Grace Lazzara| Business2community
A TechSoup study recently showed 90 percent of nonprofits use cloud computing in some way, shape or form. A sticking point for many nonprofits, however, comes when they think about moving constituent data to the cloud.
NTEN’s recent “State of the Nonprofit Cloud Report” said as much: “Many respondents said they were concerned about security for some hosted systems—especially constituent databases.”
From credit-card and social security numbers to healthcare and even simple name and address information, nonprofits frequently deal with truly sensitive data. Keeping your constituent data secure and private involves not only protection from outside (hackers, power outages, etc.) but also from inside (who in your organization is allowed to see what constituent information). The concern about constituent and fundraising data is underpinned, in many cases, by regulations and standards—like HIPAA, PCI DSS, ISO 27001,
EFTA—specifying how organizations handle personal and financial data.
This concern around cloud security is natural, but it’s not necessarily based in fact. A May post in Guidestar’s blog notes that while “nonprofit personnel often have less confidence that data in the cloud is truly secure and recoverable . . . [i]n reality, security and privacy is often much greater with major cloud providers.” Also a reality of data security . . . your organization, as well as the cloud services company you’re working with, has a big role to play.
To begin ensuring constituent data is safe in the cloud, your organization should:
- Identify where data lives. Are you maintaining data on donors, volunteers and other constituents in several databases? Or is all your constituent data in one core database? You need to know where the data is before you or any company can secure it.
- Determine which data is sensitive, proprietary or regulated, and needs to be secure. Data is usually classified either in terms of its need for protection (sensitive data) or its need for availability (critical data).
- Implement effective data governance, a documented system to handle your nonprofit’s data. For many nonprofits, a key data governance issue is deciding which staff, departments and/or locations can access certain (or any) constituent information. It can also include detailing how and when you collect data, managing data and privacy policies, among others.
Your cloud services company should:
- Help with data governance. Once you’ve set data governance rules, your cloud provider should help you meet those requirements. For example, users of ClearView CRM can set access rules within the system that allow national headquarters development staff to see all donor information but chapter staff to see only information on their regional donors.
- Have well-established policies for disaster recovery. ClearView CRM’s developer, SofTrek, maintains a second, fully functional location for client data. Some ClearView CRM clients have fully mirrored databases at a second location that are kept in sync with the database they use daily. If, say, a natural disaster affects the main database location, these clients can point their browsers to the replicated databases and begin work almost immediately.
- Back up constituent data on a regular basis. SofTrek backs up client data to disk (and tape) nightly and takes the additional step of mirroring the data over a communications link to the second location.
- Meet appropriate regulations and standards. Encryption to testing, password maintenance to malware detection–the company that handles your constituent data needs to comply with and even go beyond the rules and recommendations from regulators and standards associations. For instance, cloud companies that handle credit-card transactions should be complaint with and receive certification from the PCI (Payment Card Industry) Security Standards Council.
These are just a few of the considerations your organization will deal with when you move constituent data to the cloud. With the right cloud services provider, however, addressing those considerations will be considerably easier.
