
Nonprofit Radio for May 5, 2025: PII In The Age Of AI & Balance AI Ethics And Innovation

Kim Snyder & Shauna Dillavou: PII In The Age Of AI

Artificial Intelligence and big data have transformed privacy risks by enabling malicious, targeted communications to your team that seem authentic because they contain highly accurate information. Kim Snyder and Shauna Dillavou explain the risks your nonprofit faces and what you can do to protect your mission. Kim is from RoundTable Technology and Shauna is CEO of Brightlines. This continues our coverage of the 2025 Nonprofit Technology Conference (#25NTC).

 

Gozi Egbuonu: Balance AI Ethics And Innovation

Gozi Egbuonu encourages you to adopt Artificial Intelligence responsibly, in a human-centered approach. First, be thoughtful with the threshold question, “Should we use AI?” If you go ahead: Create a thorough use policy; overcome common challenges like staff training and identifying champions; manage change intentionally; and more. Gozi is with Technology Association of Grantmakers. This is also part of our #25NTC coverage.

 


We’re the #1 Podcast for Nonprofits, With 13,000+ Weekly Listeners

Board relations. Fundraising. Volunteer management. Prospect research. Legal compliance. Accounting. Finance. Investments. Donor relations. Public relations. Marketing. Technology. Social media.

Every nonprofit struggles with these issues. Big nonprofits hire experts. The other 95% listen to Tony Martignetti Nonprofit Radio. Trusted experts and leading thinkers join me each week to tackle the tough issues. If you have big dreams but a small budget, you have a home at Tony Martignetti Nonprofit Radio.

