A spreadsheet of donors, with names, addresses, and gift amounts, sits in the personal Google account of a former volunteer who left the organization six months ago. Nobody remembers this, until the volunteer happens to resurface one day.
Nothing bad happened. This time. But the list of the organization's most loyal people spent six months outside its control, in the hands of someone with no connection to it anymore, and the organization didn't even know. Donor data is trust, squared, and it deserves to be treated that way.
When someone donates to an organization, they're trusting it not just with money, but with information about themselves: name, address, sometimes more. A leaked donor list hits reputation harder than many other mistakes, because it betrays exactly the people who were closest to the organization. Protecting this data doesn't require bureaucracy, just minimal hygiene and one short policy.
A donor performs a double act of trust: giving money and revealing themselves. They expect the organization to handle their information carefully, because they were generous. A leak or carelessness with this data feels like a betrayal, and it hits the most valuable circle there is, the people who've already proven their loyalty.
That's exactly why carelessness with donor data is more dangerous than many other operational mistakes. Losing a grant stings, but it's recoverable. Losing the trust of a loyal donor whose data leaked because of the organization is much harder, and often the people that donor tells about it leave too.
There aren't many rules, and they're simple. Data lives in one place, an organizational account, not in staff and volunteers' personal emails and spreadsheets. Access gets granted by role and, critically, revoked when someone leaves the organization, exactly the gap that was gaping open in this lesson's opening scene.
The organization doesn't store payment data at all: card numbers and bank details are the payment processor's job, and a properly run organization simply doesn't hold onto them. Exported lists don't wander through personal emails "to get some work done from home." And one rule stands apart: promises to donors get honored literally. If you promised anonymity, that means real anonymity. If you said "we don't share your data," that means with no one, ever, no exceptions for "well, they're practically family."
All of this is worth writing down, but not as a legal treatise. One page is enough: what the organization collects, where it's stored, who has access, and what it never does. This isn't a document for a regulator, it's an agreement the team makes with itself, recorded so it can be handed to a new person and shown to a donor if they ask.
A mini-policy like this has double value. It sets clear rules inside the team, so data doesn't scatter across personal accounts, and it works as a signal of trust outward: an organization willing to show how it handles donor data looks more serious than one that's never thought about it. One page closes both internal discipline and external trust.
Below is a builder for a data mini-policy: from your answers about what the organization actually collects and where it stores it, it assembles a one-page document ready to use internally and to show a donor.
Your data mini-policy in your Binder, plus a copy in your volunteer and staff onboarding materials. Every new person who gets access to donor data should know these rules from day one, not learn them after a list has already scattered across personal inboxes.
Does a small organization need a formal data policy?
A formal legal one, probably not. A simple, one-page team agreement, yes: it prevents exactly the everyday leaks that happen from carelessness, not malice.
What do we do with data when someone leaves the organization?
Revoke their access to all organizational data immediately, and make sure they don't still have exported copies in personal accounts. Do this the same day, not eventually.
Can donor data live in the founder's personal spreadsheet?
Better not to. Data should live in an organizational account, separate from a personal one, so it belongs to the organization, not to a specific person, and doesn't leave with them.
What if we promised a donor anonymity, but really want to mention their gift?
The promise gets honored literally: anonymity means anonymity. Breaking it for a nice mention betrays trust, and getting it back is nearly impossible.
That completes the organization's operating engine: people are set up correctly, risks are covered by insurance, data is protected. Next, the course moves to its most distinctive and most sensitive module: how a founder lives in two worlds at once, nonprofit and business, without breaking the logic of either. The next lesson is about the two structures built around one founder.
The material in this lesson is educational and drafted for review by your attorney and CPA. This course does not replace professional advice and makes no promise of outcomes.