The Better Deal for Data™ Standard
The Better Deal for Data Declaration and Commitments
Declaration. We make the following commitments to “You,” all of the individuals or organizations that we serve and whose data we touch. We make these commitments to You about “Your Data,” nonpublic information related to You which we collect, analyze, store, and/or share.
- Purpose. We are using Your Data to benefit You, your community, humanity, and the planet, not for private gain or profit.
- Ownership. We don’t claim ownership of Your Data.
- Control. We will delete Your Data, correct it, or transfer it to You if You ask.
- Monetization. We will not monetize Your Data by providing it to third parties for compensation.
- Protection. We will steward Your Data with care, and comply with applicable data privacy laws.
- Research. If we or a trusted partner do research based on Your Data, we will follow best practices around the anonymization of personal data, and published research papers or reports will be made available to You for free.
- Binding. We will be legally bound by these Commitments, and anyone we share Your Data with will be similarly bound.
The Better Deal for Data Standard
Introduction
The Better Deal for Data (BD4D) is a lightweight data governance standard for the social sector. It offers a practical alternative to the norm of collecting extensive data on individuals and organizations, and often using that data against their interests. In adopting the BD4D, and publicly declaring that they will uphold its seven Commitments, organizations will demonstrate that their data practices are trustworthy.
At the core of the BD4D is its Declaration and seven Commitments. These are plain language statements about an organization’s use of data. The Commitments are supported with explanatory text that details when the Commitments apply and don’t apply, and what an organization needs to do to comply with each. The Declaration, Commitments, and explanatory text make up the BD4D Standard.
Trust is key to the Better Deal for Data. The BD4D is not formulaic legal language, although adopting organizations are expected to be legally bound to the commitments they are making. BD4D is not a technical standard, with extensive specifications on what is and is not permitted in data handling. It is a trust standard, defined by a set of principles that the great majority of nonprofit leaders would find reasonable and consistent with their nonprofit mission.
We believe that the concept of “no surprises” is essential to trust: that the individuals and communities served by an organization should never be surprised by its actions when it comes to data. Thus, a BD4D Adopter should provide information about its data handling in a spirit of honest transparency. Its community should find that the organization’s use of their data is clearly consistent with its social mission. Organizations looking for a loophole, or to do the bare minimum on data responsibility, are not good candidates for BD4D adoption.
We encourage organizations to see the BD4D Commitments as a floor, a set of minimum requirements that could and should be exceeded, and never as a ceiling that limits their commitment to ethical data practices. Organizations in many fields and jurisdictions will have more stringent practices or requirements placed on their data activities, and we see complying with such as being wholly consistent with the BD4D.
The last two years of our user research and outreach efforts have focused on nonprofits. This version 1.0 of the BD4D Standard has not been particularly designed with government agencies or for-profit businesses in mind, but we certainly would not discourage them from adopting these principles. If version 1.0 is successful with nonprofits, we hope to expand its scope in future versions.
We offer the BD4D Standard version 1.0 to the social sector in a spirit of co-creation. We hope it fills a major gap in data governance norms for nonprofits, helping establish practical and reasonable data use policies for the field. As additional organizations adopt BD4D, we expect to get more feedback on what could be improved to make it better fit for purpose.
Declaration
We make the following commitments to “You,” all of the individuals or organizations that we serve and whose data we touch. We make these commitments to You about “Your Data,” nonpublic information related to You which we collect, analyze, store, and/or share.
What this means in practice.
In adopting the BD4D Standard, an organization makes and upholds a set of promises to all the people and communities it serves, and specifically to those whose data it collects, uses, and shares.
Defining the parties and the data.
- “We” is defined as the organization that has adopted Better Deal for Data (the “BD4D Adopter”). This may be an organization that collects data directly, an organization that stores data, an organization that analyzes or processes data, or an organization that uses data to create additional products such as datasets, reports, or AI models based on the data. A single organization may engage in one or more of these activities, and several organizations might touch the same raw or processed data. Data is often processed in sequence by multiple entities, and the BD4D Adopter may be touching data considerably downstream from the original data collector.