Welcome to Tony Martignetti Nonprofit Radio, big nonprofit ideas for the other 95%. I’m your aptly named host and the podfather of your favorite hebdomadal podcast. Oh, I’m glad you’re with us. I’d turned dromatropic if you unnerved me with the idea that you missed this week’s show. Here’s our associate producer Kate to introduce it. Hey, Tony. Our 25 NTC coverage continues with PII in the age of AI. Artificial intelligence and big data have transformed privacy risks by enabling malicious targeted communications to your team that seem authentic because they contain highly accurate information. Kim Snyder and Shauna Dillavou explain the risks your nonprofit faces and what you can do to protect your mission. Kim is from RoundTable Technology, and Shauna is CEO of Brightlines. Then Balance AI ethics and innovation. Gozi Egbuonu encourages you to adopt artificial intelligence responsibly in a human-centered approach. First, be thoughtful with the threshold question. Should we use AI? If you go ahead, create a thorough use policy, overcome common challenges like staff training and identifying champions, manage change intentionally, and more. Gozi is with Technology Association of Grantmakers. On Tony’s Take 2. Tales from the gym in addition to my gratitudes. Here is PII in the age of AI. Hello and welcome to Tony Martignetti Nonprofit Radio coverage of 25 NTC, the nonprofit Technology Conference. We’re all together at the Baltimore Convention Center, where our coverage of 25 NTC is sponsored by Heller Consulting Technology services for nonprofits. Our subject right now is PII in the age of AI. Personally identifiable information in the age of artificial intelligence, safeguarding privacy in a data powered world plus we’re adding in the topic. Alright, already the show’s over. I wanna thank you all for coming. Uh, we’re, we’re here all week. Uh, be sure to tip your servers, um, and we’re adding in the topic a little more privacy please. Colon, diving into data privacy.
All right, because, uh, our guests, um. Ask to combine topics which made a lot of sense. Um, but, uh, before I introduce the guest, well, now, let’s do it this way. So we have, uh, stand by there. We have, uh, first is, uh, Kim Snyder. Kim Snyder, um. I gotta take a deep breath. I do, uh, Kim’s title. I’m gonna hyperventilate trying to get enough air to oxygen in. I’m only 140 pounds. I don’t carry enough in my lungs to carry this, to carry this title of virtual digital privacy Project and program officer. You know Joshua Pesca is thanked for that word salad of it’s all nouns. It’s all it’s all one adjective. 12 nouns. Joshua, you’re, you’re out. Anyway, and then CEO doesn’t get any easier. OK. Also with us, uh we have a special guest who’s gonna give a couple of syllables. Uh, let me introduce Miles. Miles, say hello. Hi everyone, it’s Miles with Fundraise up. Thanks Tony. My pleasure. Miles is sponsoring the hub next door at Fundraise Up, so I, I thought I’d give him a little. He asked to give a shout out, so I said sure. And uh they’re giving away free socks. That’s what fundraise Up is all about socks and what else do you do at fundraise. Right, so we help nonprofits raise more money with AI and we do that by not using any identifiable information and are completely compliant across the globe. All right, that’s what a segue and not even reversal incredible. All right, you’ve overstayed your welcome. That’s enough. OK. OK. OK, thank you, Miles. No, thank you. I, he was, I, I did invite him after he pleaded. OK. So we are talking about PII. So Miles, a perfect segue, beautiful segue into personally identifiable information. Uh, Amy, we’re gonna do the overview, so I’m gonna ask Kim. Virtual digital data, virtual digital privacy project and program officer. I’m gonna ask Kim Snyder. No, I’m gonna, no, I’m hitting it hard. Uh, so for an overview, why, why do we, why do we combine these two topics? 
What are our issues around personally identifiable information and, uh, and artificial intelligence? Kim Snyder. So they both center on the issue of personally identifiable information. So on the one hand we’re talking about what kinds of regulations exist, how do you manage your data I’m too far away. Don’t whisper, Kim. Everybody hears you. Oh, go ahead. I’m waiting. Um, now you, you edit this, don’t count on too many edits. Oh dear, OK, alright, so, um, we’re talking about personally identifiable information which for quite a while for the last couple of NTCs have been talking about this here and. For quite a while it’s been about more about regulation this year I have to say it’s about having our data out there and vulnerability and so looking at data management and how do you start to take stock of your data so that it is less vulnerable and the person the people whose data it belongs to is also less vulnerable and the other topic which I’m here with my co-facilitator um. Uh, Shauna is with all the amens and I’m here. I’m just like I’m a man, yeah, in the, yeah, so, so talking about how that what constitutes personally identifiable information, how much that’s expanded in recent years and Shauna, what’s what’s your Brightlines, how are you related to. Yeah, yeah, so Brightlines, I founded it 4 years ago. We are a doxing prevention company for folks who don’t maybe know what doxing means. Yeah, it’s define it please. When folks will use your personal information or sensitive information, they’ll post it publicly, essentially posting your documents, that’s where doxing comes from with the intent to incite others to do you harm. So there’s like a malevolence there, right? I don’t usually consider it doxing if someone posts like. A relatively available email address from like a professional setting. I do consider it doxing when it’s your personal email address and the intent is to ask others.
It could be your birthday, it could be, could be your wife’s or my man right here, yeah. the PII PII is an expanded. No, I never, no, no, actually I came out of US intelligence community. I was there as a much younger person and in a different age in the United States and in terms of our national security. It was really progressive national security person, um. The whole community, yeah, the I I’ll just say the I mean the intelligence community, yeah, yeah, I don’t usually get too granular with that um but the. Was it in the session description it would have said OK yeah we can talk about that. OK, well, I, I’m not sure I’m, I’m pretty sure, but there again it’s one thing when it’s like out on the airwaves. First is when it’s in like a session thing yeah and at at the time when I was there I was detailed out to the DEA this might have been what you read, to train them on finding their targets on the US side of the border of drug trafficking organizations so we were using these same techniques. I was training them in these like techniques to find people. We reverse engineered that now four years ago after the 2020 election when. Folks were going after Ruby Freeman and Shaye Moss for just passing a piece of gum while tallying ballots in Georgia they have a penthouse in Manhattan now have the keys to that penthouses. Um, OK, interesting. So reverse engineer I see reverse engineered your, uh your prior prior work. All right. um, so referring to your session description, uh, how AI and big data are transforming privacy risks by enabling aggregation. So your concern is that the, the. Attempts at uh. Spamming people, not spamming but spoofing, phishing, they can, it can be so granular and so accurate that they, they look more and more real. This is a part of our problem, right? OK, and people and agencies, people are using artificial intelligence to gather this information and then and then put it together and collate and then threaten.
So they will, so I think we could probably tag team on this. Do you wanna do the production part? So what we see is them gathering data. There’s a lot of data that’s out there about all of us, and I will. If there’s one point folks take away from me talking today in addition to my hype madness, it’s that this is not your fault. Our clients come to us and they say, oh, if I just hadn’t shared so much on public on social media publicly when I was younger and it’s like no no this had nothing to do with you. Your public records are being scraped by data brokers every day. If you own a property, if you’ve ever registered to vote someplace, if you have a driver’s license, which you have to have if you wanna get on an airplane, that data is being sold or scraped. So that’s the data that’s the source data for data brokers. So yeah, sometimes for free, for a, yep, OK, but publicly available, you don’t need to be, not an agency there’s no kind of like legal process to gather it exactly. This is why law enforcement officers, like certain law enforcement agencies now go around legal process and we’ll just buy data from data brokers. Oh, so much easier than defending a subpoena. to prove it to a judge to prove it to a judge and then if this if they move to quash the subpoena, you have to defend it. Exactly. So AI can now gather data from various sources, so it could be used to scrape these sites. It can then be used to connect data. Let me share a story. We got a phone call like a very concerned client. They had just received a phone call themselves from someone who claimed to have. Photos of theirs compromising photos from an old Snapchat account and on the call they described a photo that this that our client knew they’d taken right it was a photo of a room they were describing a room and the clients like, I remember that room. I remember that poster that they’re describing. I think I might have posted it on Instagram one point it was public, but how did they get my number? 
How do they know where I work and. My response was like, this is a scam. Someone scraped, someone bought a scrape of LinkedIn. Maybe they connected that to your phone number. Maybe you have your phone number connected to LinkedIn because you use it from MFA for multi-factor authentication. They connected that to a handle on Instagram, probably using your face, a facial recognition. And then they just made this phone call and talked to you about your employer finding out about these photos, which was a bluff because your employer’s name is listed on your LinkedIn profile. It’s terrifying for her. And Kim has taken it a step further. So you can stitch all this together, right? and you can process all this data at speeds that never were possible before, but you can also use generative tools to create things so you can. Easily mimic a style of someone so you can also so you part of that data that you grab off of LinkedIn or social is somebody’s writing style so you can, you know, generative AI is really great tone and style and also events. So if you’re posting about events and things happening you could get. An email from your purportedly from your executive director or a colleague referencing that event and things that happened and people who were at that meeting it depends on how public the data is and then you know that can be used as a basis for a you know phishing email um that is a lot more convincing phone call yeah or a phone call this person that called our client was a human but they don’t have to be we’ve seen cases where EDs are being impersonated. And it’s video and it’s audio of them that is so convincing to the people that they’re reaching out to and this is it’s trivially easy to do right in our session in fact we had which one is the real Kim and there were two videos of me and one of them was not me um it was AI me but that cost me $29. To take that, so it’s not inaccessible.
These tools used to be it used to be like really hard to do this or 25 cents and it’s like a photo in 3 seconds of audio, and they can make those videos, yeah, and you can have me say you don’t even need me saying the alphabet or or Kim’s title for Christ’s sake or half of Kim’s title. I did say you could swear. I didn’t say you could take the name of the Lord. There’s a difference. There’s a difference. There are boundaries even on nonprofit, there are boundaries. This is Chris. I’ve, uh, I’ve gotten, I’ve gotten these, uh. Dear Tony, I know I could have called you at my number or or written to you at my address accurately, uh, but I chose this method instead. So now I know they’ve got my email and my phone and my address, uh, included a picture of my home, which they probably got from Google Maps or, or right, and, uh, I, I some kind of bitcoin bitcoin scam. But how did that make you feel uh the first one I was a little like. Yeah, I was a little nervous, but, but I’ve gotten, uh, we all have gotten Bitcoin scams in the past, but this one had, like, you know, like you’re concerned that amount of information a lot of, yeah, yeah, it had the right and uh I, you know, I, I ignored it with some trepidation and then like a day or two later I got another one and you know I knew I was just kept coming. It was bullshit. Yeah, I saw one of those from one of our threat intelligence partners, someone who swims in this every day, and it terrified him and his wife. Yeah, because it’s so it’s so close to you. It’s why receiving one of those phone calls or back in the, I would say back in the day I got really energized around Gamergate started to try to support the folks who are being targeted by Gamergate. This is back in 2015, and they would describe what it was like to have like, you know, I sleep with my phone next to my bed. 
And or under my pillow and to have that be the stream of all of this like directed hate messages like you should kill yourself or I’m gonna do this to you or I’m going to do this to your parents or whatever the case might be. It’s so proximate that technology removes what feels like barriers between you and everyone else, and the issue with doxing so terrifying is that you don’t know who it is. It could be anybody. How do you walk down the street? How do you like sleep in your home, not terrified? You don’t know. I never thought about that. Who’s coming after you? Thank you. I never thought you bet new nightmare unlocked. Yeah, no, no, you know how, but Tony, so you get these things because you’re you’re killing me. It’s supposed to be reassuring us here on nonprofit radio. Well, you’re terrifying. We’ll get to that. We will get to that party eventually we’re we’re great parties, but, but, OK, so you’re, you know, more public person, uh, you, you know, nonprofit radio, so, so you. Get these things it’s a little unsettling and unnerving for you, right? yeah like so imagine how like a nonprofit staff person who happens to be working in an organization that may be more targeted by malicious actors, OK, so one is so your staff member starts to experience this and this may this could freak people out, right? So that’s who we’re thinking about. Um, and kind of raising the awareness, OK, yeah, I mean these are folks already dealing with some level of cortisol at a on a regular basis because of work because of their mission. I think we’ve spent enough time on motivation, and let’s let’s, uh, let’s let’s transition, uh, not subtly very abruptly to what the hell do we do? What do we do it already. Is it already too late? It’s never too late. I’m sure you’re not gonna say it’s too late. No, I wouldn’t be here. Yeah, well, I also believe it and I’ve had those moments. 
Listen, I live in DC and DC DC Health Link had their data leaked and taken a number of years ago and my child who had not even turned a year old had her social security number lost in that breach and I was like, oh man, she’s not a year old, you know, like how is this? This is the world we live in, right? And I turned to my partner and I was like, this is just, I don’t even know why we bother. And she’s like, you can’t, you of all people can’t have that feeling. It’s OK that you do right now, but you have to keep going. No, there are plenty of ways to ameliorate it. Yes, let’s get, let’s get into them. So what we’re with you. Why don’t we start? Go ahead and then we’ll go to Kim. Yeah, I think you can think about this so the individual as the vector to threat to the organization that can be reputational financial threats to the organization could make it hard to fundraise if you don’t support that person very well. Um, you, you would harm your reputation, say, or, um, it could make you look illegitimate to your funders, right? So if you can think about where the risks are to the organization, that’s one set of what to do, right, action items, and I might leave that with you and speak more to the personal. So when it comes to protecting yourself as an individual, there are plenty of ways that you can work to remove your data online was referring to Kim, not me. Oh yeah, no, Tony’s not gonna take that part no Kim’s got that, um, Kim. I won’t try your title um when it comes to the individual, listen, all of us have data out there again it’s not our fault we have lived a life, right? Like we’ve done things it’s, I think it’s a betrayal of trust in our own local governments that they sell this data and no one’s ever asked us for consent they’ve never informed us, etc. etc. etc. OK, so what do you do? You can sign up for one of those services that removes your data from data brokers we consider that like um. Like taking Advil, right? 
Like it’s like kind of taking care of some of the pain and some of the symptoms. What we also recommend is like looking back to the source data itself. So if you own a property that you live in, we always recommend that people consider moving it into a revocable trust that they don’t name for themselves. You’ve seen too many estate attorneys call it the Tony Martignetti revocable trust. Exactly exactly a different a different name to the revocable trust. That’s it. So now the ownership is obscured its data that’s already out there from prest. This is the argument that our interstate attorney always gives us and we have to educate them on this. They’ll say, oh, but it’s your name’s gonna be on the document granting it to the trust, but your name was there before on tax documents. The way data brokers work is that they’re constantly pulling this data down and renewing their data set. So when the new data comes down at this address, they want the most accurate, the most recent. they’ll overwrite it. So it may be that you lived at that address at one time but you don’t any longer and if someone’s looking for that address, it’s not your name on it. So it will get overwritten, especially over time. What we’ve seen wildly enough is that when that piece comes out, it’s like a house of cards. When you pull that property record out the rest of it tends to fall apart. We see our clients less and less on ownership is kind of a uh. a core or a hub to to other data yeah absolutely yeah I think there’s some connections happening there with like app user data that’s also on an ISP that’s connected to the house, etc. etc. is there other pieces about that location um that create profiles anything else we can do on an individual level besides the uh property ownership. 
Another big vector is voter data and I know that’s probably not popular in this audience because a lot of folks believe a lot in the voter file and voter data and using it and I, we often see voter data on getting used mm. Getting bought and getting scraped and so we will recommend that folks apply for programs in their states called address confidentiality programs or safe at home programs they’re always set up in with uh survivors of intimate partner violence in mind but a lot of the programs are pretty expansive, so if folks are concerned about stalking or harassment they can also apply and that then gives them a proxy address in some states like in New York across all agencies. So the DMV is now not going to sell your home address and your name. They’re going to sell your your name and your proxy address together. And and shout out the names of those programs that you would look for at your state. Address confidentiality program or safe at home. If you’re interested, the National Network to End Domestic Violence NNEDV.org has a comprehensive up to-date list of those programs. OK, awesome. Kim, uh, before we turn to Kim, uh I think you’re the perfect question perfect question answered. Person, you’re a person, you’re a person. You’re neither a question nor an answer. You’re you’re just a person with a lot of answers. Um, I read once, it’s so hard to unforget, you know, to unlearn things that, uh, the value of, of stolen data is really in the future is more financial like so that the bad actor can act without you tying it to a specific event. So my credit card, let’s say a credit card number is compromised, it’s of more value if it’s 3 years old than if it’s just a couple of weeks it was just stolen a couple weeks ago. Is that true or is that incorrect? I can see that. I can see that being true. Maybe we’ve gotten a little bit better banks and credit cards have gotten better about just reissuing new cards. 
Websites tend to push you to change your password when they’ve alerted you that there’s a breach, so I, I think. The private companies more so in government agencies but private companies I think have caught on to that a little bit and I think there is some truth if it’s not for financial means but really someone trying to go after you, we call that a ideologically motivated attacker. What we saw you used the word vector before I did, yeah this is my background so they um. What we found with uh a university, a client that’s a university, their students were being targeted. Some of these outside groups showed up to student houses over the summer. The students had already graduated. We’ve gotten some of their address stuff removed. The addresses weren’t available in connection to their names online any longer. So what we think happened was that those addresses that was screenshot and saved. That can happen, yeah, so it’s not a perfect fix. However, what if you have one as an intelligence officer, if you have one data point, so you have that screenshot, but then you have all these other things telling you that Shauna Dillavou no longer lives at that screenshot address, you might show up there, but you’re not gonna spend a lot of time on it because you can’t verify it. You can’t confirm it with another source. Makes sense? Yes, thank you, thank you. All right, Kim, let’s turn to you on the organizational level. What, uh, what can we do, uh, there to. Protect ourselves from what’s already out there. How do we help nonprofits and small and midsize are our listeners. Alright, so for many years the the kind of mantra has been to verify, verify, verify verify. I thank you very much, that’s Kim Snyder and Shauna. No, I’m joking. She’s like I’m we’re out of time. No, we’re out of time. Are we out of time? No, I’m only child I fall for jokes very easily. I wish I had known. I wish I had so many. I had so many more.
I had so many more in mind for you specifically talking about a targeted attack. Oh my, talk about a vector vector I was coming right at you. I could have written that you’re you’re putting this on the airwaves. You know how vulnerable you are. Oh man, I got all kinds of advantages. All right, I’m sorry, I interrupted you. What was I talking about dying. Go ahead. OK I’m sorry. OK, so we used to talk in cybersecurity world about, you know, verification verify, verify, verify that was the mantra, right? So now we kind of reshape that so that it’s vet and verify so have kind of multiple ways of verifying especially incoming requests. Anything kind of trust your spider sense is what I’d say if something seems a little bit off like what what are we talking about? So if you receive an email, if an email comes and it, you know, it comes from your development director who’s saying who’s referencing something that you just went to the panel or if it comes from accounting, write a check if any money is involved. And it wasn’t like completely expected even if it was a little expected actually I’ve seen I’ve seen this happen where people got into um nonprofit systems and using AI can scan what’s going on very quickly. And then target things that are about to happen from kind of things that are OK, so, so I would, so the instinct instinct, OK, use your, use your instinct but also make it a policy, make it a process that you just follow uncomplicated process for verifying like any financial transaction needs to be verified even if it’s expected, yeah, so yeah, so you wanna walk through that. You just get much, much more deliberate. About verification and and who is it coming from and you don’t want to. Confirming, did you send this email or not replying to the email, but my phone yeah exactly yeah you you send this email about this rush transaction or or routine transaction. 
Do it in a different format right different channel, yeah, so you know, and even though the instinct may be email back quickly but no right um but then what you do also is create a culture in your organization where that’s OK to do where it’s OK to take that extra 30 seconds minute to you know verify to ask someone for their time to say I just wanna check, did you send this to me? Um, and in that way it’s OK even if it’s because he’s actually director you can say, did you send this to me? I just wanna make sure and so that that’s an OK thing to do. In fact, that’s a good thing to do. Now we can’t they have to be boundaries around this because we can’t do it for every, every message we get so you mentioned. financial financial transactions and no no no not nervous at all financial no no no financial transactions, any kind of initiated correspondence where they’re asking you for something or for some information. I saw a scam recently where the uh an an old employee was trying to be reinstated and wanted to go around HR to IT to get their accounts reset up like I’m I’m coming back and it was like using the person’s middle name so it’s already a little bit fishy but. They went all the way up to the CTO of the of the company and said hey so and so and these people were friends on LinkedIn and like had shared messages back and forth so the attacker knew this was a personal relationship. hey so and so I’m trying to get reinstated. They’re telling me you need to go to HR, but like I but I can do this. I just need to get my account access back up and online and the CTO is like no. Oh bro, you gotta go through HR. I can’t do anything because they had those controls in place, but small and let’s be fair, small and medium sized organizations don’t, so I’ll just take care of it now or we don’t have a, we don’t have a we don’t have any clear guidelines that we give to people for all requests we need to go to HR. I thought of another. 
Potentially nefarious request you send your logo. Could you, could you, I need a I need a high def for the logo, you know, the, the, the, the JPEG I have is, is not good. I need a high definition logo that could be that could be to produce a check that could be to make a spoof a spare a spoof website, um, OK, I mean, but it seems innocuous send a logo, yeah, it’s very easy to spoof a website, right? So you know, you know, check. Also check where it’s coming from, right? So you know I’ve had an organization where there were two spoofed, um, there’s spoofs on both ends a spoof of the funder, a spoof of the the grantee. Can you tell us more about that story? It’s a really good one. So yeah, so they, they got into an organization’s, um, you know, Microsoft environment. I asked the questions here whoops. Go ahead. Uh oh, off the mic. 3 like 30, go ahead. So, um, Anyway, that’s late in the day. And I’m thirsty. Yeah, late in the day it’s not it’s, it’s well it’s almost 3 o’clock. You’ve been going since then nonstop. Um, anyway, all right. So the organization had someone get into their systems for a very short time, but in that short time they were able to tease out some information again this is AI can help with this kind of analysis short you know canal is a lot of data that it can grab very quickly and um identified some upcoming financial transactions which were rather large and so um in order to kind of trick. The person to sending to the wrong place, they set up fake websites, fake websites for the foundation, fake websites for the grantee, and domains not websites domains, and so then they had emails coming back and forth you could hardly see the difference and so the, the, the real people, the real people were communicating with the bad actor on both sides and the money. And he got sent to the wrong place, OK. Yeah, that was, that was actually no they did great, but, but it was that was a happy ending, but not necessarily. 
