Nonprofit commanders, get ready for a journey into the universe of digital compliance. Your mission, should you choose to accept it: protect the data of your valuable donors and beneficiaries. Join us to understand how Law 25 specifically applies to your nonprofit.

Why must your nonprofit comply with Law 25?

Don’t be mistaken, nonprofits are not exempt from Law 25. In fact, your nonprofit collects a variety of sensitive data:

  • Donor information

  • Beneficiary contact information

  • Member and volunteer data

  • Bank information for recurring donations

  • Mailing lists for newsletters

In addition to complying with Law 25, your transparency in data management will strengthen the trust of your donors. Follow the 5 steps below to adopt exceptional data management practices.

5 steps to bring your nonprofit into compliance with Law 25

1 – Take inventory of the data collected

Start by taking inventory of all the data your nonprofit collects, like an astronaut mapping a new planet:

  • What information do you collect?
  • How is it collected?
  • Where is it stored?
  • Who has access to it?
  • How long is it kept?

2 – Appoint a data protection manager

This step lets you appoint your ‘data protection captain.’ Under Law 25, the person with the highest authority in your organization (typically the executive director) is responsible for the protection of personal information by default; that role can be delegated in writing, and the title and contact information of the person in charge must be published on your website. The role varies depending on the size of your nonprofit.

For a small nonprofit, the person responsible can be:

  • A member of the management team
  • The senior coordinator
  • A volunteer with expertise in technology

Their responsibilities:

  • Maintain a simple data register
  • Manage basic access requests
  • Train volunteers on best practices
  • Be the point of contact for the Commission d’accès à l’information (CAI)

For a medium-sized nonprofit, the person responsible can be:

  • A part-time dedicated employee
  • A member of the existing IT team
  • A trained administrative manager

Their responsibilities:

  • Develop data protection policies
  • Oversee staff training
  • Manage security incidents
  • Update processes

For a large nonprofit, the person responsible can be:

  • A full-time dedicated employee
  • A support team
  • Representatives from each department

Their responsibilities:

  • Overall protection strategy
  • Frequent audits
  • Ongoing training program
  • Risk management

3 – Update your consent forms

Your donation and registration forms must now explain why you collect the data and what it will be used for, and give people the option to choose what information they share and to withdraw their consent later.

When creating new forms or modifying existing ones, make sure to use simple and accessible language for the users of your website.

Our pilots can help you get started with the Law 25 compliance process:

  • Setting up a dedicated privacy policy page

  • Setting up a consent pop-up banner

  • Setting up the appropriate data collection tags

  • Verification audit of previous installations

4 – Secure your data

To strengthen data protection, we suggest implementing these best practices:

  • Use strong, unique passwords.
  • Make regular backups and test that they can be restored.
  • Keep your antivirus software and systems up to date.
  • Limit access to authorized persons only.
  • Enable two-factor authentication.
  • Provide ongoing staff training.

The data collected must be protected like a space station protects its crew. Law 25 does not prescribe these specific controls, but it does require security measures that are reasonable given the sensitivity of the information, its purpose and the risk involved. These practices meet that bar, limit data leaks and help you gain the trust of your donors.

5 – Prepare your procedure in the event of a leak

Even the best space stations can leak. Prepare an emergency plan.

Document what information was compromised, how many people are affected and how the leak occurred.

Contain the problem yourself or with your IT manager. Specialized skills are often required, so contact external cybersecurity experts for help if needed.

Your IT team, your legal counsel, your human resources, your public relations team and your board of directors must be informed so that everyone delivers a consistent message.

You must inform the donors, volunteers, members and partners affected by the breach. Law 25 requires it: when a confidentiality incident presents a risk of serious injury, you must notify the Commission d’accès à l’information (CAI) and every person whose personal information is concerned, and you must record every incident, whatever its severity, in an incident register.

What are the risks of non-compliance with Law 25?

Like a spaceship without a protective shield, a non-compliant nonprofit faces serious dangers.

  • Financial sanctions: the CAI can impose administrative monetary penalties of up to $10 million or 2% of worldwide turnover, and penal fines can reach $25 million or 4% of worldwide turnover. Sanctions of that scale can seriously impact your ability to pursue your social mission.
  • Reputational risks: you could lose the trust of your donors, possibly leading to a reduction in donations and community support.
  • Operational consequences: your data collection activities could be suspended and monitored by the CAI (Commission d’accès à l’information).

Compliance with Law 25 may seem like a journey into the unknown, but with the right tools and guidance, your nonprofit can safely navigate this regulatory space. By following these steps, you ensure compliant data protection while building trust with your donors.

Lost in Law 25? Our pilots will guide you to the right resources, free of charge.