- “You” is defined as the people and organizations served by the BD4D Adopter organization, and whose data is being collected, analyzed, stored, and/or shared. These people and organizations have a right to be concerned about how data about them is used. Multiple levels of people and organizations might be considered “You” with respect to the same data.
- For example, imagine a BD4D Adopter that offers a software tool for community-based organizations to collect data about individuals in their communities. In this case, the “You” includes both the community-based organizations and the individuals in those communities.
- “Your Data” is defined as data and information where “You” would have an expectation that the data would not be made public. This includes data which is collected from, and about, individuals. In short, any nonpublic information that could be reasonably linked to an individual or their household is part of “Your Data.”
- Examples include personal and sensitive data such as name and address, employment, financial, or medical information, identifiers such as a driver’s license or passport, geographic location, property records, physical characteristics, biometrics, behavioral data, the content of communications, and more.
In addition, the data of organizations, such as information about their internal operations, or their employees, customers, beneficiaries, or users, would also be part of “Your Data,” unless it was collected or shared with the expectation that the data would be made public.
What a BD4D Adopter needs to do.
In making these Commitments, an organization must ensure that its operations and data practices fulfill the requirements of the BD4D Standard, particularly with respect to its handling of the data of individuals, groups of individuals, and organizations, referred to in the Commitments as “You.”
- It must ensure that its consultants, subcontractors, and vendors meet applicable requirements of the Standard.
- It must respect any additional commitments made to data subjects and stakeholders regarding further restrictions on data access, publication, or sharing.
When does this Declaration apply?
This Declaration applies to all data-related activities of a BD4D Adopter for nonpublic data which meets the definition of “Your Data” above. This includes data collected, stored, or shared in analog or digital forms. The Commitments apply equally to paper and printed data, locally saved documents and spreadsheets, and large datasets stored with a cloud service. This Declaration also applies to human and machine data processing that is not specific to collection, analysis, storage, and/or sharing.
When does this Declaration not apply?
This Declaration does not apply to data that cannot be directly associated or linked to an individual, organization, or community.
“Your Data” does not include:
- Processed or downstream data which is no longer linked to an individual or community.
- Datasets or reports that effectively anonymize the data, such as a nonprofit impact statement (“we served more than one million hot meals in 2025”), or a research report (“a transition to no-till farming practices resulted in an average fertilizer expense reduction of 22%”).
- Data collected with the expectation that it would not be kept as confidential, such as information being gathered for a public directory, as long as that expectation was explicitly communicated and agreed to by the data stakeholders who meet the definition of “You.”
- Data which was collected with the explicit intent of making it open, as long as that intent was fully communicated to data stakeholders who meet the definition of “You.”
- Responsibly sourced data which has been made open or publicly available through the deliberate action of the associated data subjects, including public government data or records.
- Collections of de-identified data which are only made available to third parties who agree to not re-identify the underlying data.
- AI models (including weights) built on top of, or trained on, data, as long as the original data cannot be extracted from such a model.
- Data about third parties who are not providing data directly to, nor are served directly by, the BD4D Adopter or its partners, where the purpose of this data collection would be to support the interests of the communities served, and not the third parties. For example, a human rights organization that serves victims and witnesses, and collects information from them about human rights abusers, does not need to make the BD4D Commitments to the abusers about their data provided by the affected communities.
1. Purpose
We are using Your Data to benefit You, Your community, humanity, and the planet, not for private gain or profit.
What this means in practice.
The Better Deal for Data starts with the good intent of the organizations that adopt the BD4D Commitments. These adopters back up this good intent with their actions, using data to support and improve the welfare of the individuals and communities they serve, rather than to create commercial value to enrich themselves. No one should be surprised about the data practices of a BD4D Adopter, especially not stakeholders who meet the definition of “You” in the BD4D Declaration.
What a BD4D Adopter needs to do.
- A BD4D Adopter must consider the people it serves, and collects data from, to ensure that its data activities clearly align with the community’s best interests, and that the benefits of the organization’s work actually flow back to those individuals or communities.