We started with Shauna, so we’re gonna end with Kim. give us oh no we did OK well I’m not Shauna, your mic is down but that she still gets through. She talks and laughs so loud you hear her over Kim’s mic. No, I didn’t, I did not but one more thing before, before we unless we’re totally out of time, um, don’t shoot the messenger. So create a culture. This is another thing that’s any size nonprofit can do where if something happens, if you click on that thing, if you did that thing that you feel like uh. That was really dumb, right? Make it OK to report that and you don’t get in trouble and there’s no shame and blame because it happens so but yeah the the no blame kind of we encourage you to. You know, say it, yeah, call yourself out, yeah, and there’s no punishment, you know, some organizations like they don’t want bad news at the top, so. All right, we’re gonna leave it there, OK? All right. That’s Kim Snyder. Virtual digital privacy project and program officer RoundTable Technology and Shauna Dillavou, CEO, Brightlines. Thank you, Kim. Thank you, Shauna. It’s a pleasure. Shauna laughed her ass off. I’m a good sense of humor. All right, I love it. Uh, and thank you for being with a, uh, well, whimsical, I’m not sure it covers it. Raucous maybe, uh, at one point, uh, uh, uh, anarchical because, uh, there was a question that I did not answer. Uh, session. Uh, thank you for being with us at uh 25 NTC for this episode sponsored by Heller Consulting. Technology services for nonprofits, virtual digital privacy project and program officers. It’s time for Tony’s Take-2. Thank you, Kate. A new tales from the gym episode just happened this morning, this very morning. I was minding my own business as I do on the elliptical. And overheard two women talking. One lives here permanently, and the other one who said her name. Sandra Lynn, uh, she lives in North Carolina, but not here in Emerald Isle. She lives, uh.
In the Raleigh area, like that’s about 3.5 hours, 4 hours away, roughly. And she was lamenting, Sandra Lan was that uh that she can’t live here full time, house prices are high. And she also still has, uh, her mother and her father-in-law, so her husband’s father are still both alive, and so she needs to stay in that area, but she was, you know, looking forward to retiring here sometime but lamenting that she couldn’t live here now. And that got me thinking as I was on my. 6th or 7th uh interval on the elliptical. I do 88 episode 8, Not episodes. What did I just say? 8 intervals. I do 7 intervals of a minute, take a minute in between, and then the last interval is 2.5 minutes. I was toward the end and it got me thinking, listening to Sandra Lynn. That, uh, I’m grateful that I do live here full time, permanent. This is my home. And that, you know, it’s that there are other people who don’t live here who wish they could, you know, so, uh, you know, I, I add, I have, I have a long list of gratitudes, but I don’t specifically say grateful that I live here in Emerald Isle full time. So I’m gonna add that to my gratitudes that I do every, I guess I’ve told you every 2-3 times a week. I’m adding. Gratitude that I live here in Emerald Isle full time in this beautiful place and I have the ocean across the street. Uh, your own gratitudes. I hope you’re, I hope you’re doing your gratitudes out loud, at least a couple of times a week. That is Tony’s take too. Kate. You do sets. Uh, well, sets are for, yeah, no, that’s different intervals. Intervals on an elliptical, you do a minute hard and then a minute resting. And then a minute hard and a minute resting, it’s called high intensity interval training, HIIT high intensity. It just means you do intervals of things like you sprint, yeah, I don’t run, I’m on elliptical, but you might sprint and then walk, and then sprint and then walk and sprint and walk. Those are called intervals. 
Sets are like you do 3 sets of 10 if you’re, if you’re on a weight machine or something like that, or maybe pushups, might be 3 sets of 10 or something like that. I don’t know, they seem, there seems to be a different, well, I think the interval is because you’re still active, you’re just resting in between the high intensity intervals. Gotcha. That makes sense? Yes, and I am grateful that you have a beach house. Yeah, because you get to, yeah, you get to visit and uh laze around and uh. What is the word I’m looking for, uh, not schmooze, but, uh, you get to, uh, I don’t know. I can pretend that it’s my beach house. Yeah. You can for a week, yes, but then, then I’m very happy to say goodbye. After a week. Love you too. We’ve got bou but loads more time. Here is Balance AI Ethics And Innovation. Hello and welcome to Tony Martignetti Nonprofit Radio coverage of 25 NTC, the 2025 Nonprofit Technology Conference, where our coverage is sponsored by Heller Consulting technology services for nonprofits. With me now is Gozi Egbuonu. Gozi is director of programs at the Technology Association of Grantmakers. Gozi, welcome to Nonprofit Radio. Awesome. Thank you for having me, Tony. Pleasure. You’re welcome. Your session is AI strategy for nonprofits, navigate ethics and innovation. We have plenty of time together, but can you give me a high level view of the the topic and the session that you did? Sure. So the session was really, um, and was really spearheaded by Beth Kanter, uh, and it basically provides uh a balcony view of where we are in the sector in terms of AI adoption, ethical responsible AI adoption, the nonprofit and philanthropy sector. And so, uh, we really start with what we found in the Technology Association of Grantmakers state of Philanthropy tech survey that we did in 2024. In that survey we found what many grant makers are currently doing with AI as far as you know are they testing are they experimenting? 
Has anyone rolled it out enterprise level, which is, you know, at the organization wide level and what we found is that. And which mirrors quite what we’re seeing in the nonprofit world is that most folks are not using AI in terms of, you know, anything that’s crazy, you know, innovative at this moment it’s really just kind of, you know, meeting summaries, you know, taking notes, that sort of thing, um, and so and but in addition to that we found that while 81% of folks are using AI, uh, sorry, while, uh, oh sorry, 81% are using AI but only 30% have AI use policies, so. You’re using it but you don’t have any guard rails you have no way to tell your teams or your staff, hey, this is what we don’t put into the AI this is what we do put in so you’re really running the risk of having your information potentially used in a way or trained uh an AI model that, um, you know, could potentially put your members at risk, your grantees at risk, whatever the case is for your organization and so. With that little bit of an overview it basically came down to the importance of AI experimentation and really do starting slow starting at the very base level working with your teams to kind of talk through should we use AI if we did use AI what would that be for? So thinking about the use cases, the business, um, the business use like what what would be the business case for it and then you know assembling a nice team of folks, you know, as advisers or experimenters and champions at your organization. Uh, to really kind of help you all start doing that experimentation in a safe and low kind of like low risk way, um, and then from there really defining whether or not AI is your, your next move and then once you do have decide that AI is the next move you wanna move into that next level of the AI maturity which Beth, you know, covers really um really well uh you know you go from that exploration to discovery and then you move into experimentation and ultimately enterprise eventually. 
Um, but what we’re finding is that most folks are not there yet. They’re still very much experimentation early stage, very early stage, um, and, uh, you get to kind of get to see a case study of it through the work that Lawan did at her organization United Way Worldwide. OK, well, we don’t have with us, but you can provide a lot of context, lot of, lot of detail, I just said you could talk. All right, um, are, are we, do you know the you might not be part of what you surveyed, but was there even intentionality around should we, should the should we use question or did it just kinda happen because people started, people started hearing about it using chat GPT. Well, you know, with one of the questions that we did on the survey, we found that like there’s quite a few folks that are using it in what we call shadow use or shadow AI, which is basically you’re using AI but your organization doesn’t know what you’re using. I see. Alright, so that’s not intentionality at the organization level. No, no, no, I would say not, not. Uh yeah, so we really want to encourage the intentionality which is don’t start using the AI unless you all have that collective organizational conversation of is this something that we should be doing? Is it useful? Is there a business case to go with it? Is it relevant? Does it make sense? Is it safe for our organization? does it align with our ethics? And then consider going into experiments. OK, let’s explore that question a little bit uh now in 2025 because I, I suspect at 26 NTC we won’t be asking the threshold question, should we, should we use? So what, what, what belongs in the conversation if we’re, if, uh if we’re at the stage where Well, uh, individuals may be using it, but we don’t know. Or if nobody’s using it and we’re trying to decide enterprise wide, you know, is there not, we’re not even at the is there a use case like but should we, should we explore it? What goes into that conversation? Sure, um. 
Again that you know, really thinking about the business case. So when you’re having that conversation about should we use AI, then you have to think about what would be the specific usage of it, right? So say you’re the finance team and you’re considering using AI, what would be the benefit of using AI versus doing the doing the the work flow or process that you currently have and you’re thinking of having AI do? so you really. Kind of have to have that conversation like an in-depth conversation about the process that you’re doing right now. Is there anything wrong with it? Are we losing anything? Could we gain, uh, productivity, time in our days and our schedules if we were to move to using AI to do this one process or this one, this one work flow? Then at that point you think about, OK, maybe we do get a benefit out of it now that we get a benefit out of it. What are some of the things that we have to be concerned about now that we have a benefit is it that now we don’t wanna make sure we wanna make sure that any financial information that could be sensitive to any of our donors or their their personal information, do we not want to have that being able to be, you know, used in the AI model or whatever system that we’re using so you know, you, you start with here’s how we do. Things here’s how AI could potentially benefit and then you move into that conversation. OK, if we did, what are some of the risks and concerns really thinking through all of them as much as you can, we know that you can’t think for every single possibility, but as much as you can kind of write it out and map it out as a group with several folks in the room, the better that you are at being able to say yes or no on moving on with AI as that. Potential new solution. OK, and a part of what goes into this intentionality is a usage, a use policy, your, your, you know, you want us to be thinking about ethical uses. OK, uh, what, what are the, what are, what are the ethical concerns? 
How can you, how can we talk through those? Well, you know, one of the key ethical concerns is that we know that most AI models that exist now, including open AI, were trained on the internet, and we know the internet can be, uh, wildly biased, wildly biased, filled with lots of terrible things. Not only biased but misinformed, misinformed wrong yeah complete nonsense in a lot of cases, um, and so if you’re using these open AI sources that have been trained on the internet, then you have to be really careful about deciding to use it against, say your theory of change. So if you’re an organization that is er. Be uh vulnerable populations groups that are already kind of under attack, whatever the case is, do you want to have AI making or informing your decisions related to work that you’re doing with these vulnerable groups? More than likely no because the AI may choose to do things that are more in line with the group that is. Biased that may have you know may be unethical and so you want to make sure that whatever you’re using the AI to do that it isn’t putting the organizations and the people that you support and serve in harm’s way so really thinking through, hey, if we’re gonna use it in this way, maybe we need to use it in a way that does not put these groups in harm. Maybe we just focus on using it internally like folks do for the meeting. Notes because that’s a very low risk thing whereas if you’re you know input you know uh decisions about whether or not to continue funding an organization or trying to measure or not whether or not their impact is aligning with your organization’s missions and values some of those those questions are not as clear cut as yes or no, whereas an AI that is trained on purely just wanting to see impact, purely wanting to see a return on investment, which is not always the case of what happens in philanthropy. Then you really have to take, take a step back and say is this the most ethical decision to go forward? 
Could we be putting organizations in harm? Now you can control what a model is trained on, yes, but that requires something proprietary, right? You have, you have to pay a developer to, uh, to create that. I get I don’t know it’s called a small language model. I don’t know what it’s called, but something that’s trained only on your own data, but your own website, maybe your own documents that you that you provided, but that, that requires a fee and a and a developer. Exactly, it it can it can cost, it can be expensive. The other option is if you don’t want to go the route of creating your own AI you do a paid version because we know the free versions of AI specifically I’ll talk about open AI there’s not a whole lot of freedom or flexibility in turning off the settings to prevent it from training the model on the data that you input. And so in that case you definitely need a use policy because some folks would probably just be like I really need to you know analyze all of this data on all of the groups that we served in this, you know, community that is already really, you know, under attack or potentially in in harm’s way and then now you’re putting that information into the AI to have it, you know, into the free AI to start doing it’s now. and now the AI has all of these people’s information and can now use it to provide it to other people who may look them up or want to find data on. That’s you’ve you’ve shared data that it’s gone. I mean it’s yeah yeah yeah there’s no control. So yes, enormous intentionality, care, um. And what if we don’t have a, you know, we don’t have a, a chief technology officer, chief information officer, you know, it’s an executive director, CEO, and, and maybe decent sized staff. I don’t know, 35, 40 people, but they still don’t have a chief technology officer. How do we, how do we uh ensure the intentionality and care that you’re, that you want us to? 
Yes, um, there’s a couple of ways, and I think oh good, I think at the core of it you don’t have to have a CTO and even yourself you don’t have to be a technologist. I would never classify myself as a technologist, but we can, there’s ways to find training. There’s plenty of training, NTEN has fantastic training for AI certifications for professionals in in the nonprofit sector, um, and I’d love to share that NTEN and TAG are teaming up and we will be offering one for philanthropy professionals very soon. And so these are opportunities, a very, you know, relatively easy ways for people who don’t have that technical background to learn about the AI itself, get themselves familiar familiarized with, you know, what they need to be doing to protect themselves and their staff, ways that they can start to experiment in a safe, you know, safe space, um, so and there’s plenty of also free tools, free education. I will, you know, even I, even though I’ve talked. About OpenAI a lot. OpenAI just announced their OpenAI Academy which has all free resources and tools for learning how to utilize AI for anyone and so there are plenty of free resources out there and people online, you know, uh, there’s plenty of folks on LinkedIn that I see on a regular basis that are sharing information and providing some guidance for nonprofit leaders as well as, uh, folks. That are just not technically inclined so there’s ways that you can kind of upskill and train yourself to understand how to use AI even if you don’t have that technical experience in house. Say a little more about this partnership, can you uh and it’s Technical Association of Grant, pardon me, Technology Association of Grantmakers, thank you um. 
Yeah, so I don’t have a whole lot of details to share, but essentially if you’ve, if you’ve used any of the great training and certification resources on the NTEN website, we are essentially trying to make a parallel version of that same professional certification for nonprofit leaders using AI for. Our foundation leaders and so uh you can expect really a kind of a similar learning process but however it’ll be tailored to some of the different functions and needs that we find at the philanthropy you know at foundations versus what you would see at a traditional nonprofit. OK, so I’m sorry, it’s intended for professionals I should say. Um, Alright, what, so thank you. You know, that’s important ethical considerations, um, anything more on ethics because, uh, then I I want to talk about the policy, what belongs in your use policy, but is there more about ethical concerns? OK, OK, OK, enormous. I mean if you, if, if you’re exposing your data. And, and it’s gone. It’s, it’s out there like you said, right, um, our use policy that, uh, only 13, 30% have, although 80% are using AI. What goes into this use policy? The use policy essentially just outlines what you and your team should be thinking about before you ever use any AI, so. It’s kind of that no go or go kind of conversation so if it’s sensitive data, if it’s information related to any of your members that you just wouldn’t want anyone to have outside of your organizational members probably wouldn’t want to put it into an AI system so it just kind of outlines, you know, essentially guardrails for for teams and and staff to understand how to best utilize it. And I think some folks are also, you know, thinking about the environmental impacts of using AI are really now making sure that their data use policy or the AI policies are also, you know, having folks be ethical about how they’re using when they’re using AI right? 
So you know if it’s to do something that could take you probably about the same time that the AI does, don’t use the AI um if you’re just, you know, just tossing anything, any old thing and they’re asking questions all day probably also not a very useful. Use good use of AI you really wanna think about AI very strategically and intentionally, right? You wanna make sure that if you’re going to the AI, it’s for something that you know it’s gonna save you significant amounts of time. One of the things that I often will use AI for is drafting, you know, large descriptions for events. That takes me sometimes hours if I give it to AI, I can do it for me in seconds and the key to descriptions of events, yes, like, so we have webinars events that we have on our website, yeah, so you know I, I, I, I don’t wanna sit there talking about all the learning that you’re gonna get out of it and the objectives and this and that and so AI, I’ve trained, I have like a GPT that is based on kind of like my voice that I provide it like hey here’s the prompt, here’s what I’m kind of looking for. It provides me a draft and then I use that draft and I manipulate it how I want. Um, and so you really wanna make sure that you know when you’re prompting the AI or you’re using the AI, it’s they’ve measured it. I think one prompt uses as much energy. I think it’s like an entire city like it’s crazy. It’s like like it, I, I don’t use my quote me on that, but it’s enormous. There’s quite a bit of energy, and I can actually actually share a link to um one of the stats that came out about it. There’s a researcher that’s been sharing a lot about it, um, and she was just interviewed by, uh, I believe it was Dr. Joy Buolamwini on, uh, by the, um, the. 
AI justice uh group that she she leads, um, and so there’s a lot of it there’s a lot of energy being used so if you’re gonna use it, you wanna make sure that it’s for something that you don’t need to, you wanna learn prompting good prompting, so you can get what you need out of it and then you can make, you can, you know, refine it and make it better. Sometimes you may have to go back in and ask the AI to refine, you know, what it did, but you really do wanna keep it to a minimum. You don’t wanna be using AI. Constantly because the energy use and the impact on the environment is extreme extreme that gets over to the ethical concerns as well exactly because it’s yeah so yeah you’re you’re just really um basically telling your teams here’s the here’s what we expect out of you when you’re using AI and these are the things that could result in consequences if you don’t follow this policy OK um. What else, anything more about the policy, what, what, what belongs in there? Um, You know, I think the the key things is like you know making your team’s aware of the types of AI that are provisioned because that’s another thing some organizations have taken the decision to block certain AIs that they don’t want you using or even turning off certain AI functions in their uh current tech stack. So, uh, you wanna make sure that it’s really outlined very clearly the types of AI that are in use and also it may, you may wanna include something in there about how you, uh, communicate your use of AI to your teams or other people outside of your organization so. Kind of a, a nice, nice little bucket of what’s internal external, and then also where can you go if AI and where should you not go disclosures to the public um why would there be some uh some platforms or that are that are ruled out? 
Well, because You know, one of the things that I’ve seen some members talking about within, you know, the tag space is that there are some AI that do not allow you or some systems that do not allow you to turn off the AI function meaning that you don’t have any control of how that AI is taking your data that you have in that tech stack or that tech tool. Oh, you don’t have control no yeah and in in fact there was actually a conversation about a specifically a DAF uh platform that actually. Made this clear to many many many of our members who use it and so that is something that you really have to be concerned about is do you have any level of control if you don’t have any level of control and how the AI is using your data in that system there are organizations that would likely say this is a this is not a system that we would allow you to use. OK, it’s a good example. Um what else uh came out of the session? We still have a couple more minutes together. What else did you talk about in the session that uh that you can share with us? You know, one of the great things that we did was we did these scenarios, um, that Beth Beth put together about, you know, what are some of the things that you would say if you’re in a situation when where, you know, say for instance, uh, your organization is really excited about using AI they wanna jump head first and they just wanna start using AI without, you know, and and they they basically just want you to start rolling it out and get your teams on board. Um, and so in that scenario we really talked through all of the processes, you know, first of all, that first conversation that we talked about, like, should we even use AI that didn’t happen, so that needed to happen. The other part is also, you know, how fast do we wanna roll things out? 
What are some of the different change management principles that we should be thinking about as a team that could make AI adoption more beneficial and successful so really, you know, starting slow but really starting at the very beginning of like should we or should we not like that should be your because truthfully many organizations do not need AI. It’s true. I mean, it’s just the reality. Some organizations will never probably need to use AI, and then there’s a whole lot of them that probably will. So that question of like, should we do it has to happen first, um, and I think if you’re doing it on your own as a rogue, stop, do it on your own time. You want to practice on it, do it after after hours on a weekend. Exactly, exactly, not on our computers, not on our sisters. Yeah, yeah, if you, and that’s actually one of the things that, um, you know, we’ve seen a lot of our members and foundations, and I think Beth has also seen with, you know, some of the work she’s done in the in the sector is that a lot of foundations are now trying to just get to the staff and say, hey, look, we know that you’re using, can you just tell us and try to make that trust, build that trust with each other and I think that’s gonna be really a good way to help prevent a lot of the issues. Alright, let us know, but then stop. No, there’s no repercussion for reporting yourself, but only, well, only after what you report after the report date, you’re liable. All right, stop it. Exactly. OK, going rogue. All right, um, anything else? Uh oh, questions, any, uh, provocative or memorable questions that came. From the audience I’m trying to think. 
Um, No, well, you know, the one that had come up was just, uh, you know, there was a, there was someone at the front that had asked about, you know, AI hallucinates, and I was, and, you know, should you hallucinates, yeah, and she and the, the person was basically saying, you know, be careful using it as an organization because it could give you answers that are just factually wrong and so you know our response was like yeah you’re right AI does hallucinate but that’s why it’s incredibly important and I. And I didn’t even say this myself, but at the beginning, which is if you use AI, you always wanna make sure that it’s for something that you have a certain level or high level of expertise or knowledge about. So you know if I’m asking you to write descriptions for me, I know about the event details so that I’m not just gonna let the AI write a description and let it go and put it on the website. Yeah, that sounds good. I’m gonna put it no you review it, you make sure that. The details it’s including are correct. If there’s any statistics or numbers that are being used, you can go and verify those data. So if you’re ever using AI for anything, you should always have a human in the loop. There should be someone that’s able to verify the information, especially if you’re someone that’s not knowledgeable in that specific thing that you ask AI to do. You need someone who is either that or it’s gonna be written at such a high level that it’s maybe that has no value. Exactly, exactly. All right, how about we leave, are you OK leaving it there? Oh, you feel like we covered this? I think we did. OK. All right. All right. Gozi Egbuonu. Egbuonu. Gozi Egbuonu. Director of programs at Technology Association of Grantmakers. Gozi, thank you very much for sharing all that. Thank you for having me, Tony. My pleasure and thank you for being with Tony Martignetti Nonprofit Radio coverage of 25 NTC where we are sponsored by Heller Consulting technology services for nonprofits. 
Next week, two 25 NTC conversations to help your fundraising events. If you missed any part of this week’s show, I beseech you. Find it at tonymartignetti.com. And now that Donorbox is gone, I miss our alliteration: fast, flexible, friendly fundraising forms. Uh, I miss that. All right, well, I am grateful to Donorbox though for 2 years of sponsorship, very grateful, grateful. There’s another gratitude. I’m grateful to Donorbox. Now that they’re not a sponsor anymore, I’m grateful to them. No, I, I’ve been grateful. I just haven’t said it. OK. Our creative producer is Claire Meyerhoff. I’m your associate producer Kate Martignetti. The show’s social media is by Susan Chavez. Mark Silverman is our web guy, and this music is by Scott Stein. Thank you for that affirmation, Scotty. Be with us next week for Nonprofit Radio, big nonprofit ideas for the other 95%. Go out and be great.

