A business professional uses a laptop located on a table with a notebook on it.

How to Protect Donor Data During Online Fundraising Events

Online fundraising events have revolutionized charitable giving, enabling donors from around the world to contribute to causes they care about with ease. However, these events come with a significant responsibility—protecting sensitive donor data.

There are stringent regulations in place to protect an individual’s privacy online, and failing to secure donor data can result in legal consequences.

In this guide, we’ll explore four strategies for protecting donor data during online fundraising events. Whether you’re hosting a virtual silent auction, walkathon, or gala, these insights will help you take a responsible approach to fundraising and foster trust with your supporters.

Use Secure Platforms

The first step in hosting an online fundraising event is to invest in secure platforms that can facilitate giving while protecting sensitive information. These solutions may include:

  • Event hosting platforms and websites: The platforms and websites hosting online fundraising events are susceptible to various cyber threats. Implement web application firewalls (WAFs) and encryption (HTTPS).
  • Payment processing systems: Payment processing technology is at the heart of online fundraising, handling credit card transactions and other payment methods. It’s crucial to ensure that these systems encrypt data and are PCI-compliant.
  • CRM software: A Customer Relationship Management (CRM) system stores sensitive donor information, including contact details and donation history. To protect this data, conduct regular software updates.

Contact your software provider’s customer support team to inquire about their specific security measures. Understanding their security protocols will allow you to assess potential vulnerabilities and make informed decisions about your investment.

Implement Strong Access Controls

Access controls serve to safeguard donor data by regulating who can access, modify, or view sensitive information within your nonprofit’s systems. Take these steps to implement strong access controls:

  • Use strong, unique passwords: Encourage staff to use a password manager to generate and store unique passwords. Additionally, when asking donors to create login information for your event, ask them to create passwords that are difficult to guess by combining upper and lower-case letters, numbers, and special characters.
  • Implement two-factor authentication (2FA): Require donors, as well as your fundraising team, to use two-factor authentication when accessing donation portals or event management systems. This additional layer of security helps prevent unauthorized access, even if login credentials are compromised.
  • Restrict access: Only authorized personnel, such as administrators and trusted staff members, should have access to donor records. Conduct a thorough audit of your team to identify who requires access. Next, categorize donor data based on sensitivity, assigning appropriate permissions to each user role.

To ensure the continuity of fundraising efforts, establish procedures for emergency access in case of unforeseen circumstances or personnel changes. For example, before hosting an elementary school fundraising event, you might designate all permissions to the principal in the event that the fundraising team is out sick.

Educate Your Team

When it comes to data security, it’s important to ensure that your team understands the importance of safeguarding sensitive data and knows how to prevent breaches. Provide guidance on how to:

  • Avoid phishing. Train staff to recognize phishing attempts, which are often used to steal login credentials or distribute malware. Emphasize the importance of verifying the legitimacy of emails and links, especially those requesting financial information or login details.
  • Maintain data hygiene. Clean and up-to-date data is easier to monitor and analyze for signs of suspicious or unauthorized activity. Implement data hygiene best practices, including removing duplicate, outdated, or inaccurate records, to maintain data accuracy and integrity.

It can also be beneficial to conduct hands-on training sessions for your specific software. School Auction.net recommends designating a software lead to provide insight into each tool’s security features before and during the event.

Limit Data Collection

During the event, avoid collecting extraneous information that could put donor data at risk or complicate your data management processes. In most cases, you will only need to collect:

  • Contact details: Gather the donor’s contact information, such as email address, mailing address, and phone number. These are essential for sending donation receipts, event updates, and future communications.
  • Payment information: For processing donations, you’ll need the donor’s payment details, such as credit card number, expiration date, and security code. Ensure that you use secure payment processing methods and comply with PCI DSS standards to protect this sensitive information.
  • Donation amount: Record the specific donation amount or contribution made by the donor. This is essential for accurately acknowledging the gift, maintaining financial records, and cultivating relationships with donors.
  • Gift designation: If donors have specific preferences for how their contributions should be used (i.e. for a particular program or project), collect this information to ensure their wishes are honored.

According to NPOInfo, you may also need to collect information about donor communication preferences. Be sure to obtain explicit consent from donors if you plan to use this information for marketing purposes or share it with third parties. This is especially important in regions with strict data privacy regulations.


Remember, protecting donor data is not just a legal requirement; it is a testament to your organization’s integrity. Remain committed to data security before, during, and after hosting a nonprofit event and you will gain the trust of your donor base.