving space where that margin may be as slim as 5-10 percent, with as much as possible of the funding going to serve the underlying mission. This makes it a delicate balancing act to spend as little as possible, but also protect the data and provide strong technology.

The hard fact is JustGiving and other “tech for good” companies must be open and transparent about spending to improve, secure and expand charitable giving because the better the technology and platform, the more people can be reached and more money can be raised for causes they care about.

Best Practices for Improved Security

When it comes to protecting donor information, privacy should be an ethical concern for upstanding charitable organizations just as it is for the rest of the public. Awareness and protection of sensitive data are a societal movement, and in order to protect data and build trust with donors, responsible organizations need to give donors firm control over their information. Charities should, for instance, develop and promote a policy under which data is only stored or shared with outside partners with the express written consent of the user and with the purposes clearly stated up front. Strong, clear controls over the use and sharing of their information will not only reduce risk by limiting the amount of sensitive data held within your systems and shared with third parties, but also give users a sense of empowerment over their information.

Firm control of data security should also be paramount for the organization itself as it grows. Due to the aforementioned fiscal constraints, and to avoid greater overhead, some charitable organizations may fall back on protections that are already available to them, such as payment tokens from their payment processors. While this can save some money on the front end, keep in mind that this approach does not cover personal information that may be held separately from the payment data. Depending on the number of payment processors used and the variety of donation sources, managing a database of payment tokens as the record of donor information may also create more problems than it solves. Making the organization much more reliant upon the processor(s) for protection can lead to a false sense of security.

Taking internal control of data security enables customized protection to suit the exact use case, for maximum performance, faster response times, and the most effective security. It also allows charitable organizations to more easily adapt to upcoming changes in the space, including updates to PCI DSS, privacy and data residency laws, and new platforms and payment methods, including e-wallet and contactless payments. In JustGiving’s case, we investigated many protection methods, and landed on Protegrity’s tokenization solution as the technology of choice.

Tokenization is the practice of replacing sensitive data with random, unique surrogate values that retain the characteristics of the original (data type, length, etc.) and sometimes even parts of it. Compared with encryption, tokenization is much more flexible and scales better in performance, and it allows the protected data to remain completely transparent to systems and applications without major modifications. There’s no need to change data schemas or flows. Tokens are also much easier for developers, analysts and other users to interact with – they may not even know they are looking at tokens instead of the real thing – and because they are unique, tokens can even be used seamlessly in some business processes and analytics. Protegrity enables us to realise our ambitions to provide peace of mind for donors without compromising the margins of their investment, in a fraction of the time it would have taken to build a solution ourselves.
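As an added illustration (not JustGiving’s or Protegrity’s code), the following Python shows the properties the paragraph describes in a minimal vault-based tokenizer: the token keeps the original’s length and character classes, optionally its trailing characters, is unique, and can only be resolved back through the vault. The TokenVault class and the sample card number are constructed for this example.

```python
import secrets
import string

class TokenVault:
    """Constructed demo of vault-based, format-preserving tokenization.

    A sensitive value is replaced by a random token that keeps the original
    length and character classes (digit -> digit, letter -> letter) and,
    optionally, its last `keep_last` characters. Only the vault can map a
    token back, so downstream systems keep working on tokens unchanged.
    """

    def __init__(self, keep_last=4, max_attempts=1000):
        self.keep_last = keep_last
        self.max_attempts = max_attempts
        self._token_to_value = {}
        self._value_to_token = {}

    def _random_like(self, ch):
        # Draw a replacement from the same character class as `ch`.
        if ch.isdigit():
            return secrets.choice(string.digits)
        if ch.isalpha():
            pool = string.ascii_uppercase if ch.isupper() else string.ascii_lowercase
            return secrets.choice(pool)
        return ch  # separators such as '-' or ' ' are kept as-is

    def _candidate(self, value):
        cut = max(len(value) - self.keep_last, 0)  # index where the kept tail starts
        head = "".join(self._random_like(c) for c in value[:cut])
        return head + value[cut:]

    def tokenize(self, value):
        """Return the token for `value`; the same value always maps to the same token."""
        if value in self._value_to_token:
            return self._value_to_token[value]
        for _ in range(self.max_attempts):
            token = self._candidate(value)
            # A usable token must differ from the real value and be unique in the vault.
            if token != value and token not in self._token_to_value:
                self._token_to_value[token] = value
                self._value_to_token[value] = token
                return token
        raise ValueError("no unique token: too little of the value is masked")

    def detokenize(self, token):
        """Resolve a token to the real value; only the vault should do this."""
        return self._token_to_value[token]
```

Because the same value always yields the same token, records can still be joined or grouped on the token in analytics, while only the vault (which should be isolated and access-controlled) can recover the real value.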

Finally, consider that laws and regulations are merely guidelines. Growth and giving both necessitate strong security to protect sensitive personal and financial data to earn and keep the trust of donors and provide a reliable medium to support meaningful causes across the globe. To establish a healthy, trusting relationship between givers and charities, organizations must consider going beyond regulations by protecting the data with the strongest technology available and providing as much control to the donors over their data as possible.

A marketplace of secure, transparent charities ensures better services today and incentives to improve and become more efficient in the future. As long as we all move forward to responsibly protect donors, we can improve giving worldwide to ensure that no good cause goes unfunded.

About the Author:

Richard Atkinson is CIO at JustGiving and was responsible for building the award-winning JustGiving service 15 years ago. After a foray into healthcare which concluded with an AIM listing and the turnaround and sale of a hospitality business, Richard returned to JustGiving 3 years ago to transform its technology capability and drive the next era of growth. Since then JustGiving has established itself as the world’s largest fundraising platform, raising over half a billion US dollars in 2014 alone, and helping 23 million people in 164 countries raise over three billion US dollars for good causes since its inception.