Nonprofit Radio for June 24, 2024: The Essential Craft Of Leaving Your Job & Data Privacy

 

Karolle Rabarison, Laura Guzman, Leana Mayzlina & Aparna Kothary: The Essential Craft Of Leaving Your Job

This provocative panel shares their real stories to inspire you if working at your job, isn’t working for you. They recommend you leave well, and share their advice for your handover plan along with tips for setting up your successor or team for future success. They also help you manage your emotions. They’re Karolle Rabarison from Online News Association; Laura Guzman at DevGlobal; Leana Mayzlina with The Aspen Institute; and Aparna Kothary, an independent consultant. (This was recorded at the 2024 Nonprofit Technology Conference.)

 

Kim Snyder, Lauren Feldman Hay, Jonathan Gellar: Data Privacy

Kim Snyder, Lauren Feldman Hay and Jonathan Gellar remind you of the fundamental principles of data privacy, as Jonathan reveals his tragic story of data not adequately protected. They encourage all of us to be good data stewards. Kim is from RoundTable Technology. Lauren and Jonathan are with Fountain House. (This is also from 24NTC.)

 


Welcome to Tony Martignetti Nonprofit Radio, big nonprofit ideas for the other 95%. I’m your aptly named host and the podfather of your favorite hebdomadal podcast. Oh, I’m glad you’re with us. I’d suffer the effects of tetrachromacy if I saw that you missed this week’s show. Here’s our associate producer, Kate, with what’s up this week. Hey, Tony, returning to the 2024 Nonprofit Technology Conference, we’ve got The Essential Craft Of Leaving Your Job. This provocative panel shares their real stories to inspire you if working at your job isn’t working for you. They recommend you leave well and share their advice for your handover plan along with tips for setting up your successor or team for future success. They also help you manage your emotions. They’re Karolle Rabarison from Online News Association, Laura Guzman at DevGlobal, Leana Mayzlina with The Aspen Institute and Aparna Kothary, an independent consultant. Then, Data Privacy. Kim Snyder, Lauren Feldman Hay and Jonathan Gellar remind you of the fundamental principles of data privacy, as Jonathan reveals his tragic story of data not adequately protected. They encourage all of us to be good data stewards. Kim is from RoundTable Technology. Lauren and Jonathan are with Fountain House. On Tony’s Take Two, if he can go to the gym. We’re sponsored by Virtuous. Virtuous gives you the nonprofit CRM, fundraising, volunteer and marketing tools you need to create more responsive donor experiences and grow giving, virtuous.org. And by Donorbox. Outdated donation forms blocking your supporters’ generosity? Donorbox: fast, flexible and friendly fundraising forms for your nonprofit, donorbox.org. Here is The Essential Craft Of Leaving Your Job. Welcome back to the Tony Martignetti Nonprofit Radio coverage of 24 NTC, the 2024 Nonprofit Technology Conference where we are all convened together in community at the Oregon Convention Center in Portland, Oregon. 
Our continuing coverage is sponsored by Heller Consulting, technology strategy and implementation for nonprofits. With me for this conversation are Karolle Rabarison, Laura Guzman, Leana Mayzlina, and Aparna Kothary. Karolle is director of communications at the Online News Association. Laura Guzman is director of communications at DevGlobal. Leana Mayzlina is a senior project manager at The Aspen Institute and Aparna Kothary is an independent consultant. Karolle, Laura, Leana, Aparna, welcome. Welcome. You can talk into the mic. Yes, thank you. Yes, we’re sharing. It might be some jokes might be a little loud because we’re sharing. There are three microphones and four people, but I did not want to four guests. I, I make five but we didn’t, I did not want to sacrifice this sub just because there’s one mic, fewer than there are a number of panelists. So we’re gonna make it work because Nonprofit Radio perseveres and they all know each other very well. And so we’re sharing it’s communal and it’s gonna work perfectly because the important topic is the essential craft of leaving your job. All right, let’s start at the far end from where I am with Aparna. Ok. What was the genesis of this topic? What brought the four of you together around leaving your job? I might ping it to Karolle as our fearless leader and panel organizer if that’s ok. Ok, Karolle, you were the impetus for this. Please tell us why. Yeah. So I’ve been thinking a lot about transitions. I’ve had the experience of leaving a couple jobs. Uh, one time with something lined up another time without anything lined up. And in the past year I took a leave a few months leave from my current work. And this happened at the same time that three other colleagues out of a team of 12 were also going on leave within a few months and we had a leadership transition. So the question of how do you leave your job? Well, when do you do that? 
What do you need to do? Everything from, um, the sort of very tactical pieces of that process to just how you feel about it has been keeping me up at night or getting me up in the morning, maybe both. Ok. And, and how did you uh convene these three? Uh, well, I just, I, Laura and I know each other from, I think we met at a conference years and years ago and sort of, you know, connected and had followed each other’s work over time. And, um, we caught up recently and I learned that she had recently left a job and I thought that’s perfect because I’m looking for people who had been in an organization for several years and um wanted to invite people to share their stories and use that as part inspiration, part provocation to invite other folks to think about conversations with their team and conversations with themselves about these transitions. Yeah. Your session description talks about inspiration and provocation. Yeah. Um And then from there, Laura introduced me to Leanna and Aparna and I recently met a couple of weeks ago. I think we recently connected. Um So, yeah. OK. So let’s turn to Laura. I want each of you to tell your stories. Inspiration, provocation. Laura, why don’t you begin? That’s a, that’s a big one. But I’ll start with the role that I most recently left, which was uh I had spent about six or seven years at a nonprofit that I loved and continued to love and support, but realized that my road was kind of running out and I was in a leadership role and a moment of a lot of transition within the leadership of the organization itself. So it was pretty tricky and emotionally loaded, I would say. So I left in September and shortly thereafter, I heard from Carol to speak on this. Prior to that, I’ve kind of left roles in different ways and overseen a lot of transition. So I came at this with a deep care for wanting to talk about how we can do it well and how we can build cultures that support individuals and kind of the resilience of the organization. 
So you’re saying in your last role, there was a leadership void, but your road wasn’t uh wasn’t toward those leadership positions. I wouldn’t say that there was a void, but we had, we had someone leave for health reasons which just kind of precipitated a few years of just a lot of transition and shifting and changing. We were experimenting with co-leadership, which was really powerful for us. I had a co-deputy director at the time that I adored working with and I saw myself, the organization kind of going in slightly different directions in terms of my own interests and knew that the best thing for me was to figure out how to exit. And also honestly, the best thing for the org was to figure out how for me to exit. So I think it all came from a place of growth and longer term resilience, but it was still, you know, emotionally tough to leave a place I cared about for so long. Yeah, we’ll talk some about the emotions. Leanna, please. My most recent transition was about a year ago. I had been at NTEN for almost eight years and left for a new role at the Aspen Institute. Um And, you know, in, in reflecting on sort of all of the prior transitions as well, I realized that in pretty much every single role I’ve held, I’ve been the first person in that role, meaning there were no transition documents for me. Um I was onboarding myself, I was creating a new role for myself. I was sort of establishing what the responsibilities are, what the structure is, et cetera. And it made me much more mindful of how I wanted to leave a role um to make sure that my successor in whatever role I might be in actually has some documentation, has some tracking of relationships um so that they’re set up for success when they step in and they understand what the sort of the expectations are. Um the goals are and everything that sort of comes with the role. That’s very altruistic of you to be concerned about your successor. I don’t know, I don’t know how common that is. 
Maybe it’s more common than I realize, but still altruistic Aparna. Yeah, I had a transition about a year and a half ago where I left an organization where I was for 10 years. So just taking stock of the responsibility of all of that information. Similarly just was the only person in the role, didn’t have anybody to necessarily hand off that role to at the time. And so I just, I was interested in this topic because I think there’s so much to say about how you, how you leave. Well, but how you take care of yourself as you’re leaving. I just think it’s so important because we do care about the mission in the organizations and I think sometimes it happens at the expense of our own well being. Um And I just, yeah, so 10 years long time, the organization love the people of the organization. I think also just the perception of leaving a place that you love can feel like what am I missing? Who said this in the panel? But what’s underneath and sometimes there’s nothing, sometimes it’s very personal. But I think there’s just such so much conversation that happens around someone leaving after a long time, Carol. Do you want to share more detail of your story? You just said you had left and been in transition and felt strongly about what, what would share more. So we’re going through a lot of transitions. So some of the, some of the challenges they were just really tactical on a small team and you have four out of 12 people who are not going to be in the roles over the course of six months. Um And they hold a lot of responsibilities and then you have um a transition at the, you know, top leadership level as well. And so some of these challenges are just figuring out what documentation do you need. How do you, how do I talk to my boss about who’s going to cover these things when I’m not there? Um Again, altruistic, I don’t, I don’t know how many people think about what’s going to happen after they leave, they just leave and they figure that’s the organization’s responsibility. 
It’s not mine. I was leaving temporarily. So I went on, I went on parental leave for three months and we had four, taking those leaves at the same time that we had people leaving permanently at the leadership level, including my boss. So, um so, yeah, and, you know, being in the coms role, I’ve had to think through, um it’s not just handing off my, my role that works across the organization, but also thinking about helping other folks communicate about those transitions that they’re going through. Um So that, that was been top of mind in the past year. The other little piece um in my story that has sort of stuck with me and why I think why this keeps coming up is that at one point, I had a manager who from day one told me, you know, you’re here for a reason and this is, you know, we’re going to have this working relationship for a set time and all I want to know is when you’re ready to go. I don’t, I don’t want it to be a surprise and I didn’t believe that at the time is this person actually serious. You know, I, I would never just go to my manager and say I’m looking to leave my job. Um, but they really were serious and over time we built a kind of relationship where, um, I was able to go to them and say, you know, here are some of my goals here. Um Here are some things that I’m interested in. Can you help me talk about the impact of my work in this organization with other people beyond this work? Um And that, that stayed with me so strongly and that’s sort of how I work with folks that I manage now and why I feel so um why I feel so strongly about needing to have these conversations even when you’re not, you don’t even know yet that you’re ready to leave and building the kind of um the kind of culture, the kind of team where people are OK, talking about it that you’re not going to be there forever. You all call this in your session description, a handover plan. The handover plan is that does that is that put into place before a person is thinking about leaving? 
If it’s for like, like uh almost like a job description, there’s a handover plan when the person is not anticipating leaving. We were mostly um we were mostly talking about the, the plan for when you are leaving, like when you’re ready to go. So the, the session today, um, we split it between, here’s some things to think about to build the kind of team that can handle these kind of transitions well, before you even know that you want to go, and then we sort of dove into the tactical pieces of, ok, you know, you want to go, here are some things to consider. When um who do you tell, when do you tell them, how much detail do they need? What kind of documentation do you need to put together? And I know Aparna has done pretty extensive memos around the work that she led. Ok. Well, I mean, we’re not just going to talk about what you talked about, we’re going to talk about the details that because you’re not going to hold back on Nonprofit Radio listeners, I’m not gonna have that happen. So we’re not just gonna say, well, this is what we talked about, but we’re actually gonna talk about it. So, Aparna, are you the right person to start off with? This is, so this is what goes into your, your, your handover plan. Is that what we’re talking about? We identified some resources that folks might want to think about putting together before they leave. Some things we talk about were a succession plan, not just for leadership, but for people across the organization, regardless of position. What happens if you leave? What are the things that people need to know more concretely? We talked about an exit memo and different elements to consider an exit memo that are big picture and zoom in on the details and to make sure, yeah, you can hand something over and I don’t know if it’s altruistic. I think that even the fact that we’re having this session is unique to the sector. 
I think if it was more in the corporate world, it’s like more traditional, not traditional, but just outside of the nonprofit sector, I think you’re right. People do, they leave and they give notice and they’re out. But I think it’s just inherent in our sector that we care about the organizations and the mission and the people beyond just ourselves. And so maybe that is ultra, I don’t know, but I feel like there are so many people in the room, so we’re not alone in how we’re thinking. And so I think that carries forward to the resources that we put together. It’s for, we’ve been in position where we were handed nothing. And so thinking about, ok, someone walking into this role, what do they need to know about the things I’ve set up? So let’s talk about what the things are. What are those things? Ok. In the weeds. I would say things like contractors and consultants we’ve worked with before. How did it go? Would we work with them again? What went well, what didn’t, where did they leave off? We did a review. Are there introductions to these people if they like you at the time that you’re now, now we’re, now we’re hypothesizing. Now you’re getting ready to leave, you, you’ve given your notice, you’re leaving in a month or six weeks or you know, whatever. Um Are there, are there introductions made to these vendors, consultants, people you work with on the still live or potentially will need to be reactivated in the next year. So introductions to colleagues, making sure people have the information. So the way I split my exit memo up was strategy, initiatives and tools, and in the initiatives, it was like, what are all the things that we’re doing now that still needs to be carried forward? So for example, we were rolling out our cybersecurity plan, password manager, like phishing testing, like all kinds of things that we’re doing with a partner. So I hand that relationship over. So all the initiatives that are happening and then the tools we went into. What’s the tool? 
How do we use it? How much is it? When does it get renewed? Do I think we should use it again or what, what else is in there in the world? And then the strategy was the big picture around what’s the history of our technology program, where, what’s what’s the future, recommendations I have around staffing. How do I think it should be staffed, if I could wave a magic wand a little bit, it’s like visioning. If I could wave a magic wand and you had all the money in the world and here’s what I think you should do. And here’s maybe a middle tier version of that, but big picture, initiatives and tools for what I covered. And this is a written document as well. Do you have conversations with the successor? I guess if the successor is known, you’re able to make these introductions. We just talked about the successor is not known, this was more of a shared resource. Uh Laura, did you have contribution? That’s Laura, I’m sorry. Um Leanna, did you uh did you have contributions to the to the handover plan? My handover plan was pretty similar to Aparna’s. The one thing I would add is my role was or has been in many different organizations, very engaged with community organizations and partners. And so in addition to sort of handing off the relationship, a lot of relationship tracking. So, um you know, writing down the names of all of the community members that were engaging or the community partners and giving some background information, not just like this is the mission, this is the person, this is their email, but some context around this person never responds to emails. You have to pick up the phone or this person is really busy. Don’t ask them for anything unless it’s really critical and then they will step up. So just providing some context and then some historical knowledge of that relationship because people don’t, they don’t love it when someone new steps in and they have no idea about their importance or their relevance. 
So filling them in on this person has been in the community for 10 years and this is all the ways that they’ve engaged with us. And this is why they’re critical and this is who they partner with. So that relationship management piece um is really important. And then, you know, we, we’ve also talked quite a bit about how the handover document is one thing, but ideally in our organizations, we’re creating all of these, not specifically the exit memo, but a lot of the documentation during our time there when we’re not even thinking about leaving. So documenting how we do certain processes, where possible building in redundancy. So like having someone shadow you when you do something so that if you have to step out, someone else can step in, um making sure that you’re not working in a complete silo, which I know is really hard in a small organization because everyone is so busy, but just as much as possible trying to build in some crossover. And um like Aparna was saying, sort of succession planning where like once a year you sit down, you look at, you know, your job description, the responsibilities you have, who can back you up and just making sure that’s up to date because at any point, even if you’re not planning on leaving, anything could happen and you really want to leave, not just the organization a good place, back to the altruism comment, but also you want to make sure that the people that you’re supporting, like the community and the partners and you know, your fellows, in my case, you want to make sure that they don’t get dropped and they feel supported in the transition. Did you, Leanna, did you meet the person who was going to take your place? Take your job? I knew the person but I did not know they were going to take my role. So they were the person who ended up in my role and is currently in my former role, was a fellow. So I had connected with her as a fellow, which was awesome because she was the right person. 
She knew the programming, but we didn’t get to do a handover just because, you know, that hiring process took time. And so all there was at that point was sort of documentation.
It’s time for a break. Virtuous is a software company committed to helping nonprofits grow generosity. Virtuous believes that generosity has the power to create profound change in the world and in the heart of the giver. It’s their mission to move the needle on global generosity by helping nonprofits better connect with and inspire their givers. Responsive fundraising puts the donor at the center of fundraising and grows giving through personalized donor journeys that respond to the needs of each individual. Virtuous is the only responsive nonprofit CRM designed to help you build deeper relationships with every donor at scale. Virtuous gives you the nonprofit CRM, fundraising, volunteer, marketing and automation tools you need to create responsive experiences that build trust and grow impact. virtuous.org.
Now back to the essential craft of leaving your job. Laura, do you have anything to add to the to the holdover plan guidelines? I think kind of the direction Leanna was taking it of there is that document, I put together plenty of shared Google Docs as I was exiting. But ideally, that’s just kind of the icing on top. And ideally you’re building on a culture where it is just normal to keep things documented and to work in the open is a value that we had of, I’m not supposed to be working in a document that only I have access to because I eventually want my colleagues to be able to feed in whether it’s to contribute or just to understand and be able to check in. So I think again, circling back to the initial question of why even this topic, I think places that are resilient and healthy places to work often are places where it’s OK and normalized to leave because we’re individuals with vibrant lives and vice versa. A place that feels like awesome Carol’s moving on to something new. 
That’s fantastic. Probably also has already existing. A lot of processes like the redundancy Leanna is talking about or the documentation culture or just openness and frankness. So I see it all as very, I don’t know, connected to well being of people and organizations. I still think that’s altruism. Laura, did you, did you know who your successor was going to be? And did you talk to that person about the job? I didn’t, I was in a co leadership role at the time, like I mentioned, so I knew that she would be taking forward a lot of things, but I didn’t meet my immediate successor yet. Did anyone, did anyone ever in any job? Never? Ok. I don’t know. I was wondering if that would be awkward but, but you’re all so generous and altruistic that it might not be awkward at all. Um OK. Well, we don’t know, we, we’ll just say that it wouldn’t be awkward because you have the, you have the best interests of the organization in mind as well as your own best interests. That’s why you’re departing, right? Ok. Ok. Um Have we said everything about the Hold the, um, thinking of the movie, the movie The Holdovers? So I was thinking of Paul Giamatti and the Holdovers, the, the Academy Award nominated movie that the handover plan. Have we said everything that you said in the session about the handover plan? Did we leave anything out? Ok. I don’t want nonprofit radio listeners to get short shrift. We covered the handover plan. Well, we created a couple of templates and gather some resources that are related to that documentation piece. And so we did share that out with attendees on the collaborative notes for the session. Um just as an example of what we’re talking about to make it, would that be possible to share with the public or it’s just, is that like just through the NTC 24 NTC app, it’s in the app. But I mean, if someone listening to this wanted to reach out to one of us, I’m sure we can just send a link and I think the URL is public anyway, so anyone can access it. OK. 
So what would you search for, NTEN? I think there’s usually after NTC, a list of all the collaborative notes from the sessions, but I don’t know the Exactly right. Right. OK. Yeah, because I saw it for last year’s 2023. Right. So if you go to nten.org and you look up 24 NTC, you’ll find the list of publicly available resources there because I know it’s available from last year’s so. Alright. Um Checklist of what I’m just drawing from your session description. I’m not imposing these things on you. You, this is I’m taking from you, sample checklist of what to address in your job handover. Well, we kind of covered that. Yeah. Right. Right. OK. I wanna make sure we cover everything, tips for setting up your team or successor for success. Yeah, we talked about that. Alright, but we’ve only been talking for like 23 minutes and we did a 60 minute session. The emotions. Thank you. Yes, the emotions, how to leave well. Let’s um ok, uh Laura, you brought up, you mentioned emotions. So why don’t you? I suspect that I would get caught. You volunteered. You were gracious enough to volunteer the idea. So thank you for sharing. Well, I mean, I hope my lovely folks here in because what I realized actually through the process of getting ready for this panel was that the emotions I had to deal with were my own, were my own fears that I decided after a long period of deliberation that I needed to leave and not directly to another role, which is sometimes harder to talk about. It’s easy to say, look, I’m going to this really cool shiny place. It’s a little harder to say, I’m going to my couch now, like I’m going to rest and recharge and all of that. Leanna, you had that because you were, you knew where you were going to the Aspen Institute at the time you left. So you experienced that, right? Yeah. So I had the first step for me was validating my own feelings and recognizing that going to nothing, going to rest, going to myself was valid. And once I got past that. 
There was a lot of concern about how is my co deputy director going to take this? I love working with her. If I could, I would work with her forever. I don’t want her to feel bad. How is the rest of the leadership going to feel? How is the team going to feel? And that’s all on me, that’s all on the person who’s ruminating on these things more so than the actual departure. Guilt. It sounds like departure, guilt. Yeah, I think we talked about guilt and shame as well, particularly perhaps in the nonprofit sector where folks have a sense of identity and like uh see themselves as their work or their work as themselves and take it very personally. So for me, the biggest bit was my own emotions that anybody else want to share about. I’m not going to call anybody, anybody else want to share about the emotions they felt in the, in the transition for themselves, for the for family, pressure from family, friends, a partner, I think similar to what you’re saying, I think I realized so many of my emotions around it were not misplaced but blown out of proportion by myself. Like when I actually announced that I was leaving and people were really happy for me. Like I, I just, I had assumed that I don’t know what I assumed the worst, right? You assume the worst you hope for the best, but they were such on opposite ends of the spectrum that end up being, ended up being really great, I think for me, because I was taking a leap to not another organization to independent consulting. I think there was just a lot of fear and it was a realization of how much of my own self worth I had tied up into having a job like a traditional 40 hour a week job. And I was like, who am I? If I don’t do that? Am I worth worth less to who? I don’t know. It just now that in retrospect, when I think about it, it feels silly. But at the moment, at the time, I was like, I don’t know any other way and it felt like a huge leap to say, I want to try something different. So it was more, you’re right. 
It’s so much internal pressure. And once you make that decision, once you announce it, Carol is talking about a comms plan of like, who do you tell first? And then who do you tell? And what’s that whole list? And I feel like with each little bit of telling, it feels a little bit more freeing and like, oh, this is real and it’s ok and life will go on, someone will get hired and the work will happen and it’ll be fine, Leanna Yeah, that I think, you know, announcing it to or sharing it with your colleagues, some will take it well and encourage you and others might not take it well. And part of my learning was that if someone did not take it well, or they felt like why are you abandoning us? This is your loyalty is here. You know. But I think we think about nonprofits as like family, we’re going to be here forever. And so even I think unintentionally sometimes someone’s first reaction might be like, but why I don’t understand, it just doesn’t compute even if eventually they get to a place of like, I’m happy for you. I get it. But I think for me, it was a learning to, like in the beginning, I was very much trying to manage their feelings and justify and be like, wait, wait, wait. But don’t be sad. But let me explain, but let me make you feel better. And then at a certain point, I realized that wasn’t really up to me. It was not my responsibility. I still as a good colleague and friend wanted to be there for folks, but I couldn’t really control what was going on for them. You know, they might have, I don’t know, maybe they were also wanting to leave and they felt like a little, I don’t know who knows what they call survivor guilt, right? And so it’s hard because you feel like I’m the one that’s creating the hurt. So I also need to manage the hurt, but really it’s not up to you to do that. And it’s hard, it’s hard to sort of set that boundary and be like, I understand where you’re coming from. And also I can’t, I can’t fix this feeling for you. 
Emotion, Carol, we talked a little bit about, I mentioned the comms plan maybe because I have my comms hat on, but we talked a little bit about um actually having a huddle and thinking through and writing out here’s, here’s who needs to know about this internally. And before a public announcement goes out, here’s who needs to about this, what level of detail, um what level of detail or context that they need to know, how is it going to be delivered to them? And so what we found is that sometimes for, for one person, it might be that it needs to be a phone call or one on one conversation with someone you worked really closely with for a very long time. And it would be really shocking if they found this in a public announcement, even though you hadn’t been in touch with them the past year. For other folks, it might be, it might just be a group email. You, you were in touch with this organization at one point, FYI, you know, um the transition is happening in this role and, but in all of that, I think you can, you can do a lot of homework and planning how you share it. But in the end, humans are humans and they will really surprise you and sometimes they will surprise you and how supportive they are and how, you know, they, they help you navigate some of those questions that you’re struggling with yourself and sometimes they really might just not take it very well. Um And I think so you can do your homework, but in the end, humans will be, humans will be humans. And that is, that’s not on you. And you know, it’s not your responsibility to figure out how um how the role is going to be filled once you’re gone. I think we’re taking on. We feel like it’s our responsibility to leave it well, but it’s not on us to chart out what it looks like beyond our time there. I think one thing we don’t talk about enough and even I am guilty of hiding this part is I made the decision to leave when I was on parental leave and that happens to so many people. 
