Why Privacy Matters More Than Ever—and How Non-Profit Leaders Can Build Real Resilience

Heather Cayouette

Picture this: it’s a regular Tuesday. A staff member mentions in passing that a document with client details might have been shared a bit more broadly than intended. They’re not panicked—just flagging it so you’re aware.
Without thinking too much about it, you nod and move on to the next task. After all, things like this happen all the time in busy organizations.
But here’s the real issue: moments like this should make us pause.
Too often, we get caught up in the pace of our day-to-day work. We juggle competing responsibilities and move quickly, without stopping to consider the growing asset—and risk—our organization holds: our data.
Think about it: every day you manage the stories, identities, struggles, hopes, and histories of many people, and for non-profits, often those people come from vulnerable populations. That information is valuable. And when it’s mishandled, even accidentally, the consequences can be real.
As leaders, you are stewards of the information people share with you when they use your services. This involves a high level of trust, and you can't afford to let your clients down. Trust is the most valuable currency non-profits have, and it can take years to build and a single incident to lose.
For your organization, this means having the foundations of a strong privacy program in place. It means understanding how you collect, use, and manage the data you have and ensuring your team is prepared to respond when (not if) something goes wrong.
The World Has Changed (and So Have Expectations)
You’ve likely noticed it—every year your organization adopts new tools, new platforms, new forms, new apps, new workflows. There are so many amazing new ways to get work done that can save you and your team hours of effort. But these gains also come with risks. Through the adoption of every new tool, you’re building up a huge amount of personal information about clients, donors, partners, volunteers, and staff, often spread across multiple systems with uneven oversight.
On top of that, technology is getting more sophisticated. The rise of AI and automated decision-making means your systems may now even be making choices on your behalf. Governance matters more than ever. Leaders need to set boundaries for how any tool handles information.
Meanwhile, expectations are rising everywhere:
Funders want proof you’re handling data responsibly
Clients and communities assume their information is safe
Staff want clarity, consistency, and protection—but they also need ways to do this that are simple and fast
And governments are introducing stricter privacy laws with real penalties
Privacy at Non-Profits Is a Leadership Issue
A lot of people assume privacy is an IT thing. It’s not. Privacy is governance. It’s about decisions, not devices.
That’s why responsibility for privacy sits squarely with leadership. Yes, technical staff handle the processes and mechanics of securing data, but leaders define the expectations, the culture, and the risk tolerance of the organization.
As a leader, the way you show up sets the tone for the entire organization. The values you model—care, intention, transparency, responsibility—become the values your team brings into their daily work. And that includes how they handle the information entrusted to them.
You don’t need to be a privacy expert to lead well in this space. But you do need to understand how privacy actually shows up in your organization—the kinds of information you collect, the small choices staff make each day, where risks tend to hide, and how your practices either protect people or expose them to harm.
When leaders understand these everyday realities, they make better decisions, create safer systems, and give staff clearer guidance. And that’s where strong privacy culture begins—not with checklists or technical fixes, but with leadership modelling what it looks like to treat people’s information with care.
This understanding becomes especially important when you consider the kinds of issues that actually lead to privacy incidents—which are far more common and far more human than most people realize.
Common Privacy Blind Spots in Most Non-Profit Organizations
Privacy risks are most often associated with cybersecurity incidents or “being hacked,” when in reality most privacy incidents are unintentional or the result of human error. Common examples include:
Copy-and-paste culture
Client details dropped into emails or chat threads for speed.
Shadow tools
Helpful apps or AI assistants adopted by staff without organizational oversight or review.
Over-sharing access
“Everyone has the folder” because it’s simpler that way.
Vendor assumptions
Assuming a platform is safe because it is popular.
Casual consent
Collecting more information than needed, or collecting it without a clear purpose and explanation.
Busy-day mistakes
Attaching the wrong file, sending to the wrong person, leaving a form on a desk.
These are all common events seen by most organizations, even those with strong privacy programs. Mistakes happen. The goal isn’t perfection—that’s not realistic. The goal is fewer blind spots, better habits, and a simple plan for when things go wrong.
What Good Privacy Stewardship Looks Like in Practice
You don’t need a big budget or a department of specialists to get this right. Start small, build momentum, and keep it practical.
Be transparent
Ensure your organization communicates its practices clearly to those you serve. Review your practices regularly and follow through on what you say you do. When you collect information, explain why you need it, record consent, and provide straightforward ways to opt out.
Use basic safeguards
Ensure basics like multi-factor authentication, strong (and unique) passwords, and data encryption are used on the systems you rely on. The more sensitive the data, the stronger the safeguards should be. Choose tools purposefully. Before adopting a new system, ask simple questions: What data does it collect? Where is it stored? Who can see it? How can we delete it?
Minimize the data and access points
Give staff and partners access to what they need to do their work, not to everything by default. Schedule a periodic cleanup of old paper and electronic files—including emails—and get rid of or anonymize records you no longer need. Less data means less risk.
Provide awareness training
Employees, volunteers and board members should have a solid understanding of their roles and responsibilities in protecting your organization and your community.
Plan for the “uh-oh”
Define a clear plan for responding to privacy incidents. When a mistake happens, how do people report it? Who responds? Who is informed and what steps do you take? Write it down, keep it short, and make sure everyone knows where to find it.
None of these steps require advanced technical knowledge. They require leadership attention, clarity, and a bit of discipline.
Book a Privacy Workshop for Your Non-Profit Team
Training is often the quickest way to build shared understanding without adding more to-do lists. The goal isn’t to pass a test. The goal is to help your team:
Spot the small moments where risk hides
Understand what to do instead
Feel confident speaking up early when something isn’t right
My privacy workshop for non-profits is designed to do exactly that. I use plain language, real-world examples, and practical steps you can put in place the same day. In this workshop designed for non-profit leaders, you’ll master the privacy essentials you need to protect your organization.
If your team would benefit from clearer guardrails and better habits, I’d be happy to help you build them. Contact newpact today to book a privacy risk workshop for your team.

