Playbook: Adoption Guide

BD4D in Practice

As your organization begins to operationalize the BD4D Standard, you may find yourself wondering how certain practices align with the BD4D Commitments. In this section, we offer some pointers and examples.

icon: gear and wrench

BD4D and Third-party Tools

Most organizations use a variety of third-party services in the course of their day-to-day operations. Online platforms provide convenient, cost-effective tools for nonprofit administration. Unfortunately, some of the companies that provide these tools also use and trade your organizational and stakeholder data for their own growth or profit. A BD4D Adopter does not have to stop using these tools, but they should take all reasonable steps to protect Your Data as they use them. Many tools offer privacy and security settings which provide stronger data protections than are required by the Better Deal, and BD4D Adopters should choose these options whenever stakeholder data is at risk of being shared.

For any service that relies upon Your Data, the most basic question to consider is whether your community would be surprised by what happens to the information they’ve entrusted to you. For example, Facebook is known to be part of an extensive online surveillance ecosystem involving thousands of companies, and tracking billions of users’ actions. Its social media platforms are also used by many nonprofit organizations to engage with their communities, because that’s where their constituents are online. Thus, a nonprofit’s community members should not be surprised that Facebook is tracking their interactions with the organization.

We’ve listed several common categories below, along with recommendations for aligning your usage with the Commitments. If you use others that should be included, please let us know.

AI

It’s difficult to discuss third-party technology services without addressing machine learning and artificial intelligence. AI is now enhancing many commonly used tools, from writing and editing to video and web conferencing. While it can offer tremendous efficiencies, it can also put organizations, and their stakeholders, at risk.

  • Review vendor data and privacy policies to ensure that prompts or other information related to your outputs are not being retained or used to train public AI models.
  • Avoid entering confidential or sensitive data into commercially available chatbots or generative AI tools, or using these tools to analyze information which should not be made public.
  • If using notetakers, recording, or transcription tools, such as those for live or video meetings, ensure that you inform, and gain permission from, all participants, and respect any requests to stop their use.

Analytics

Website analytics services can offer a wealth of information to help nonprofit organizations improve site visitor experience, test new messaging, tailor their content, and more. These services work by tracking the behavior of people who visit your website, potentially raising data privacy concerns.

  • Ensure that the service you use is transparent about the data they collect, and how it is used and stored. Choose vendors that explicitly respect user privacy settings such as Global Privacy Control.
  • Limit the amount and granularity of data you track about each visitor: are you using that information to their benefit?
  • Disable or opt out of settings which identify your visitors, or allow the provider to sell or share visitor data to data brokers or other third parties.

CRM and Donor Database

Customer (or Constituent) Relationship Management and donor databases work in similar ways, and are invaluable for everything from case management to fundraising campaigns to records storage. As such, they are usually a central repository for large amounts of Your Data and sensitive information, accessed by many members of an organization’s team.

  • Confirm that constituent and donor information and financial records are not mined for vendor’s use, or shared to a provider’s advertising network or that of their partners. These lists should not be bought, sold, or traded by your organization or by your vendor.
  • Verify that information which includes Your Data or other confidential information–such as a custom view or an internal report–is private, and not accessible or sharable without authorization or on a public web page.
  • Practice regular “database hygiene” tasks: update contact records, delete records which are no longer needed, and ensure that user access permissions are current and appropriate.

Email Marketing

Email is an indispensable communication channel for announcements, newsletters, and outreach. Several email tools are built specifically for nonprofits, making it simple to create visually attractive designs, and easily manage both content and subscribers. Some of the most popular services also provide strong data privacy controls, which BD4D Adopters should enable as a default.

  • Your subscribers should all have opted in directly to receive your communications, and have a way to easily unsubscribe. Unsubscribe requests should be processed immediately, without creating a burden on requestors.
  • When setting up new campaigns, consider what performance data you actually need, and disable unnecessary tracking.
  • As with your databases, confirm that your recipients’ personal information is not combined or connected with a provider’s own database or advertising network, or to those of their partners. Subscriber lists must not be bought, sold, or traded, by you or by your vendor.
  • If sending bulk email without using an email marketing platform, use the BCC field to make sure your subscribers’ names and email addresses are not visible to other recipients.

Social Media

Social media has become a key channel to increase visibility for social sector organizations and their missions. Popular platforms, used responsibly, provide highly effective ways to actively engage a community, attract donors, staff, and volunteers, manage and promote events, and share milestones and stories.