It’s such a monumental change in your life. And I think there’s so much shame attached with like, oh my gosh, but I owe them X amount of time, whoever it is or I have to go back. I don’t want people to think this is what happens when you go out on parental leave that you don’t come back. And there’s so much complexity that goes into that. But we don’t honor the actual huge change in your life that it feels like for some people. And I think we live on Congress may repeal parental leave. If I abuse, if I abuse it, it may, it may be withdrawn from the nation if I Yeah, maybe like it will affect the policy. The ORG policy. I’m like, you don’t want people to you. And then at the end of the day, I was like, but it’s, it’s my life. I have this one beautiful life to live and I don’t want to make stay for the wrong reason. I want to be there and I want to be present. And so I made the decision kind of halfway into my leave and I didn’t just not go back. I went back part time. I phased out there’s ways to do it with care and compassion that you feel. So it wasn’t betrayal to myself. But I think we just, it feels like an all or nothing like you have your leave and you go back and you just pretend nothing happened in your life. And I think in this age of social media, I was looking at so many people that do that and I did that with my first kid and this is my second kid. And I was like, I don’t want to repeat that for myself. It had to be such an individual decision. And I was like, oh, but all these other people, they can do everything and they’re so happy and they make the home cooked meals and they work outside the home and why can’t I cut it? That is what I asked myself and I had to really let go of that. It’s not me, this is such an individual decision and we owe it to ourselves to really think about it as carefully as possible. Anyway, I didn’t want to not mention that. Thank you. I’m glad you did. Thank you. What about the role of family, friends? 
Is that, uh is that important? I mean, a lot of you are saying that it’s in, well, you’re all saying it’s individual so you don’t not that you need the support. You, you’re, you’ve made the choice for yourselves. Um And you’re, and you’re learning, you come to respect it but family and friends, any, any role, uh doesn’t really matter what they think, you can say that. I don’t want to put out a directive that you must discuss with your family and friends. I think, you know, we all have different kinds of relationships and, um you know, I have friends who are peer mentors in a way that, you know, people that I can discuss some of these transitions or questions with, um, in a way that’s really where I can be really safe and vulnerable because they’re not in, you know, involved in the work that I’ve invested in. Um And I’m sure there’s a lot of conversations with families about what it means if you’re, especially if you’re leaving without something. Um one thing that came up towards the end of the session is someone, uh, one of the folks who were there, asked, you know, did you have a, was there a particular thing that made you realize I got to go, like this is the moment, and I raised my hand and I was like, very easy. I’ve left a job because of money and, you know, if I, if I can’t, um, you know, if I don’t see a way that that can change at all, that’s, that’s me sacrificing something for myself and for my family. So Leanna, we also talked about how not all um situations leaving a job are by choice. Sometimes leaving a job is also because you’re getting laid off, right? Um And in that case, like you can’t really prepare for it necessarily by talking to your family and friends. But um having been through a layoff, like your friends and your family are your number one support system. 
Um And it is so critical to be able to lean on those people to sort of figure out both from a logistical aspect like your finances and your insurance and all of that, but also just the mental and emotional support of how to deal with um leaving a job when you’re also like, have maybe even more feelings about it than you would had you made the choice on your own. Ok. How about a closing remark? Uh Carol, we’ll let you bookend since you were, you were the impetus for this. You kicked us off. Uh Leave us with uh some closing thoughts on the essential craft of leaving your job, of leaving your job. I love how you call it a craft too. You could, you could have chosen art. I don’t know if you consider it art. Uh But anyway, you chose craft, the craft of leaving your job. Leave us, leave us with some closing thoughts. And then um I guess my main thing is talk about it, talk about it, talk about it from day one and towards the end of the session, a few people came up and um some folks said, oh, I’m, I’m thinking about leaving my role. You know, I, I’m so glad I sat through this. Another person said, I just left a role that was not working out and sitting here felt so healing to be together with other folks who are sharing about their experience and speaking with us. So I think um in the lead up to this session, I had connected with other folks about it as well and even arriving here when people would ask, oh, like, are you presenting? And I would mention this is the session that I was, um I was speaking on. Most people had a pretty strong reaction to it. Like I think we just don’t talk about it enough. So, um you know, sit with yourself and, and think about it for yourself, but also talk about it with your team as you build out those teams. Thank you. That’s Carol Robison, Director of Communications at the Online News Association. With her is Laura Guzman, Director of Communications at DEV Global. 
Also Leanna Malina, senior project manager at the Aspen Institute and Aparna Kari, independent consultant. Thank you very much. Thank you all. Thank you for sharing. Thank you all. So that’s you’re gonna leave us book ended. You remember I was like, I’m gonna stop talking. People have better things to say than me. Thank you all very much. And thank you for your, for being with us for the 2024 Nonprofit Technology Conference where we are sponsored by Heller Consulting, technology strategy and implementation for nonprofits. Thanks for being with us. Thank you.
It’s time for a break. Imagine a fundraising partner that not only helps you raise more money but also supports you in retaining your donors, a partner that helps you raise funds both online and on location so you can grow your impact faster. That’s Donorbox, a comprehensive suite of tools, services and resources that gives fundraisers just like you a custom solution to tackle your unique challenges, helping you achieve the growth and sustainability your organization needs. Helping you help others. Visit donorbox.org to learn more.
It’s time for Tony’s Take Two. Thank you, Kate. There’s a new gym guy. Uh I’ve been overhearing. Uh I haven’t seen the previous gym guy, I’m sure he’ll be back. The one who, uh, gave me the, the lesson in motor boat, uh, engine troubleshooting and, um, the, uh, narration for the Blue Angels, uh Memorial Day show. I haven’t seen him, seen or heard him. I haven’t heard him lately. He hasn’t been in the same time that I go, but there’s another guy a little loud, you know, loud, uh, older easily. I’d say 75 or so. Uh And he has recently been diagnosed. Uh, of course, I’m learning this as I’m forced to listen to him at the gym with idiopathic pulmonary fibrosis. Now, I knew right away idiopathic means the, the doctor can’t determine the cause. It’s just an unknown cause and pulmonary fibrosis, I wasn’t so sure about.
So I, I mean, obviously I knew with lungs, pulmonary lungs, but uh, so idiopathic pulmonary fibrosis, they don’t know the cause but your lungs thicken and harden. Uh and, and they sort of grow these fibers, they become fibrous and lung tissue is supposed to be uh loose and expandable and contractible and flexible and permeable. So he’s got a serious and it’s a serious disease. Um, he comes to the gym with a supplemental oxygen tank, he’s got a tank strapped across his shoulder like a, like a woman might wear a, a purse in a crowded subway or, you know, in a, in a busy uh in, in a busy city, you know, like, so you don’t want it to be taken off your shoulders. You’d wear it across your shoulder. And that’s the way he wears his supplemental oxygen tank. And I was thinking if this guy with a supplemental oxygen tank can get himself to the gym and he’s working his ass out, he works on a bike. Uh, that, that seems to be all, that’s all I saw him doing. I think that’s all he does. He’s on a bike, but this guy’s got supplemental oxygen and he’s, he’s pushing himself to get to the gym and work out. So I think if idiopathic pulmonary fibrosis guy can get to the gym, we all can do some form of exercise, whether it’s go to a gym or run or yoga or even meditation is exercise. What, whatever it is, pick your, pick your workout, free weights, Pilates, whatever, Peloton, whatever it is. If this guy can work out, I think he’s an inspiration for all of us. And that’s Tony’s Take Two. Kate. Now, I feel inspired to go to my Monday yoga class. Now, I wish it was tonight. I’m gonna go do yoga now. You, well, maybe there’s two classes a week you can go to. Now, I gotta figure out if there’s Thursday night yogas. All right. Do it. It working out if, if this guy can do it, any of us can. We’ve got vuko but loads more time. Here is data privacy.
Welcome back to Tony Martignetti Nonprofit Radio coverage of the third day of the 2024 Nonprofit Technology Conference. You might be able to hear in my voice just a little bit that this is the third day. We’re sponsored at 24 NTC by Heller Consulting, technology strategy and implementation for nonprofits. With me for this conversation are Kim Snyder, vice president of data strategy at Roundtable Technology, Lauren Feldman Hay, the Chief Information Officer at Fountain House, and Jonathan Geller, a member of Fountain House. Kim, Lauren, Jonathan, welcome, welcome to Nonprofit Radio. You’ve done your session already? Have you or is it this afternoon? Ok. Ok. Very good. First day you took care of it. So maybe we’ll talk about some of the questions perhaps that emerged from there. We’re gonna talk about a little more privacy, please: diving into data privacy for nonprofits. Jonathan, let’s start down the end with you seated. Uh furthest from me. Well, you know who you are, but for the folks, uh folks who don’t have the advantage of video, Jonathan is seated uh furthest. Why do we need this? Why do we need the session, Jonathan, what, what was the impetus for this? Well, for me, uh being a member of Fountain House, uh first of all, something that I that I’ve been screaming, screaming about from the mountain top for over 20 years is data privacy just personally. So once I became a member of Fountain House and I saw how seriously they treated my data. It was, it was refreshing. All right. So you, you, you saw the impact of uh Fountain House’s scrutiny, scrupulousness, scrupulousness, not scrutiny. Um Alright, so Lauren, why don’t you share a little bit about what, what Fountain House is about and uh why, why you are so scrupulous about your members’ data. So um Fountain House is an organization um that was one of the first uh the first clubhouse for folks with serious mental illness.
Um It was formed by members um for members and so staff and members work really closely alongside each other, which means that members and staff um work with member data. And um and we want to make sure that members and staff um know about data privacy and know why it’s important um especially when dealing with really sensitive personal information for folks. Um And I guess, yeah, that would sum it up. We’ll go into more detail. That’s a good, that’s a good kick off. Thank you. And um Kim, can you uh add your your perspective to the, to the overview the why for the topic? Um Well, besides for the fact that data privacy protects data that belongs to people, and I think that’s what we need to remember. There have been numerous data privacy regulation, numerous laws passed in, in states and we’re seeing an increasing number of that, of those kinds of laws. So it does speak to something that nonprofits need to think about being compliant with or being able to answer to at a time when people are thinking about their own privacy more and might be asking questions about it. Privacy is very aligned on in terms of ethics with a lot of nonprofits and nonprofit values and very human centered approach to data. But now it is entering the kind of we’ll call it regulatory world. Um So I think it does need to, it, it has implications for how nonprofits work with data. The regulatory world. So you’re referring to the PII, the personally identifiable information and, and states, I mean, there are a lot of states that are enacting laws uh that what we’re referring to. Yeah, they’re, they’re picking up steam because federally we haven’t been able to pass a law. So GDPR, which is the general data privacy regulation that came from the EU really created a framework for data privacy and what it means that an individual has rights to their privacy. So if I give you my data, I have certain rights, my data does not become your data.
So that, that comes with certain implications and in the absence of a federal regulation, we’re seeing more states pick it up. And in 2023 7 states pass privacy laws, they’re all a little different and not all of them will cover nonprofits necessarily. But in a time when people are more privacy focused, you need to be able to answer to the kind of data practices that would allow you to comply with these regulations. Are there some state laws that exempt nonprofits? You, you just, you just mentioned some don’t apply to nonprofits. Are, are there states that exempt nonprofits explicitly? Well, I’ll say I won’t say they exempt them explicitly as well. There’s a, there are carve outs for nonprofits in some states. Yes. And because some of these laws will are more designed around higher revenue, for profit sales of data, things like that the law might apply to a certain threshold of annual revenue that a lot of nonprofits wouldn’t meet. But that said there are other laws that apply to nonprofit organizations and as we operate in a more boundary world, uh uh in terms of different states and, and also collecting data of people who live around the world in different countries, we need to be thinking about the implications of these kinds of laws. So while there may not be a law in your state, um it still is relevant because these laws cover the residents of the States and the countries um for the people whose data that you collect doesn’t, doesn’t necessarily have anything to do with where your place of business is. Also. Some of the laws also deal with that. So, so it’s based on the individual’s state of residence and uh your and or your, where you’re doing business. OK. So in other words, you need to be acquainted with what your state law is around privacy and data protection. That’s because we’re not gonna be able to, you know, we can’t, we can’t survey the whole country. You need to know what is, what applies to. 
But it’s also to your states where your, where your folks are, where you are. And yeah, might include donors across the country. Might include donors in Europe and other folks too. So you might not naturally think, you know, Fountain House is a New York based nonprofit, but we’re starting to do work with more clubhouses around the country. We have a history of working with clubhouses around the world. Um But when, when a lot of folks think about Fountain House data, they might first think about our own member data or employee data and having that based in New York. Um But really, you know, we are collecting data about people um donors like from, from around the country around the world. So the law would say you’re doing business in all these states where your, where your donors are. Ok. And that gives them that gives the state jurisdiction over your practices. Yeah, I’d like to add something though about um not getting too state focused but thinking of the framework that was laid out by the GDPR because all the laws are based on that. There’s some variation of GDPR thinking of that instead as a framework for trust and responsible data practices because it may not be in a state that you’re in today, but it could come and we’re in a time of more, the, the term digital trust speaks to do people trust what places are doing with their data. And I think as nonprofits, we want to be able to have the most human centered data practices and be able to answer to questions say, if a donor, um whether or not their state has a law says, you know, II I would like my data deleted. Do you want to be the nonprofit that says, well, if it’s a donor, then you legally are obligated to hold on to that data. But so that then you can say that. But if it’s just like a marketing or, or something that you’re not, you’re not legally required. Do you want to say, well, you know, you’re not from a state where that applies. So we’re not gonna do that. 
So it, it, you want to start thinking about this because it is and it’s the right thing to do the right thing to do. Jonathan, let’s go back to you. Take it from the organizational level to the individual. What, what were your, what were your concerns? What are your, well, you’re still concerned. Fountain House is treating you right? But other organizations, companies that you deal with may not. What are your concerns around data privacy? Well, my concerns stem from the fact that as someone that was the victim of identity theft and uh poor data practices. Um um I’m very concerned about what organizations are doing with my data. And even after being uh becoming a member of Fountain House, after dealing with my own mental health challenges, I certainly wanted to be more aware of what data was collected and what, what they’re doing with the data. Um So one, once I became a member and then within uh the unit that I’m a part of which is the research unit, we do a lot of work with other members’ data, not just uh my own. So it was required that we get HIPAA trained, HIPAA certified so that we handle the data in the appropriate manner and that we treat other people’s data like our own data. Um What was your own story that uh of the the where you were victimized? Um Basically all of my information, people would just approach me and hey, this is your social security number. Hey, this is where you live and I’d be sitting there saying how did you get this information? There was some bank account stuff that happened and it all just some of that contributed to my declining mental health? I see. All right. Thank you for the personal side of this. I don’t think people think of that at all, you know, they think about the the credit report impacts the, you know, the credit worthiness impacts. Thank you. Alright. Um Lauren, let’s turn to you. For some I’m taking from your session descriptions. I’m not, I’m not imposing this on the on the three of you. That’s what you wrote up.
Uh fundamental principles of data privacy. We started to touch on some, but let’s go into some detail. You’re our Chief Information Officer representative. So um like Kim said, I think starting from a culture of trust is really important, knowing the regulations, important, but also not getting overwhelmed by the amount of regulations because there are a lot and working at a nonprofit, you have limited resources, you usually have staff and constituents members who have varying levels of digital literacy and digital understanding and comfort with technology. So you have to meet people where they are. Um and, and, and have conversations about data and about keeping data secure, you know, which has a relationship to cybersecurity as well and learning about things that could compromise your data, conversations with. You’re talking about employees, volunteers, anybody who’s in touch with other people’s data. So it’s useful especially to have conversations with folks because whether you’re a new employee, be a new member, you might not know the types of information that are being gathered, the pieces of data that are being gathered to accomplish your everyday work. You know, because our organization Fountain House is complex. We’re growing, we’re growing quickly. Um We’ve been around for a long time but things change over time and, and how we process our membership. Um app applications, how we um either share information with external stakeholders or partners like health insurance, um managed care organizations that evolves and we need to have the conversations to be able to know, you know, what does this department or area of Fountain House want to do with information in order to serve folks better or outreach to more folks. Um And if you don’t have those conversations and if we don’t communicate, we don’t always know what’s going on aside from conversations. Can you share another best practice with us for, for listeners? Yeah. 
Um I would say um I really like documenting things in different ways because people learn in different ways and especially working in an organization where um you know, folks are at different levels of digital literacy, it really helps to have maybe like a visual a diagram um and some written documentation and then conversations uh we have a very verbal culture, I would say at Fountain House. So being comfortable with conversations, but then also having other ways for folks to learn and absorb information or go back. Um And, and see the, the documentation about, oh, now I know when I enter information into this system, it’s also used by this other system because I can see the visual connection between the two systems in this diagram. Whereas just interacting with them on the computer or on a tablet, I thought they were completely separate. So that type of thing II I found has been helpful as well. Kim. Can you add to our list of best practices for data privacy? Sure. Well, one of the things that’s really important to is to, well, first of all, getting to know what data do you collect, you can’t protect that, which you don’t know you collect. So, and it is a lot about, that’s adorable. Sort of a poem. Data privacy poem. I’ll work on a better one for you next year. Um But uh where was I? Um you can’t know how to protect what you don’t know that you? Um So, OK, so one of the things that’s really important because this is overwhelming, maybe you can come back with a haiku next year. I will do that. In fact, I’m sorry now. So, one of the things that’s really important is getting to know what data you collect. And I’ve been working with nonprofits for um 30 years and data actually got my start at Fountain House, which is interesting to be back working with them. But um um data in nonprofits tends to, tends to be by its nature rather siloed because a lot of nonprofits are program driven. So there isn’t a sense of what all do we collect? 
Whose data do we collect that might be sensitive. So the first real task in any of it is getting to know what data you collect. Well, how do you do that? That’s kind of for people who have a full plate. That’s, that’s a lot to also take on, right, the data inventory if you will and that is done or that is that job is made easier when you have what’s known as data stewards or different people. Departmental champions of data, they don’t have to be data analysts. There are people, in fact, sometimes it’s better if they’re not. Right. It’s more important that they know your organizations, what programs, what’s happening with programs and what’s going on in each of these different areas and departments, you kind of appoint folks as a data steward. I those are anointing with Excalibur like King Arthur and the round. I was thinking of what is uh uh from the Lady of the Lake that’s from um Monty Python, the Lady of the Lake. OK? Not like that. Um But, but you ID these, you identify them, they’re not always like the, the the program director, right? It’s people who find they have a, they kind of get along with data. You find those people, those are your gems and the fountain house. It’s, it’s, it’s so great because it’s members and staff and it’s, and those people will know your data stewards will know what you collect and you engage them in the process of understanding what you collect, understanding how data moves, right? Lauren was talking about diagrams but understanding like how do we get this data and then what happens to it and what are the steward’s responsibilities. Why are we anointing these folks? We are? Well, I don’t officially have an anointing process. That’s my word, but I encourage every organization. What do they do? What do our stewards do they get to know the data? They, um we actually have templates and things like that. These are the kinds of things we gave out in the webinar. 
Uh They document what it like the flow of information through their various area. It could be very specific to one program. It could be a department. Um It really depends on what their perspective is, but they there and there’s a certain template for interviewing kind of to understand mapping, start to map the structure to the flow of data through your organization. And at that point you can identify. Wow. OK. We’re collecting very sensitive information in XYZ program. OK. Wow. What are we doing with that? How do we protect that? Where is it all going? Do we share it? Do we allow people to download it to their computers? Hopefully not Jonathan. What does, what does Fountain House do specifically that you as a member? See? And that reassures you. Well, again, I’m just basing this off of my experience. Um This is as Kim was mentioning before about the data stewards. It’s something that I wasn’t anointed. The Lady of the Lake did not know it didn’t happen in a way at all. They basically said you seem to have an apt some some level of aptitude for this. So you need to get HIPAA certified. And I said, sure I’ve had experience with that in the past. Um Basically, now again, this is more from the member side, not so much the donor side. Um Anything from processing the nece uh the necessary membership applications as Lauren was mentioning before just uh inputting the data within into certain systems, sometimes migrating that data over to other systems. And then for me, what’s the most important part about it is I treat everyone’s data like I’m handling my own data and you feel like others in Fountain House do the same. I’m looking for, you know what reassures you about what they do. It’s just again, as Kim was had mentioned, just the conversations you have with people, they’ll sit there, privacy is something that’s very important to me. So they’ll sit there and due to the fact that it’s just it’s an open culture, but it’s also a respectful culture. 
So it’s someone sitting there saying listen, is this something you would like to talk about in private? Come here, let’s talk about this in private. So we could go over this, we could find out what to do. If you have any questions, there’s, there’s boundaries put in place and their unspoken boundaries. But it it’s I think it’s more of a respect than anything else. Respect, respect for the person and, and their data. I mean, and this could be as simple as like address. I mean, I’m thinking of maybe an animal shelter. Well, they need to have your address, they need to know where they’re placing adoptions, right. I mean, it doesn’t have to be social security number and credit cards and children’s names necessarily address and phone number, email. All of that is considered personally identifiable information and we want to make sure we protect it. Um, we in our clubhouse locations, uh we have members and staff working together with contact information of other members reaching out um conducting outreach, phone calls, emails, texts, and people take that information seriously. Um And um they want to engage with the member and they know that other members also will be engaging with their information and reaching out to them. So I think that participation, that direct participation really lends itself to both understanding why it’s important to protect information. Um because data is information, you know, it could be on paper as well. We haven’t really talked about that aspect of it. Um And, and also identifying and working with, with people’s strengths. Um That’s something that’s really important in our culture too, to identify people’s strengths and come from that approach. And, and that’s kind of a similar, a nice parallel with identifying data stewards, identifying folks who, who might be doing things and they don’t consider themselves a data person at all. Um They might be really focused on, on helping folks find employment or housing. 
Um And then they learn more and more about data and then, you know, a new, a new phase of their partnership and membership in Found House emerges, which is pretty cool. What came out of your uh your session? Like what, what questions that uh you remember uh were, were poignant, interesting questions or comments or comments from the audience. Uh One that stood out for me was there was a gentleman who informed us that he, he became sort of the accidental techie at his organization. And he said, how do I start this conversation? And it’s a simple question because is, is there, you know, it, it sounds like is there a specific approach, is there a way to do this? And I’ve had experience in sales and marketing in the past. So I just, it stood out to me as a very unique question because the answer is just simple. Just start talking to someone. What do you do? What’s what throughout your workflow day? What is it that you do? What is it that you handle? What is it that you come across? What do you use to? What do you use to navigate this? What do you use to complete it? Just ask a question. That’s all you have to do. And I think I was thinking of that same, that same person and that same question because a lot of times if you end up being the accidental techie or the person who’s, you know, maybe the first person to, to start talking about, about data privacy and, and the risks that we have as nonprofit organizations having lots of personal information on, on lots of different folks. And how do you, when you’re say a small nonprofit, especially where you don’t necessarily have someone in charge of operations as a whole or technology as a whole. Um How do you start having those conversations with people, you know, who aren’t necessarily on your team? They might be on a different team. Um You know, working in finance or you might be working in like marketing and like keeping all the social media accounts up to date. 
And so having having conversations can then help you start to have a venue like a regular, you know, meeting series where you talk about things like data privacy that maybe didn’t have a home before and then by, by having these conversations, you start to build a home for it and more and more people begin to learn about it and realize its importance. Anything else from the session that stood out comments, questions that maybe questions you weren’t anticipating. We didn’t have that much time. I will be honest um in the side because it was a full plate, let’s put it that way. Um Wish we had more time for people’s individual questions. I think one of the, I can talk about one of the takeaways that we wanted people to have and I think both Jonathan and Lauren have spoken to this already. But the idea of this is a journey and you can find a way to mesh it with your culture. This does not require lots of technical tools, getting to know your data is by and large, not a technical task. It’s one of having conversations, it’s talking to people and often people want to sit down and have these conversations and to build that knowledge base in your organization to start to, you know, educate your staff, your colleagues on this is what we collect. Well, these are kind of the policies we might wanna put in place in order to make sure that we’re handling data uh in a way that’s, you know, both respectful and enables us to get our work done. Jonathan, I’m gonna ask you to close us out as the, as the person who was uh sounds like devastated by AAA breach of, of data. So talk to our listeners in small and mid size nonprofits and remind them how important it is and what you want them to take away. I think um when you’re dealing with sensitive data again, as Kim had mentioned, no, and Lauren has mentioned, know what your data is, know what it is that you, you have your hands on and take the necessary steps to ensure that you treat others data like you would treat your own data. 
That’s Jonathan Geller. He’s a member at Fountain House with him is uh Lauren Feldman Hay, the Chief Information Officer at Fountain House, and Kim Snyder, Vice President of Data Strategy at Roundtable Technology, formerly of Fountain House. All right, Kim, Lauren, Jonathan. Thank you very much. Thank you so much. Thank you. Thank you a pleasure. Thanks for having. Thanks for sharing and thank you for being with our coverage of 24 NTC where we are sponsored by Heller Consulting, technology strategy and implementation for nonprofits. Thanks for being with us.
Next week: use your tech to enable generosity. If you missed any part of this week’s show, I beseech you, find it at tonymartignetti.com. We’re sponsored by Virtuous. Virtuous gives you the nonprofit CRM, fundraising, volunteer and marketing tools you need to create more responsive donor experiences and go giving. virtuous.org. And by Donorbox. Outdated donation forms blocking your supporters’ generosity? Donorbox: fast, flexible and friendly fundraising forms for your nonprofit. donorbox.org. Fast, flexible, friendly fundraising forms. I, I, I can’t get over the alliteration. Love it and I didn’t write it. You know, they write it. Our creative producer is Claire Meyerhoff. I’m your associate producer, Kate Martignetti. The show’s social media is by Susan Chavez, Mark Silverman is our report guy and this music is by Scott Stein. Thank you for that affirmation, Scotty. Be with us next week for Nonprofit Radio, big nonprofit ideas for the other 95 percent. Go out and be great.