- It must engage its community to understand members’ expectations, ideas, and concerns about data collection, use, and sharing, aligning its activities accordingly. Its community should not be surprised by the organization’s data practices or activities.
- It must balance the potential for social benefit with the risk of human exploitation or harm resulting from its data practices when making decisions about data use.
- It must communicate sufficiently to all its stakeholders about how, and why, collected data will be used, shared, and stored. This often includes transparent disclosure about the organization’s data uses and data management practices, and the partners, vendors, and others who may also access that data.
- It must provide channels for its community to communicate directly with the organization about the organization’s activities or data practices.
- A BD4D Adopter must be consistent: it cannot publicly declare its intent to abide by the Commitments, and then make material exceptions to those Commitments, whether explicitly in practice, in its terms and conditions, or in separate policy statements.
When does this Commitment apply?
- Data use is contextual: what is appropriate for one organization might be entirely inappropriate for another. There are, however, some common practices that are generally acceptable or unacceptable for a BD4D Adopter.
- For example, analyzing data about how people interact with a service in order to improve a program’s benefit, or sharing aggregated and anonymized data for funder or regulatory reporting, would both be acceptable.
- Conversely, selling or trading a list with the names and phone numbers of program clients or donors, even if the list is being sold or traded to an aligned nonprofit organization, is not acceptable.
- Private gain or profit in the context of this Commitment pertains to for-profit activities, or the active selling or trading of nonpublic data that meets the definition of “Your Data.”
When does this Commitment not apply?
- This Commitment does not apply to an organization’s use of public government, open, or responsibly sourced commercially available data or information.
- For example, a public interest organization compiling public data and offering it for a fee does not contradict this Commitment.
- This Commitment does not apply when an organization generates revenue through programs that include, or are informed by, aggregated data, as long as that earned income is then used to support the organization’s programs, for the benefit of the organization’s community, or for greater social good.
2. Ownership
We don’t claim ownership of Your Data.
What this means in practice.
- When an organization collects data from individuals or communities under the Better Deal, that organization does not assume legal ownership of the raw data provided by those individuals or communities.
- This also means that the individual or community that provided the data may also use their own data for any other purpose, including contributing it to a commons, making it open, or monetizing it if they have a way to do so.
What a BD4D Adopter needs to do.
Organizations adopting the Better Deal for Data should not assert an ownership interest in data that meets the definition of “Your Data,” in contrast with the practices of many for-profit companies.
When does this Commitment apply?
This Commitment applies to any data that would qualify as Your Data under the Declaration, even if the individual or community providing the data was compensated for their time or participation.
When does this Commitment not apply?
- A BD4D Adopter may transform collected data through aggregation, anonymization, or other means, so that individuals or communities can no longer be reasonably identified or linked to the new dataset. This “processed data” may be used in many different ways, from creating new programs, reporting, or research, to informing policymakers, or being shared with other organizations that similarly align with the BD4D Commitments.
- Processed data, and any products or services that are derived from it, are owned by the organization that created them. However, this processing does not remove the obligations of the Purpose and Research commitments.
3. Control
We will delete Your Data, correct it, or transfer it to You if You ask.
What this means in practice.
Individuals or communities whose data is being collected, stored, used, and/or shared by an organization adopting the BD4D Commitments must also have the ability to request that their data be deleted, corrected, or provided to them.
What a BD4D Adopter needs to do.
- The organization must have a way for someone to submit such a request (often referred to as a “Data Subject Request”), if it holds data meeting the definition of “Your Data.” This may be via a general, regularly monitored email account, or it may be part of a larger, more complex compliance and fulfillment system.
- When a request is received, the organization must acknowledge it and respond in a reasonable timeframe. If an organization has the data described in the Data Subject Request, it should verify the identity and authority of the individual (or organization) making the request; however, care must be taken to minimize the amount of personal information needed to do so.
- Internally, there must also be a process in place with which to identify the requested data and all its locations, and then to remove, edit, or provide it securely to the data subject in a usable digital format, all at no cost to the requestor.
