In the last few months, we've heard reports of crippling hacks of organizations that put their communities at risk. The fact is, civil society organizations (NGOs) that collect data to inform, educate, and activate communities are under attack. And this means our communities are under attack.
After listening to quite a few leaders in the civil society space, I learned that safe data collection and storage practices are rarely baked into the sense of responsibility we feel towards our communities. We know data is important, but we don't always think about how dangerous it can be to hold onto data we don't need. And we're not always thinking about our responsibility to the communities we serve from a digital security perspective.
So with Mozilla's Legal Team, I created Lean Data Practices for Civil Society Organizations, a framework for advocacy organizations to think about their data practices. In this day and age of hacks, breaches, and phishing attacks, how can we make it safe for people to join and participate in the resistance? How can we build trust and reduce risk to create a culture of safety for all?
Lean Data Practices encourage 3 main practices:
- Stay Lean
- Build in Security
- Engage Your Membership
Stay Lean:
- If you don't need a piece of data, don't collect it.
- If you need a piece of data, keep it for only as long as necessary, and anonymize it before you store it.
For example, at Mozilla we often delete data when we know we'll no longer need it. Email addresses that haven't interacted with content we've sent might get one reminder, but usually we delete them from our list 12 months after the last interaction. In other cases, around specific time-bound campaigns, if we've collected any information we'll often delete it within 120 days of the end of the campaign.
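As an added illustration of the Stay Lean rules above (example code, not Mozilla's own), the following Python sweep applies the two retention windows quoted in this post and pseudonymizes addresses with a keyed hash before they are stored; the record layout, the key handling and the sample dates are assumptions.

```python
# Added example, not Mozilla's code: a retention sweep that applies the two
# windows quoted in the post and pseudonymizes addresses before storage.
# The record layout and the keyed-hash approach are assumptions.
import calendar
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date, timedelta

LIST_INACTIVITY_MONTHS = 12               # leave the list 12 months after last interaction
CAMPAIGN_RETENTION = timedelta(days=120)  # drop campaign data 120 days after it ends


@dataclass
class Subscriber:
    email: str
    last_interaction: date


@dataclass
class CampaignRecord:
    email_token: str   # keyed hash of the address, never the raw email
    campaign_end: date


def months_before(d: date, n: int) -> date:
    """Calendar-aware 'n months ago', clamping the day to the target month's length."""
    y, m = divmod(d.year * 12 + d.month - 1 - n, 12)
    m += 1
    return d.replace(year=y, month=m, day=min(d.day, calendar.monthrange(y, m)[1]))


def pseudonymize(email: str, key: bytes) -> str:
    """HMAC-SHA256 of the normalized address. The key is kept outside the dataset,
    so the token can still de-duplicate sign-ups without the stored data holding emails."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()


def sweep_subscribers(subs, today):
    """Split subscribers into (keep, delete) under the 12-month inactivity rule."""
    cutoff = months_before(today, LIST_INACTIVITY_MONTHS)
    keep = [s for s in subs if s.last_interaction > cutoff]
    delete = [s for s in subs if s.last_interaction <= cutoff]
    return keep, delete


def sweep_campaign(records, today):
    """Keep campaign records only until 120 days after the campaign ended."""
    return [r for r in records if today - r.campaign_end <= CAMPAIGN_RETENTION]
```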
Build in Security:
- Limit access to the data to those who truly need it.
- Encrypt it while you're moving it.
- Know where you store your data and think about how best to protect it.
But does everyone who has access to the data NEED access?
What happens if a third-party vendor is breached? What obligation do they have to hand over the data they hold if subpoenaed by the government? These types of questions can also help guide which third-party vendors you decide to work with in the first place.
Engage Your Membership:
This sort of trust can help build and foster long-lasting relationships between members and organizations. Members join lists and donate to causes because they want to make a positive change in the world. Showing them that you're respecting their privacy while letting them contribute to a better world creates a wonderful, symbiotic relationship.