Nonprofit Radio for May 8, 2020: Data Privacy Practices


My Guest:

Jon Dartley: Data Privacy Practices

Let’s have a romp through the fields of data privacy and cybersecurity, musing as we frolic on just how important the right practices and policies are to your nonprofit. My guest is Jon Dartley, Of Counsel at Perlman+Perlman law firm.

 

 

 


[00:00:12.00] spk_0:
Hello and welcome to Tony Martignetti Nonprofit Radio

[00:02:19.07] spk_2:
Big nonprofit ideas for the other 95%. I’m your aptly named host. This is our second non-studio show, produced using a dizzy Audacity and Zoom. Oh, I’m glad you’re with me. I’d break out in Wall Dyer’s ring if I had to say the words you missed today’s show. Data privacy practices: let’s have a romp through the fields of data privacy and cybersecurity, musing as we frolic on just how important the right practices and policies are to your nonprofit. My guest is Jon Dartley, of counsel at Perlman and Perlman law firm. Tony’s Take Two: take another breath. We’re sponsored by WegnerCPAs, guiding you beyond the numbers, WegnerCPAs dot com. By Cougar Mountain Software: Denali Fund is their complete accounting solution made for nonprofits. Tony-dot-M.A.-slash-Pursuant Mountain for a free 60-day trial. And by Turn Two Communications, PR and content for nonprofits. Your story is their mission. Turn hyphen two dot ceo. It’s a pleasure to welcome Jon Dartley to the show. He founded and operated Involve, the web application development and design firm that pioneered online peer-to-peer fundraising, list building and advocacy campaigns for nonprofits. Involve was acquired by Kintera. Jon probably made a lot of money there. When Kintera was acquired by Blackbaud, Jon probably made money again, but he was also named senior deputy general counsel and information governance chair. Besides all that, he has more than 15 years experience representing nonprofit organizations. He’s of counsel at Perlman and Perlman law firm in New York City. The firm’s at Perlman and Perlman dot com and at tax exempt lawyer. Jon Dartley, welcome to Nonprofit Radio.

[00:02:21.64] spk_5:
Glad to be here. Thanks for having me.

[00:02:23.19] spk_2:
Good to have you. That was, uh, that sounds like it was quite a run with Involve and Kintera and Blackbaud.

[00:02:29.54] spk_5:
It was definitely an interesting path. I like this day. It gave me a lot of kind of real world experience. Great to work on both sides, both work on the software side, now back on representing clients. Yeah. Yes, it was interesting.

[00:02:43.11] spk_2:
How many years was that from, like, from the time from founding Involve to being appointed senior deputy general counsel at Blackbaud?

[00:02:52.74] spk_5:
Right, about seven or eight years. And when I start with the ball off again, we working with some very large nonprofits doing web applications. This was like the first kind of friends-asking-friends type approach. And then we just kind of built out organically, like working with nonprofit clients, and eventually bought and bought again, as everyone knows a lot. Elation.

[00:03:26.39] spk_2:
Yeah, good, wonderful. It’s a good trip. So isn’t practicing law now boring, without all that? You don’t have a, let’s, startup excitement and challenge and all those obstacles and frustrations.

[00:03:27.92] spk_5:
The grass is always greener. So, you know, when I was on that side, it seemed like just being a lawyer would be very comforting. Now you’re like, sometimes you miss the excitement. But I help my clients, and we have some smaller clients that are building, you know, interesting brands that you’re saying. All of this, so I feel like I’m so not sure. I’m just advising my clients

[00:03:46.69] spk_2:
Without, without all the agita. It’s once removed, once removed from, uh, from rounds and rounds of financing, et cetera,

[00:03:56.25] spk_5:
where you are like wearing having to pay painful, easy,

[00:04:32.40] spk_2:
Right, get back and I make, right. Can I make the, yeah, can I make salaries this week? Right, right. So, um, all right. Data, data privacy, cybersecurity. I think people probably understand, in our current environment, I’m not having to do with coronavirus, but just living in 2020, I think a lot of people are conscious of at least cybersecurity issues. Maybe not so much data, data privacy. But let’s make sure, you know, give us some, uh, motivation for why data privacy and cybersecurity should be paid attention to.

[00:05:16.39] spk_5:
Yeah, I’m often accused of scaring people, and I think that’s a good thing, you know, frankly. I work with for-profits, now work with nonprofits primarily. And, you know, nonprofits are themselves 5 to 6 years behind the for-profit world in taking privacy and cybersecurity seriously. Just, you know, in the for-profit world it’s now a C-suite, you know, job. Often it’s a chief privacy officer, there’s teams of people working on things. Nonprofits, they are starting to learn the importance of taking the practices and putting these policies in place. But a lot of times is an infrastructure is do. The manpower is too. But just to kind of give a context, every year the amount of breaches grows. Last year, 2019, the amount of damages increased by about 17%. And just in the context of what that costs, the average breach costs an organization almost $4 million. Now, given there are some very large breaches, so that kind of skews the results. But in terms of a per record, so think about donors, how many donors you have, basically an average of $150 for every record lost is what you’re gonna pay in regulatory fees and other fines and other kind of charges. So that’s, you know, a real, real thing.

[00:05:44.28] spk_2:
Now, what about the comparison between, you know, corporate and nonprofit breaches? I mean, well, I’m thinking off the top of my head of, ah, Marriott. Uh, you know, I don’t, 100 million records or whatever. It maybe was only 10 million. I don’t remember, but many millions of records. Um, there have been other big corporate breaches, but have there been breaches, maybe they’re just not as, uh, as publicized, on the nonprofit side?

[00:06:21.42] spk_5:
You’re actually exactly right. Uh, small and mid-sized nonprofits are actually being increasingly targeted. They don’t have the sophisticated protocols in place to kind of protect against some of these hacks. We don’t hear about the malls and not the big build. Another Facebooks of the world on an ID only they’ve been. Actually, some studies done is not evident. It totally they’ve been some studies done that nonprofits actually hurt more than for-profits from a data breach. I’ll give you an example. You know, Facebook gets breached. How many people actually got off Facebook and stopped using it, right? Nonprofits, in a way, are more fungible. Some donors will donate to more than one organization. Studies have shown, if there’s a data breach at a nonprofit, donors are less likely to come back next year and donate. I’ll just choose another organization. So in some ways, the bar and the risks are even higher for nonprofits.

[00:07:03.52] spk_2:
Right. All right, right. I’m, I’m more committed. I’m pretty committed to my Marriott, Marriott Bonvoy points. No, I don’t. I’m gonna keep using the brand because I’ve got a couple 100,000 points with them.