When does this Commitment apply?
- This Commitment applies both to data that was initially collected or originated by the BD4D Adopter, and to data that the organization received from others that meets the definition of “Your Data.” If this data was received from others, the adopting organization should generally forward the request to the original data collector, regardless of whether they have also adopted the Commitments.
- Likewise, if the data has been shared by a BD4D Adopter to others, then the adopting organization should pass the request to the data recipients for appropriate correction or deletion.
When does this Commitment not apply?
- In all cases, the BD4D Adopter must respond to the request. However, there are some cases where the request itself may not be fulfilled, as noted below.
- If an organization does not save the data it collects, or no longer has access to it in a form where it can be identified for deletion, correction, or transfer, then any requests to do so cannot be fulfilled.
- Some organizations, especially in regulated fields like finance or healthcare, may be subject to data retention or records laws which require them to retain copies of the data for a certain amount of time. In this case, the organization must still respond to the requestor, explaining any such limitations.
- Data may have been made public, with the explicit permission of the data subject, or been aggregated as part of a larger dataset, such as those used for research or reporting. In these cases, a request to delete or correct the data will only affect any future updates or uses of that data in its original and identifiable form, not any existing aggregation, anonymized dataset, or publication.
4. Monetization
We will not monetize Your Data by providing it to third parties for compensation.
What this means in practice.
The first of the BD4D Commitments speaks to their Purpose: that data will be used for good and not for profit. This Commitment expands on the monetary element of that Commitment.
What a BD4D Adopter needs to do.
- A BD4D Adopter must not actively sell any data it has collected that qualifies as Your Data, or that can be reasonably linked directly to the individuals or communities it serves.
- An organization must consider its data sharing practices to ensure that it does not make such data available as part of partnerships or transactions involving financial, in-kind, or quid pro quo consideration.
- If a BD4D Adopter shares aggregated or de-identified data for economic gain, it must clearly communicate that it does so to those whose data is involved.
- For example, a BD4D Adopter operating a subscription-based data exchange platform which includes de-identified data subject to the BD4D Commitments must ensure that it has communicated such use to those whose underlying data (“Your Data”) is included in the platform. It must also ensure that its subscribers and partners have agreed (a) not to re-identify the data, and (b) to the applicable BD4D requirements, such as those set forth in the Binding commitment.
When does this Commitment apply?
This Monetization commitment applies whenever an organization that has adopted the BD4D Commitments actively exchanges or shares Your Data, or makes it available to others who may directly profit from it.
- Sharing raw data about an organization’s beneficiaries in exchange for compensation or economic gain is not acceptable under this Commitment, even if those funds are intended to support the organization’s services. For example, sharing the personal contact or case information about a group of clients to a company that markets related services to those clients is not acceptable.
- Similarly, receiving payment or discounts for providing donor lists or email addresses to a company that specializes in lead generation is not acceptable under the Better Deal, nor is providing those lists in exchange for access to funder leads from that same company.
- Marketing partnerships that depend upon a third party placing a web beacon on an organization’s website specifically in order for that third party to track and monetize individual visitors’ behavior are not acceptable under this Commitment. Cases where the organization earns revenue based on purchase behavior of the people and organizations it serves, such as clicking a third-party link on the organization’s blog to buy a product the blog recommended, are allowable only if such links are clearly marked as compensated.
Data subject to the BD4D Commitments should not be treated as a data asset if an organization shuts down, receives investment funds, or enters into a joint venture, merger, or acquisition. While in some cases this may be legally mandated, a BD4D Adopter must make best efforts to notify those whose data is affected, and provide them adequate opportunity to delete their data prior to this type of transaction.
When does this Commitment not apply?
- All organizations require funding to operate. For many, this requires grant proposals, impact reporting, and third-party audits, many of which contain data about programs, beneficiaries, staff, or donors. Thus, this Commitment does not apply to anonymized, aggregated, or other processed data provided in order to receive funding, or fulfill grant requirements, as long as the data cannot be linked to a specific individual.
