Playbook: The BD4D Standard

5. Protection

The Better Deal for Data Commitments
version 1.0


Protection. We will steward Your Data with care, and comply with applicable data privacy laws.

What this means in practice.

Adopters of the BD4D Commitments have a duty of care to be diligent, with the resources they have, to adhere to best practices and legal requirements for data privacy, protection, and security.

What a BD4D Adopter needs to do.

  • An organization that has adopted the BD4D Commitments must establish reasonable administrative, physical, and technical safeguards so that data covered under BD4D is kept securely, and cannot be accessed by unauthorized parties.
    • For example, emailing an unprotected spreadsheet of donor, client, or employee records puts that data at risk of exposure, and would not be acceptable. Sharing that data via a link to secure document storage, with access limited to authorized users, would be.
  • The organization must follow best practices for data minimization and retention, collecting only what data it needs for its stated purposes, and retaining it either (a) only as long as is necessary for the organization’s intended work, or (b) as long as required by applicable law.
  • All staff, advisors, and volunteers who can touch the data must be trained in proper data handling procedures, including confidentiality and security.
  • If a data or security breach results in unauthorized disclosure of sensitive data, affected data stakeholders should be notified as soon as reasonably possible or as required by law.
  • Depending on where an organization operates, and who its data stakeholders are, it may be subject to one or many (sometimes conflicting) regulations with regard to data privacy and protection. It is the responsibility of the organization adopting BD4D to be aware of the laws that apply to it, and to take steps to protect all of its clients or users equally.

When does this Commitment apply?

  • This Commitment applies to data in both analog (e.g. paper) and digital forms.
  • It applies to data in use (data being actively worked with), in transit (data being moved or transmitted), and at rest (data being stored in a cabinet, on a device, or in the cloud).
  • When using online tools, including AI, data storage, records management, email services, or social media, an organization must maintain the same level of confidentiality as it would offline.
    • For example, the organization must ensure that its staff do not place confidential or personally identifiable information in insecure channels, such as posting it on social media without permission, or entering it into a chatbot or generative AI prompt, where it is likely to be retained by the vendor or, worse, used to train commercial AI products.

When does this Commitment not apply?

This Commitment does not apply to data which is already public information, such as in a government publication, or to data which has been made open with the express consent of its data subjects.
