Data Privacy Day: Small Steps That Make a Big Difference for Nonprofits

Today is Data Privacy Day.

Data privacy is essential to the trust our organizations rely on. Data is a powerful resource – it helps us serve our communities, understand impact, and tell our story. It’s useful and necessary.

At the same time, every additional data point we collect and store increases risk – not just to our organizations, but to the people and communities we serve. Protecting data isn’t only about safeguarding systems. It’s about trust.

While data privacy can feel intimidating at first, there are a few straightforward steps and principles that go a long way toward reducing risk and strengthening trust.

Keep data secure

Enforcing strong, unique passwords, turning on multi-factor authentication, and using a password manager are easy, inexpensive, and proven ways to prevent most security incidents. Securing access to systems is one of the most effective first steps you can take to protect sensitive information.

Minimize the data you collect and keep

Data is essential for delivering programs and understanding impact. But it’s important to regularly ask why you need each data point – especially at the point of collection, such as application or intake forms.

If you need specific information to carry out your work – for example, banking details to pay a grantee – collect it and store it securely. But if you’re collecting data “just in case,” or don’t have a clear use for it, that’s an opportunity to pause and reassess. In many cases, data can be collected later, once there’s a clear and specific purpose.

Every extra data point you hold increases risk. Reducing the amount of data you sit on is one of the simplest ways to protect both your organization and your constituents.

Train your team to recognize phishing attempts

Phishing remains one of the most common ways organizations experience data incidents. Attackers rely on messages that feel urgent, familiar, or just convincing enough to slip through.

There are many accessible resources that can help teams learn simple techniques – such as the SLAM method – to spot suspicious emails and messages. Building awareness and creating a culture where staff feel comfortable pausing, asking questions, and reporting concerns early can significantly reduce risk.

Develop a simple incident response plan

Even with strong controls and training in place, things will still happen. That’s why it’s important to decide in advance how your organization will respond when – not if – a data privacy incident occurs.

An incident response plan doesn’t need to be complex. At a minimum, it should outline:

  • How incidents are reported
  • Who takes the lead
  • Who needs to be informed, and when
  • What systems may need to be secured or shut down
  • How the team pauses to assess the situation before reacting

The most important thing is that a plan exists and that people know where to find it. Without one, it’s easy to panic, act on incomplete information, or lack clear roles and accountability.


Data Privacy Day is a helpful reminder, but data privacy is really an everyday practice. Small, intentional steps can meaningfully reduce risk and reinforce the trust our work depends on.

If your organization is thinking about how to strengthen data practices without overloading your team, I’d be happy to explore how I can help.