[00:07:29.30] spk_5:
Exactly. The reputational harm, I have to say, Tony, it’s, organizations don’t think about that. But these days, I think we’re all more sensitive to how our data’s being treated. Yeah, there are a lot more regulations out there, which we’ll talk about. But the reputational harm can last for years, especially when an organization is seen as either not doing the right things, not taking kind of, you know, appropriate precautions. That could really be devastating.

[00:07:40.49] spk_2:
All right, since you mentioned regulations, um, uh, you know, we heard a lot about GDPR when, when that was new. What was that, like, two years ago or so?

[00:07:50.44] spk_5:
That, May of 2018, went into effect.

[00:07:53.86] spk_2:
Okay, pretty good. Usually I’m bad about estimating time. All right, so it was two years ago this month. All right, um, so GDPR. But you can acquaint us with that. What, I mean, for a U.S. charity, what do we need to be conscious of there?

[00:08:44.74] spk_5:
Yeah, it’s funny, when it came into effect, it seemed like for a few months, like, just everyone was talking about it. I remember a Woody Allen movie would talked about. He said soon will be, the Renaissance will be painting. Thing is like, I think soon it was like, that’s all we’re talking about, GDPR. It’s like literally for a few months the only emails I got from clients was like, what is this thing with GDPR and what do I need to do? Now it’s two years later, we’re still talking about it. But there are other regulations that have come into effect as well. The General Data Protection Regulation does affect nonprofits, which came into effect in 2018 and has very specific requirements. So does it affect your nonprofit, some of you listening? If you have a website, it probably does, right. GDPR affects anybody collecting any information from someone residing in the European Union between the UK, including Switzerland. So B e a, uh, and you know, if you’re only collecting a few names from those countries I wouldn’t be as concerned. But if you collect a little bit more than that, then it probably makes sense to comply with GDPR.

[00:09:39.37] spk_1:
It’s time for a break. Wegner CPAs. They have a bunch of COVID-19 resources on their site. Tax questions related to COVID-19. We received our PPP funding. Now what? Developing your 13 week cash flow forecast. Internal controls, COVID style. What about cash? How are you controlling cash in a virtual environment? This is all at wegnercpas.com. Click Resources.

[00:09:45.17] spk_2:
Okay. So, John, it’s only, it’s only if you’re collecting data. Not, not if EU citizens or Swiss citizens are visiting your website, merely visiting your website.

[00:09:55.14] spk_5:
But really, it is, because what it has done has lowered the bar of what personal information is, right? We all care. We were going to use the term sometimes, PII, personally identifiable information. And so what GDPR is concerned about is if you collect PII. According to GDPR, an IP address, right, we all have computers, we access a website, we have an IP address, that’s considered PII. So, technically, anybody accessing your website, if you collect their IP address, which most people do automatically, you’re, you’re technically subject to GDPR.

[00:10:27.29] spk_2:
okay. Wait. All right, So you’re saying most web? Most websites automatically preserve the i p address of a visitor.

[00:10:36.34] spk_5:
Most do through, like, Google Analytics or, you know, at least. Yeah, all these, the analytics people use, automatically get the IP address when someone visits your website.

[00:10:43.64] spk_2:
Okay. And that then is an entering argument for GDPR to apply to your, your website, your, your nonprofit.

[00:11:34.01] spk_5:
Exactly. I just counsel our clients that you should really only be concerned if you’re collecting and be getting. Don’t you collecting information more than IP addresses to get it? It’s kind of, ah, it’s a risk reward. If you’re only getting a few IP addresses, you’re not doing anything with it, the odds are of GDPR becoming an issue and the regulators looking at your nonprofit, probably small. But, okay, a lot of nonprofits in this country either have offices in the EU or have people access routinely. So I’ll give you an example. We worked with a large, well-known museum, and when people come from Europe they often want to visit this museum in Manhattan. So they have ticketing and they’re having thousands of people, not really, at least used to, when people are travelling, buy museum tickets. GDPR squarely applies. They have to comply.

[00:11:48.48] spk_2:
Okay, so beyond the, beyond the, this sort of perfunctory, the IP address. So if we don’t have, ah, a location that people are buying tickets to come to, what other kind of data would, would trigger the GDPR for us?

[00:12:30.11] spk_5:
Any name and email address, you know, collecting that from anybody residing. And when I say the word residing, you don’t have to live there. So, technically, Tony, if I went to London and then made a donation to a nonprofit in the US, GDPR applies to me with that transaction. I’m now residing in the EU. By the same token, if somebody from the EU is in the U.S. and makes a donation to a nonprofit, even though they’re an EU citizen, since the transaction takes place in the U.S., GDPR doesn’t apply. It’s a little bit complicated, but like I said it that today those

[00:12:30.46] spk_2:
those those are the exception. So let’s just deal with

[00:12:33.43] spk_5:
that at

[00:12:33.87] spk_2:
the mainstream. You’ve got an EU resident transacting from, from the European Union. Um, but let’s just assume all the EU residents are in the, the European Union for this conversation, right? None of them, they’re here. So

[00:14:01.36] spk_5:
So yeah, so if it applies, just to kind of get to, like, some of the things you want to do, I say, like, the low-hanging fruit if GDPR applies. The first thing is the website privacy policy. I’m gonna talk about that a little bit more later in terms of a general privacy policy, the importance of it. But for GDPR there is a separate, basically, GDPR notice that needs to list specific information, uh, to people from the EU, alerting them of their rights and some of the remedies they have. I tell organizations, if GDPR applies, the first thing you do is put a GDPR notice on your website. That’s something a regulator, is the first thing they’ll look at. If you have that, it’s already one box checked. That’s great. The other hurdle for a lot of nonprofits we work with is how to get, uh, what when someone wants to opt in. There’s no more opt out. Everything has to be an opt-in and has to be a very specific opt-in, and this is probably the biggest challenge for a lot of nonprofits. It’s a much higher bar for consent. I’ll give you an example. No longer can you have a check box, and the box says we are signing up to get email campaigns, periodic newsletters and other promotions. Even if they check that box, under GDPR that’s considered too broad, right? Every request for permission needs to be very specific. You need to be clear and affirmative and very moment, one of the biggest challenges for Not

[00:14:10.45] spk_2:
question. So give me an example of of a consent that is properly worded.

[00:14:21.74] spk_5:
I hereby consent to the processing of my personal data for the price Rose Christ or period. Not email newsletter, not general marketing purpose, for a specific purpose. A price store. You could also say, I hereby consent to the processing of my data for your monthly newsletter. Now let’s say three months later, you have a new newsletter or different. What you can no longer send them both newsletters. You don’t have consent for that. You now have to go back to get the consent. You get one try. They don’t respond, you can’t go back to them again.

[00:14:47.79] spk_2:
Cannot. You can’t go back to them again.

[00:14:49.92] spk_5:
No. Cannot. And there’s no grandfather clause either. So you know, a lot of people, at least a couple years ago, had all these names. They were wondering, what do we do? And you got one shot to go to these folks and say, hey, GDPR applies, we’d like to use your names this way, please respond. If you didn’t get a response, that said you can no longer market to these folks.

[00:15:30.84] spk_2:
Okay. All right. So you get one chance per each channel. Sort of. You don’t have to do it for each individual newsletter. I mean, individual mailing of the same newsletter. But But as you said, if you if you start a second newsletter on a different topic related to a different program, you’d have to get permission for that

[00:16:00.79] spk_5:
Exactly right. And then the people that you do have kind of on your roster that you’re allowed to work with in the EU, there are certain rights they have, and these rights have to be passed on to the vendors that nonprofits work with. These days, everything’s in the cloud. The odds are they’re using other folks that kind of help process this data. But anybody from the EU has the right of access. They have the right to know what you have about them. They have a right to erasure. They can ask you to delete their data at any time. You must comply within a certain period of time. They have the right to restrict processing. Yeah, you can use my data to give me a newsletter, but I don’t want to be in a cooperative where you’re sharing my name. Uh, they have the right, the right to data portability. Give me everything you have and provide, give it to this new provider. And they have the right to object to anything you’re doing with their data. And when we talk about the GDPR notice, the privacy policy, the privacy policy needs to kind of list all these rights for EU people. You usually

[00:16:28.40] spk_2:
all right. And that policy needs to be on your website.

[00:16:31.95] spk_5:
Yeah, just like a regular privacy policy. But it needs to be a separate notice. It needs to be on the website prominently displayed.

[00:16:48.14] spk_2:
Okay. When you get consent for the processing of data around a particular purpose, do you need to remind people about their rights? Give them all these rights to portability and erasure, et cetera, or just one time on the website?

[00:16:55.11] spk_5:
No, no, they need to be part of your privacy notice. You don’t need to remind them proactively, but it needs to be listed in your GDPR privacy notice.

[00:17:02.48] spk_2:
Privacy notice on your website.

[00:17:04.34] spk_4:
Yeah, right. Okay.

[00:17:05.86] spk_5:
And the fines are extremely high. Again, for small, mid-sized nonprofits with a very low interaction, I’m not concerned. Larger nonprofits should be a little bit more aware and concerned. And, you know, one of the things you also need to be aware of: third-party vendors. GDPR now makes nonprofits directly responsible and liable for the acts or omissions of the vendors that are holding the data on your behalf. So you now need to give all these vendors specific provisions. You’re mandated by GDPR, specific GDPR provisions that bind these vendors to basically support your efforts to comply with GDPR. So this is another hurdle.

[00:17:52.44] spk_2:
Okay. Um, all right, I would presume the largest vendors are acquainted with this by now, but you

[00:17:53.35] spk_5:
must have their own. Yeah,

[00:17:55.63] spk_2:
but you need to be proactive about ensuring that your vendors all do, whether small or large,

[00:18:00.84] spk_5:
Yeah, a lot of nonprofits use, it’s more of the small amount outside vendors, and they may have one in place, and the one they have in place might not be. You know, listen, everyone takes a different approach. The vendor who supplies their own will be much more friendly towards them, so they should still be reviewed and negotiated.

[00:18:16.79] spk_2:
All right, so you’re asking, are they GDPR compliant, when you’re querying your vendors?

[00:18:23.40] spk_5:
Exactly. That May should also bishop. There needs to be an addendum to any contract that you have in place. Just not to get too technical, but the nonprofit who collects it, who’s collecting the data, is called a data controller, right. They control the data. Their vendors who help process the data, so maybe a CRM system, a Blackbaud, for example, they would be considered a data processor. Ben should be processing the data on behalf of the nonprofit who owns the data. So a nonprofit as data controller has kind of a much higher bar of requirements to meet.

[00:19:03.14] spk_2:
All right. As long as you defined your terms, you keep yourself out of jargon. Jail on. All right. Um uh, Okay, well, there’s a New York law, but, you know, New York Shield, But our listeners are nationwide. So you want to just be much briefer about New York Shield just for our New York listeners?

[00:19:49.27] spk_5:
Yeah. Although New York Shield, Tony, just like GDPR, it doesn’t make a difference where you are. If you’re collecting information from New York residents, it applies to you. And I would argue, actually, it’s more important, because with GDPR there’s still a question how the EU will enforce it against a nonprofit who does not have offices in the EU. How that happens, nobody has seen yet. But, but let’s put that aside. The New York Shield Act gives the attorney general a public right of action. And certainly in New York, the New York Attorney General has a much further reach to go after nonprofits, whether they’re in New York or anywhere in the US, because we’re talking about the same country. So I would be, as a nonprofit, more concerned about New York Shield at this moment, first and foremost, and then worry about GDPR next.

[00:20:01.72] spk_2:
Oh, all right, do other states. California is a pretty activist state. Do they have something similar that applies to all their residents?

[00:20:33.26] spk_5:
California has one called CCPA, but right now it does not apply to nonprofits. It only would implicate nonprofits that have a for-profit wing or division, or they’re working with a for-profit where, for example, they’re getting data from a company that’s getting from messages in CCPA. The nonprofit should be concerned that that vendor who’s providing you that data has complied with CCPA. But other than that, it doesn’t really apply to nonprofits.

[00:20:35.61] spk_2:
Okay, any other states.

[00:21:29.34] spk_5:
Massachusetts has had something for a long time, not too dissimilar from New York. But you need me. I think people are kind of and there are other unless there are other ones in the works. Colorado has won about us looking to pass something at some point. With COVID-19, a lot of things are on the back burner, but at some point we could have federal legislation. And you know what I counsel with nonprofits, even when GDPR came out and they said it doesn’t apply to me, I said, even if it doesn’t, it probably makes sense to try to comply. First of all, everything’s moving towards greater accountability. Donors, employees are getting more sensitive about how their data’s being used, and starting to follow some of these protocols just makes the nonprofits better stewards of the information they collect. Another day, we want to do right by these donors, want to do right by our employees, the data we’re collecting. So following some of these protocols even if they don’t apply is a smart practice, because nobody wants unauthorized access to their systems.

[00:21:37.88] spk_2:
Okay, Okay. Um, the Massachusetts law is that limited to credit card information?

[00:22:05.54] spk_5:
No, let me call it. It’s a lot of different kinds of personal information, but has not been, I have not seen it really enforced. And a lot of organizations already have policies in place that kind of meet some of the obligations. And certainly if you’re, if you start to meet the New York Shield Act, which I think will be, will be enforced more vigorously, you’re probably OK on the, on the Massachusetts

[00:22:10.22] spk_2:
Front, and the Massachusetts front. Okay, so yeah, that’s, that’s true in a lot of cases, like if you can comply with the New York law, you’re covered in a lot of other states, because New York is so stringent. Um,

[00:22:22.40] spk_5:
I always say that you can make it here. You can make it anywhere. That was

[00:22:28.69] spk_2:
Okay. Uh, yeah, but hey was intact. Think Sinatra was intending much more favorable than the privacy compliance. All right, so what about New York Shield? You want to give us an overview of that? What, what we should be concerned about this thing? This is if we’re collecting data from New York residents, that right?

[00:24:00.98] spk_5:
Exactly. Yeah, but I would argue, I would think most nonprofits that do any kind of real online access and gather data or getting donations, you probably have a, you know, at least some amount from New York. But, you know, many may have a lot. So certainly ones working on the East Coast would probably have a lot of New York residents accessing their site and giving information. So that’s about one of things. It expands what constitutes a data breach, uh, basically lowers that bar as well. So in terms of when you have to report a data breach, let’s put that piece aside. But this happened the most important thing for nonprofits to keep in mind. Now where? Why was them that says it may an individual one. Employees are pleased to coordinate data security program. This is key because most organizations don’t have one. This is the old saying: if you don’t know where you’re going, all roads will take you there. And I’ve always counselled my nonprofit clients, if you don’t have somebody in charge of privacy, odds are nothing’s really happening on that front. So that’s good. This is a great example of even if you’re not collecting information of New York residents, you shouldn’t have a point person. Um, and what that point person needs to do is he needs to look at, based upon your size and attack the information to collecting, uh, that they have played a physical security tech technical security attacks, a compliance programs doing training were supposed to looking at vendor agreements and assessing risk. And now New York requires you to have certain provisions, reasonable provisions, in every vendor agreement that binds those vendors to doing the right things, the appropriate things in terms of protecting the data you collect euros exposes, sensitively destroyed data when you no longer needed. And again, I know for many clients this ridiculous some of my clients and many non prop assistants in daunting. It’s not as hard to comply as they might think.
And for some of our clients, I’m acting as that point person. It doesn’t have to be an employee. It just needs to be somebody. So I’ve come in organizations. I’ve looked at the left look of the vendor agreements. Let’s see how things are being protected. Let’s look if you’re doing training, just let’s look at your overall approach to privacy and even and give a kind of annual advice that would get them a long way to comply with New York Shield.

[00:25:04.84] spk_2:
Okay. Okay. Um, all right. And you know, good point also is you know, you said a few times Ah, it’s worthwhile to comply with these to the extent you can, even if you feel it doesn’t apply to you that the law may not apply, but it’s gets good practices.

[00:25:17.34] spk_5:
Yeah. I mean, listen, breaches typically happen from third-party vendors. That’s usually the case, because these days most people are using cloud providers or using third-party vendors to kind of hold this data. If a breach occurs, a vendor’s only obligation is to tell you, their client, that the breach occurred. Your obligation under law is to now notify all the donors whose data might have been compromised. There could be credit monitoring costs. There could be legal costs. There could be certain regulatory fines. So it’s, it’s, so for example, New York Shield requires you to look at these vendor agreements and have certain terms in there. That’s just a smart thing to do. Third-party vendor agreements are woefully one-sided in favour of the vendors. They’re the ones drafting it. And it just makes sense to review and negotiate these agreements. We can certainly talk about, like, five or six, uh, terms that should be in every vendor agreement you

[00:26:10.88] spk_4:
have. All right,

[00:26:11.21] spk_2:
You’re not gonna get too, ah, legalese on this, are you? I mean, I haven’t practiced, I haven’t practiced law since 1994, so

[00:26:19.35] spk_5:
I’m not

[00:26:20.09] spk_2:
gonna get technical for the non lawyer. The 99% of listeners who are not lawyers, right? Okay.