- For example, reporting that “our programs delivered services to 25,000 children last year,” or “more than 100 donors contributed nearly $1MM during our general campaign,” are acceptable under this Commitment.
- This Commitment does not apply to identifiable data that may be provided to auditors or attorneys, who are legally obligated to keep such data confidential.
- This Commitment does not apply when an individual, organization, or community voluntarily chooses to share their own data for their own benefit, including economic rewards.
- For example, a rancher might elect to share information about their rangeland, herd movement, forage, and grazing patterns in exchange for payment to them or their community, or to receive services using that data. In general, the BD4D supports data sharing that economically benefits parties meeting the definition of “You,” where the party in question is actively choosing to share such data.
- Furthermore, an organization that facilitates such an exchange may retain a reasonable fee to defray their costs of providing this assistance or service, as long as its primary objective is to benefit the individual or community and not private enrichment or profit.
- This Commitment does not apply to datasets which include data about individuals or organizations that is publicly available and responsibly sourced.
5. Protection
We will steward Your Data with care, and comply with applicable data privacy laws.
What this means in practice.
Adopters of the BD4D Commitments have a duty of care to be diligent, with the resources they have, to adhere to best practices and legal requirements for data privacy, protection, and security.
What a BD4D Adopter needs to do.
- An organization that has adopted the BD4D Commitments must establish reasonable administrative, physical, and technical safeguards so that data covered under BD4D is kept securely, and cannot be accessed by unauthorized parties.
- For example, emailing an unprotected spreadsheet of donor, client, or employee records puts that data at risk of exposure, and would not be acceptable. Sharing that data via a link to secure document storage, with access limited to authorized users, would be.
- The organization must follow best practices for data minimization and retention, collecting only what data it needs for its stated purposes, and retaining it either (a) only as long as is necessary for the organization’s intended work, or (b) as long as required by applicable law.
- All staff, advisors, and volunteers who can touch the data must be trained in proper data handling procedures, including confidentiality and security.
- If a data or security breach results in unauthorized disclosure of sensitive data, affected data stakeholders should be notified as soon as reasonably possible or as required by law.
- Depending on where an organization operates, and who its data stakeholders are, it may be subject to one or many (sometimes conflicting) regulations with regard to data privacy and protection. It is the responsibility of the organization adopting BD4D to be aware of the laws that apply to it, and to take steps to protect all of its clients or users equally.
When does this Commitment apply?
- This Commitment applies to data in both analog (e.g. paper) and digital forms.
- It applies to data in use, meaning data being actively worked with, in transit, meaning data which is being moved or transmitted, and at rest, meaning data which is being stored in a cabinet, on a device, or in the cloud.
- When using online tools, including AI, data storage, records management, email services, or social media, an organization must maintain the same level of confidentiality as it would offline.
- For example, the organization must ensure that its staff do not include confidential or personally identifiable information in insecure channels, such as posting such information on social media without permission, or inserting such data into a chatbot or generative AI prompt, where such confidential data is likely to be retained by the vendor, or worse, used to train commercial AI products.
When does this Commitment not apply?
This Commitment does not apply to data which is already public information, such as in a government publication, or to data which has been made open with the express consent of its data subjects.
6. Research
If we or a trusted partner do research based on Your Data, we will follow best practices around the anonymization of personal data, and published research papers or reports will be made available to You for free.
What this means in practice.
This Commitment means that researchers conducting primary research on behalf of, or together with, an organization adopting BD4D must take appropriate technical safeguards to protect any nonpublic data relating to individuals, and that those individuals or communities whose data is studied can access published work that is based on their data at no cost.
What a BD4D Adopter needs to do.
- Researchers associated with an organization that has adopted the BD4D Commitments must follow then-current accepted best practices for anonymization and de-identification of any nonpublic or other data related to an individual person which is used in its research.
- Organizations should consider which data is actually required, and how different data practices may affect risk. For example, location data may not need to be collected precisely, as it can often be linked to an individual person. Similarly, the practice of data aggregation requires well-populated categories to be effective, because even with aggregate data there is a risk of re-identification.