  • Disable settings that allow a platform to track your followers’ behavior beyond the platform itself.
  • If you link to your social media from your website, manually create a link to your page instead of using the platform’s widget or sharing feature, as these can often (re)identify individuals once they’ve left your website.
  • Do not allow ad or content targeting based on Your Data. This is true whether selling ads on your page or placing ads on others’.
  • When posting content that features your community, make sure you have received permission to do so. This is especially true when tagging individuals in photos, videos, or posts that show location.

BD4D Commitments in Practice

Declaration

We make the following commitments to “You,” all of the individuals or organizations that we serve and whose data we touch. We make these commitments to You about “Your Data,” non-public information related to You which we collect, analyze, store, and/or share.

decorative checkmark

Do

  • Announce that your organization has adopted BD4D, and encourage your partners to adopt it as well.
  • Make BD4D part of your employee, consultant, and volunteer onboarding and regular training.
  • Regularly and systematically review how you work with Your Data.
decorative "x"

Don't

  • Announce that you have adopted BD4D and then never think about it again.

Purpose

We are using Your Data to benefit You, Your community, humanity, and the planet, not for private gain or profit.

decorative checkmark

Do

  • Clearly communicate your mission, and how and why you use Your Data, being transparent about your organization’s intentions and goals.
  • Encourage mission-driven organizations with whom you share data to also adopt the Better Deal.
decorative "x"

Don't

  • Obscure important information about your data use in jargon, legalese, or “fine print.”
  • Establish new policies, partnerships, or programs without thoughtful consideration of how they align with the BD4D Commitments.
  • Allow even anonymized data to be used in a way that creates risk or harm to those you serve.

Ownership

We don’t claim ownership of Your Data.

decorative checkmark

Do

  • Review data, partnership, and technology agreements and other legal documents to ensure that none claim ownership of data that meets the “Your Data” definition.
  • Communicate major changes in organizational mission or structure to your constituents promptly, with adequate means to request data deletion or transfer.
decorative "x"

Don't

  • Enter bankruptcy, shutdown, or corporate transfer proceedings that include Your Data as an asset.

Control

We will delete Your Data, correct it, or transfer it to You if You ask.

decorative checkmark

Do

  • Respond in a timely manner to inquiries about Your Data, including requests to delete, correct, or export it, even if you are unable to fulfill the request.
  • Provide any requested data in a format that can be accessed and used by a majority of non-technical users.
decorative "x"

Don't

  • Delete, correct, or transfer only part of the requested data without providing an explanation with reasonable details to the requestor.
  • Require payment or compensation for correcting, deleting, or transferring Your Data.

Monetization

We will not monetize Your Data by providing it to third parties for compensation.

decorative checkmark

Do

  • Review business transactions, relationships, and software tools to ensure that Your Data is not being analyzed, mined, or shared in exchange for economic value.
decorative "x"

Don't

  • Buy, sell, or trade donor lists or “lead lists” to companies brokering contact information or personal data.

Protection

We will steward Your Data with care, and comply with applicable data privacy laws.

decorative checkmark

Do

  • Limit access to sensitive data to those with a need to know and who also have strict confidentiality commitments.
  • Secure both analog and digital forms of Your Data.
  • Provide timely notification of any data breaches or unauthorized access to your community.
decorative "x"

Don't

  • Send unprotected documents containing Your Data via email or other insecure channels.
  • Assume that data privacy or protection regulations don’t apply to nonprofit organizations.

Research

If we or a trusted partner do research based on Your Data, we will follow best practices around the anonymization of personal data, and published research papers or reports will be made available to You for free.

decorative checkmark

Do

  • Proactively notify stakeholders if you use their data in research projects and publications, and provide them a simple way to request a copy.
  • Release publications and reports under “open access” provisions.
decorative "x"

Don't

  • Require data stakeholders to pay for access to research papers based on their data, or condition access on a value exchange.
  • Allow research partners to violate the terms of this Commitment.

Binding

We will be legally bound by these Commitments, and anyone we share Your Data with will be similarly bound.

decorative checkmark

Do

  • Ensure that data recipients’ data agreements and data uses align with BD4D whenever you share Your Data.
  • Immediately address practices that don’t meet the Commitments, and make reasonable efforts to rectify any damages.
decorative "x"

Don't

  • Ignore a stakeholder who asserts that you are misusing Your Data.
  • Publicly adopt the Commitments, but intentionally violate them in your organization’s day-to-day practices.
Previous

Implementation

Next

Resources