Learn what Defines Personal Information
States such as Arizona and Massachusetts have enacted laws that hold organizations more accountable for the personal information they hold. The definition those two states use for personal information is generally good guidance and goes like this:
It begins with a natural (human) person's first name or first initial and last name, in combination with any one or more of the following data elements, when the name and data elements are not encrypted:
Social Security number,
Driver's license number or identification card number, and
Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person's financial account. Source: Non-profit Times - http://www.nptimes.com/08Nov/npt-081115-3.html
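The definition above is a decision rule, and a data-inventory review (the first step of the program described further down) is easier when that rule is written down as code. The following is an added example, not part of the original article or the cited source: a small classifier that applies the MA/AZ-style definition to a record and reports which data element triggered it. The record layout (field names such as `first_name`, `ssn`, `account_number`, and an `encrypted` set listing fields stored encrypted) and the sample records are constructed for this example.

```python
"""Classify records under the MA/AZ-style definition of personal information.

A record is personal information when it holds a first name (or first initial)
plus a last name, together with at least one of: SSN, driver's license or ID
card number, or a financial account number combined with a code that would
give access to the account. Encrypted fields do not count. The record layout
and sample data below are constructed for this example.
"""
from typing import Dict, Iterable, List

# Data elements that, paired with an unencrypted name, trigger the definition.
ELEMENT_FIELDS = ("ssn", "drivers_license", "id_card_number")
# A financial account number counts only together with an access code.
ACCOUNT_FIELD = "account_number"
ACCESS_FIELDS = ("security_code", "access_code", "password")


def _present(rec: Dict, name: str, encrypted: set) -> bool:
    """True when the field is non-empty and stored unencrypted."""
    return bool(rec.get(name)) and name not in encrypted


def has_name(rec: Dict, encrypted: set) -> bool:
    """First name or first initial plus last name, neither part encrypted."""
    first = (rec.get("first_name") or "").strip()
    last = (rec.get("last_name") or "").strip()
    if not first or not last:
        return False
    return "first_name" not in encrypted and "last_name" not in encrypted


def classify(rec: Dict) -> List[str]:
    """Return the data elements that make the record personal information ([] if none)."""
    encrypted = set(rec.get("encrypted", ()))
    if not has_name(rec, encrypted):
        return []  # no (unencrypted) name, so no combination is formed
    reasons = [f for f in ELEMENT_FIELDS if _present(rec, f, encrypted)]
    if _present(rec, ACCOUNT_FIELD, encrypted) and any(
        _present(rec, f, encrypted) for f in ACCESS_FIELDS
    ):
        reasons.append(ACCOUNT_FIELD)
    return reasons


def is_personal_information(rec: Dict) -> bool:
    return bool(classify(rec))


def scan(records: Iterable[Dict]) -> List[int]:
    """Indexes of records that fall under the definition, for an inventory report."""
    return [i for i, rec in enumerate(records) if is_personal_information(rec)]


# Constructed sample records (values are placeholders, not real data).
SAMPLE_RECORDS = [
    {"first_name": "J", "last_name": "Smith", "ssn": "000-00-0000"},           # initial + SSN
    {"first_name": "Jane", "last_name": "Doe", "account_number": "1234567890"}, # account only
    {"first_name": "Jane", "last_name": "Doe", "account_number": "1234567890",
     "security_code": "0000"},                                                # account + code
    {"first_name": "A", "last_name": "Lee", "ssn": "000-00-0000",
     "encrypted": {"ssn"}},                                                   # SSN encrypted
    {"last_name": "Roe", "drivers_license": "X0000000"},                      # no first name
    {"first_name": "Bo", "last_name": "Ng", "ssn": "000-00-0000",
     "encrypted": {"first_name", "last_name"}},                               # name encrypted
]

if __name__ == "__main__":
    for i, rec in enumerate(SAMPLE_RECORDS):
        print(i, classify(rec) or "not personal information")
    print("flagged:", scan(SAMPLE_RECORDS))  # flagged: [0, 2]
```

Records 1, 3, 4 and 5 are not flagged: an account number without an access code, an encrypted SSN, a missing first name, and an encrypted name each fail one leg of the definition. A real inventory script would feed exported rows through `classify` rather than the constructed list.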
How to Start a Data Privacy Program
So where does a non-profit start? Start at the top!
According to Non-Profit Technology News, organizations can begin doing the following to lower the risks associated with collected data:
Begin with a top-to-bottom review of all sensitive or confidential information that's in-house;
Assess what data must be kept, what can be stored in (and easily accessed from) a remote location, and perhaps most important, what can be discarded;
Determine who needs access to the data and why, and provide only those people with password-protected access to the data;
Make sure that the data you do have is backed up on a regular basis in a secure, remote location;
If your organization can afford it, hire an independent security expert to review your data security policies and procedures. ("It never fails to surface things that never really were an issue to anyone," says Hart.)
Don't store complete credit card information on site;
Limit physical access to servers;
Be aware of what confidential and sensitive information is on printed (paper) files, and make sure that all such files are kept secure at all times;
Make certain that your Web site complies with fundamental, industry-standard encryption and security measures in the processing of personal information and donation collections.