- BD4D Adopters who are collaborating with external research affiliates or partners must ensure that those “trusted partners” have either (a) adopted the BD4D Commitments themselves, or (b) have agreed to similar terms under a formal agreement governing data sharing, in accordance with the BD4D Binding commitment. These may include other nonprofit organizations, academic institutions, think tanks, and for-profit companies.
- Release of anonymized data is not allowed if there is any possibility of re-identification (which is often the case with detailed data). If there is such a risk, such data must not be released publicly, and any third party given access to such data must agree to not attempt to re-identify the data subjects.
- The free access requirement can be met by open access publication, or sharing on a public website, as long as the resulting publication can easily be found by data subjects. Otherwise, organizations must provide research subjects with a channel to directly request published papers or reports.
- In general, a BD4D Adopter should be transparent with its data stakeholders about the research it conducts based on their data, and why this research is beneficial to its community or society at large.
When does this Commitment apply?
- This Commitment applies to publications or reports that are published externally, or shared openly with third parties, by a BD4D Adopter. It does not require a BD4D Adopter to generate new reports or publications.
- It also applies to research conducted by an affiliate, partner, or recipient of data from a BD4D Adopter, if that research is carried out using data that is subject to the BD4D Commitments.
When does this Commitment not apply?
- In the case of research that is being conducted by a BD4D Adopter under Institutional Review Board (IRB) oversight, the research data practices required in this Commitment would not apply if the IRB requirements conflict with those contained in the Better Deal for Data. In this case, all other BD4D Commitments still apply, and the research organization must still make published research papers or reports available to those whose data was used in the study.
- This Commitment does not apply to research that is conducted only for internal usage (such as internal program improvement or impact measurement), or that is only shared confidentially with external program evaluation consultants or auditors.
- This Commitment does not apply to research conducted solely with public data, secondary sources, or other data that is not subject to the BD4D Commitments. For example, a research study or review article analyzing or interpreting others’ existing research on a topic, which does not include primary research sources under BD4D, would not be subject to this Commitment.
7. Binding
We will be legally bound by these Commitments, and anyone we share Your Data with will be similarly bound.
What this means in practice.
In adopting the Better Deal for Data, an organization is making a binding promise that it will follow these Commitments with respect to its data practices, and that it will require organizations with whom it shares that data to agree to the BD4D Commitments or similar data use policies. This promise may be legally enforceable in many regions.
What a BD4D Adopter needs to do.
- A BD4D Adopter must display, post, or link to the BD4D Commitments where they can be easily viewed by its staff and anyone whose data the organization collects, uses, or shares. For example, the Commitments may be published on a page on the organization’s website, incorporated into its data use or sharing agreements or policies, referenced in legal terms of service or privacy policies, and/or placed directly into an app or tool operated by the BD4D Adopter.
- Organizations that share data, as allowed under the Commitments, must ensure that the recipients of this shared data have committed to data practices that are consistent with the Better Deal for Data, or are BD4D Adopters themselves.
- If an organization ends its adoption of the Better Deal for Data, it must notify affected data stakeholders, and provide adequate time for them to request data deletion. Data collected, used, or shared prior to such notice shall continue to be subject to the BD4D Commitments.
- This Commitment does not require a BD4D Adopter to create new legal agreements. However, for the avoidance of doubt, organizations adopting the BD4D Standard should consult their own counsel for specific legal guidance.
When does this Commitment apply?
This Commitment applies to all organizations that adopt the Better Deal for Data.
When does this Commitment not apply?
This Commitment does not apply to the extent it conflicts with, or is legally superseded by, law or regulations that apply to a BD4D Adopter. Generally, in order to avoid negative surprises to affected data stakeholders, a BD4D Adopter should be transparent about any exceptions based on legal compliance.
Better Deal for Data Standard, Version 1.0
This work is licensed under CC BY 4.0. To view a copy of this license, visit http://creativecommons.org/licenses/by/4.0/