[00:27:12.94] spk_5:
You know, I can keep it very simple, just like. And I actually have a great checklist I’m happy, you know, to share with you, Tony. People could reach out to me, of things to keep in mind. But again, when you instill Ryan, you know, hopefully 98% of the time, everything goes swimmingly well, it’s never an issue. But when things go wrong, you kind of pull out the contract. And again, these contracts are very one-sided. I joke because, I mentioned before, I used to work for a very large software company where I drafted a portion of their, their client agreement. And then lately, I’ve had the opportunity to negotiate that agreement on behalf of clients. And I wind up rewriting the entire agreement and adding an extra 10 pages. And, and general counsel at this one company said, John, but you wrote the agreement you’re now changing. But I’m on the other side of the deal. It’s a whole, uh, so it’s not just what’s in the agreement that counts.

[00:27:20.67] spk_2:
Doesn’t, that doesn’t make you, that does not make you a hypocrite. People need to understand your allegiance at that time was different than your allegiance at the second time, when you were rewriting the agreement that you drafted the first time. You’re not a hypocrite.

[00:27:29.68] spk_5:
No, no, no. We call it advocacy.

[00:27:31.74] spk_2:
advocacy. That’s what we call it. I have forgot that.

[00:27:34.82] spk_5:
Yeah, I’m advocating, but recognizing. I

[00:27:59.74] spk_2:
mean, you’re advocating. Okay. All right. Wait. So let me, before you start ticking these things off, just tell listeners, so if they want to reach you, if somebody wants to get this, this checklist that you have, he’s John, J-O-N, at perlmanandperlman.com. And Perlman is P-E-R-L-M-A-N, not like the, like the gem or the stone. Whatever that, whatever pearls are, it’s not like that. Okay, John at perlmanandperlman.com. Okay, you got four, five, whatever, five things, six. And

[00:30:18.68] spk_5:
Get that quickly. Yeah, the first one is just the privacy of charity. You know, typically it will be one or two sentences: we’ll take commercially reasonable practices. No, in this day and age, and with New York Shield and GDPR, there are requirements that they need to get a lot more meat on the bone in regard to how a company will protect your information. So one of the elements you want to do is simply insert a lot of language that raises the bar again of what the vendor is supposed to be doing, and if they don’t do that and there’s a breach, now you have some kind of remedy, uh, to go back from. Limitation of liability. Every contract has it. It typically limits what a nonprofit can get if there is any kind of loss or damage, anything goes wrong. So often just six months of fees. You have to always negotiate that a kind of data breach, a data event, that should be uncapped, direct damages, so the nonprofit is fully covered. These terms are all negotiable. I often get it, but you have to ask for it. You don’t ask for it, you’re not getting it. Uh, uh, breach notification, really important. So if there’s a breach, I always put a section in that gets you both quick notification and gets you all the credit monitoring and all the other costs, regulatory fines, covered. I’ve never had a vendor say no to that in the end. It may take a few back and forth, you know, negotiation’s always a dance, but having breach notification and covered costs is essential. Two more: transition services. When you want to leave the vendor, it’s very hard to leave fried when you’re working with somebody like relationship kind of know who who see the is added. That might broker but becomes very difficult. But transition services basically bind the vendor to work with you for six months, and with your new vendor of choice, to make that transition seamless. Very important to have that obligation in there.
And finally, I would say, is, you know, during the courting stage, when you’re working with a vendor, you get a whole types of promises. You’ll get lots of marketing material. Here’s how the functionality, here are features you got, everything spray. When you sign the contract, you’ll notice that almost, there’s no mention, just nowhere to be found. One of the biggest things I find my clients have difficulty with is where someone over promises and under delivers. How do you prove that? It was not part of the contract. So all those kind of shiny marketing materials, all those handouts, all those things they give you, you have to attach that to the agreement, reference it. So when things don’t work out as planned, now you can show why there’s a breach and what you can get out of the agreement. Very important.

[00:33:11.64] spk_1:
We need to take a break. Cougar Mountain Software. Their accounting product, Denali, is built for nonprofits from the ground up. So you get an application that supports the way you work, that has the features you need, and exemplary support that understands the way you work. They have a free 60 day trial on the listener landing page at tony-dot-M.A.-slash-Pursuant. Now time for Tony’s Take Two. Take another breath. Doubling down on my advice from last week that you take some peaceful time. Um, whatever it is for you, if it’s napping, if it’s walks. Um, I’m not thinking of exercise. Exercise is important, but I’m not thinking of runs right now or home workouts. I’m thinking of peaceful, relaxed, calm time, putting your mind at ease. I’m talking like I’m trying to get, bring you down right now. I’m not. I’m just trying to give some ideas. This is not a meditation. That’s not a meditation minute. I did try a meditation class. I loved it, actually. Did something online with a woman who’s giving free meditation classes. Um, and for an hour, I was, I was under hypnosis, almost, almost. I was, uh, focused on breathing, where the breath comes in, where I feel it. Very valuable. So maybe for you, it’s meditation, and I have never done that before. So that was an unusual experience for me. But I loved it, and I hope to do some more with her. Whatever it is for you, you know, you know what it is. Take it, do it. Take the time for yourself. There’s a lot being asked of us that is unusual. And even if it’s more routine now than it was four, five, six weeks ago, it’s still stressful. We’re out of our routines, so be good to yourself. Self care, right, self care. Take care of yourself. Do it each day. You deserve it. Please do it. That is Tony’s Take Two. Now back to data privacy practices.

[00:33:22.92] spk_2:
All right, if you were on both sides of this, arguing, because you said it’s a dance, right? So suppose you were on both sides. Which side would you? Which side would you give in and which side would win?

[00:34:09.68] spk_5:
You know, it’s funny, because I do represent, we have. We have clients that are often vendors. I think I’m very fair in Middle Road. I think, you know, given eight hours of myself come help with very for both sides. But you, Tony, that’s a great example of Give you an answer. The limitation of liability. I always think there should be reasonable carve-outs. It shouldn’t be a car about unlimited liability again. It’s what offended would owe you. Something goes wrong. It shouldn’t be that anything goes wrong no matter what, even if it’s not their fault, they should pay you. So, for example, there’s a data breach. But they did everything they were supposed to do when they were so got hacked. That should not be uncapped. But I wait at my rivers, my clients, I I agree with that. But if they do something wrong and there’s a breach, their fault, that’s beyond cap. What side of the Delamontagne? I’m always gonna push for both those.

[00:34:25.18] spk_2:
Okay. Okay. Eight hours with myself. I don’t know. I don’t know where I would go. I don’t want Oh, it’s not for public consumption, I’m sure. Um all right, so so is it. Is that what you say?

[00:34:36.09] spk_5:
I was thinking apocalypse. Now, that’s what happens when you have too much time on your

[00:34:44.04] spk_2:
OK. All right. Well, I was only R-rated. All right, um, so it sounds like the difference. Maybe I’m getting too legalese now. It sounds like a difference between negligence, gross negligence and recklessness or something like that.

[00:35:21.99] spk_5:
Yeah, way. We’ll definitely end illegally. So I won’t go there. But those things are just sink. Since the name that contact get the most important thing for anybody listening is you need to have somebody review these agreements. Just don’t sign them. They’re always negotiable. Hopefully, you want somebody. And here is my biggest right. When I was at a black bond. Other companies that sometimes a lawyer who did not know, understand technology, I wouldn’t really know what to ask, wouldn’t know how to mark up the agreement. Make sure whoever you work with understands, right? They need to know what you’re getting, what the solution is, to hopefully kind of protect your interests. So that would be like, he just have somebody who knows what they’re doing with you, negotiating on your behalf.

[00:35:37.56] spk_2:
Okay. Cool. All right. Um, what else could we be looking at in this in this arena that can can protect us.

[00:37:17.21] spk_5:
Yeah. I’m gonna get you less than every nonprofit. If they don’t have, they should do immediately. That you have to think about updating. Are just checking in One is a plot privacy policy website. Privacy policies. Still a lot of nonprofits don’t have them. If you have them, they’ve all from two drafted years ago. They have been updated. So the number of persons do is looking a privacy policy. Make sure it’s been updated. Last year, I would say it’s the transparency is the most important key. Do what you say, say what you do. Uh, in terms of the data you collect, you could almost, almost do anything you want with it, if you’re transparent about it. You want to add you want oh, care with advertisers? Sure. You want to do you a cooperative? Fine. You want to even sell it? That’s often be possible. But you need to disclose that when somebody gives you the data. So having an up-to-date privacy policy is really key. If something goes wrong and people looking for privacy policy and you didn’t disclose some of the ways you were sharing, and that’s where the data was lost to be a very big not only legal ramifications. Bobby CPR head. And even if we have a privacy policy and they need to be updated because things change all the time. What you were doing for years to the day, both in the back end in terms of how you’re analyzing, in the front end, has changed. GDPR would be an example in Europe, Shield. A lot of these things require certain statements in the privacy policy. Is your number one. Get a privacy policy. Make sure it’s updated. Make sure it’s accurate. Number two. You should also, in terms of use, terms of service that basically protects the organization, the views and don’t sweep it, then join your website. Very important, Uh, you know, what does that come from? Our what

[00:37:19.77] spk_2:
does that cover in terms of use in terms of service for website were just what does that cover what kind of

[00:37:24.71] spk_5:
anything anybody might do on the website in terms of making donations. When the rules, if you have a blog, people post content. Or they can take your content, things that can and can’t do in the protection organization from a lot of different kind of legal claims. Just a kind of a standard document every nonprofit should

[00:37:40.00] spk_4:
have. Okay, Okay. Is that

[00:37:42.11] spk_2:
public to Is that on the website turned

[00:40:12.61] spk_5:
to use an exit privacy policy. Okay. Okay. Now a lot of Charity Navigator, uh, recommends that you actually have a separate donor privacy policy. Just why I read their privacy policy typically only covers when you collect online, they recommend to get the four stars that you have a separate donor privacy that speaks specifically to the information you collect from donors both offline and online. So some might want consider whether it makes sense to have a separately for a donor policy and a separate link for a privacy policy. Just like just why there, uh, we talk about vendors being an issue. So way kind of crossed that box. Look, pull out all your vendor agreements, see if you’re covered. It’s not when they come up for dual negotiate, I would say annually, no. Once a few years, you should do a privacy audit. That’s more formal process where I typically even organization lots of different questions. All their different practices later the cyber security and privacy. And we see where the gaps are. But, you know, one thing I do is kind of a simple one is kind of member. The five W’s and the H. You’re kind of doing news. Recording the five question the six questions asked. They call the five W’s. What? Remember the what, why, who, where, when and the how. So what is what data we’re collecting? A lot of organizations don’t understand all the data they’re collecting, so get a handle. What data is your collecting? Why, why? You clicked on the state of more many organizations like more David, I need more data. You have the work more risk. You have rights. Only collect the data you need. Who has access to the data again. People should only have access to the PII, personally identifiable information you collect, who need to have that access. More people have access, the more things that could go wrong. Where? Where’s the data stored? It’s an offline. Are they locked in? Cabinets are there, you know, with vendors. Have it. Are there volunteers? 
You have access to it. So where is the data stored? When? When is the data deleted? We’ll talk about that a couple minutes. But you should only keep data for as long as you need it, and know lots of nonprofit clients get data for years and years. Even if somebody, for example, is and donated 10 years. The more data you keep, the more risk of presidents a loss. And then how. How is the data being protected, like in terms of all that, when the data’s being kept, how is it being protected? Really important question. You kind of answer all those questions is initial step. You’ve already gone a lot further than a lot of organizations and and kind of being better stewards. That information you collect, uh,

[00:40:13.35] spk_2:
On the, um, May 12th, 2017 show, I had a guest on talking about cybersecurity insurance.

[00:40:27.61] spk_5:
Yeah,

[00:40:35.61] spk_2:
so now, so listeners could go back to that 5 12 17 show. You can get a lot more detail there because we spent the whole half hour talking just about insurance. But what? What are some key things you want to say about what cyber insurance could protect you against?

[00:42:00.94] spk_5:
You should definitely have a cybersecurity policy with two things. You should make sure your vendor has a cyber security policy. It should be large enough to protect you if something went wrong. So for these bigger vendors, that should be a minimum five million anywhere from 10 to 20 million. You should be named as what they call an additional insured on the vendor’s policy. So you have a direct right and claim against their policy. Putting that aside you non toughest wanna have their own cyber security policy. Okay, they won’t have a policy that basically match the company’s risk that organizations risk that kind of work. They do. You need to make sure has the specific terms that that cover that organization. I’ll give you a great example. We have one plane, very large nonprofit. Had a head of non had a cyber security policy. They were paying over $100,000 a year for I read through it my joy is released. Things it didn’t apply to them. It was a cybersecurity policy for a service provider, not for a organization using service providers. So they had to get a new policy. Has something happened? They would have been covered. So I know people hate these policies along their involved, but somebody should read them before you sign them. Work with a good agent that have your attorney be the policy. But every organization listening should have their own cyber security policy a minimum of one million up to depends on the amount of data collecting, uh, you know, on an annual basis in the kind of transactions were doing.

[00:42:23.60] spk_2:
We all hate insurance, but you know, whether it’s auto or homeowners air, I got flood and wind, and but, you know, it’s peace of mind. So and all the, you know, all the headlines we see. I mean, this stuff can apply to you as well. Like, like we’re talking about. So, uh, you’re not, you’re not. Yeah, you’re not. You’re not free because you’re nonprofit or you’re not, uh, safe.

[00:43:15.62] spk_5:
Yep. It’s all over. When There That you should have one is a data retention and destruction plan. And, you know, this goes back to some of the questions we’re talking about. A data audit you only want keep data for as long as you need it and you want to make sure get rid of it the right way right away. That really destroys the data. So if you have your organization doesn’t have one. You really want a formal data retention destruction plan? By the way, if I didn’t mention it to your killer app requires you that have that a place. So again, you need to think about it. It’s a good practicing of New York shoulders, and if I every organization should have it. Also, business continuity plan. You know, this has come up a lot with COVID-19. You know, organization should have a plan in place when something China’s for profit happens, it would. You know, this pandemic was challenging forgiven organizations who had a plan. And I think now we’re over advising plans to take into account the sites of things. But you should have a plan if, you know, one of your critical providers goes down. If there’s a data breach, who do you call? You know. How do you respond? New York Shield activity are required Response in a very short period of time. Tony, Order Gate to kind of mitigating organizational damage is the damage that can occur. You need to do the right things early on. So having that in place to support

[00:43:43.94] spk_2:
Is this, is this the same as a disaster recovery plan? Is that what

[00:43:47.66] spk_5:
you say? Yeah.

[00:43:48.11] spk_4:
Okay.

[00:44:07.99] spk_1:
Time for our last break. Turn to communications. They’re former journalists. So you get help getting your message through. It is possible to be heard through the coronavirus cacophony. They know exactly what to do to make it happen. The turn hyphen two dot ceo we’ve got but loads more time for data privacy practices.

[00:44:51.06] spk_2:
I had a whole show Are I have to show half an hour on disaster recovery plans. I don’t remember the date, but, um, the guest was Dar, D-A-R, Veverka, V-E-V-E-R-K-A, Dar Veverka, choose from one of the nonprofit technology conference shows. So if you go to tony-martignetti dot com when you’re looking for the 5 12 17 show on cyber insurance, that one I did, I did get the date on that one. This, ah, this one don’t have the date. But the guest was Dar Veverka on disaster recovery plans, including, including sometimes that alternate locations. Even depending how bad the disaster is, you might need a backup location. Do you have that in place?

[00:44:59.89] spk_5:
Yeah, and usually that’s for the vendors. Using someone hosting they should have that in place. But released are nonprofits. It’s more cola called when something bad happens. You know, what are the steps you take to mitigate and to remedy.

[00:45:16.49] spk_4:
Okay. Okay. Um

[00:45:17.46] spk_5:
and then, Tony, one other thing I’ll add is, you know, a lot of people in this goes to people working from home. It’s even more important. But a lot will use their own devices. Your own PC, sometimes accessing work stuff. You want to have what they call the BYOD policy. Bring your own device to work one of the views. And, Jones, if you’re accessing information from your personal phone, from your computer, what are you allowed to do when you What is it you shouldn’t do? A lot of this is just good training.

[00:45:53.59] spk_2:
Yeah, whether right. Whether even allowed to use your own device. But then there has to be a nonprofit-provided device and all right, what about? So this is you mentioned that? What about other? We have other data privacy concerns. I’m sure we do around, ah, distributed workforce. And, you know, I think they’re gonna be changes to do work life, and there may, there may be a lot more remote employees going forward than we’re accustomed to just two months ago. So what about this? Having a more distributed workforce and around data privacy?

[00:47:38.88] spk_5:
Yeah, exactly. I kind of when I think about COVID-19 have been speaking about There was a philosopher and physicist, Thomas Kuhn, and he had a term paradigm shift that, you know, once in a while, once a couple 100 years, is that is a paradigm shift that changed the way we think of the world. You know, Not Newton Newton’s right. What was a paradigm shift? Mechanics. The paradigm shift and you don’t usually know is a paradigm shift until after it happens. Kind of like a recession. You can’t look back. I certainly think COVID-19 at least in the short term and made the lumber could be, you know, paradigm shift. The way we’re approaching work, when we approach our, our lives outside of work has changed dramatically. And there’s challenges with that. Sure, only people working from home, uh, heightens the risk associated with, with data breach and unauthorized access. I’ve talked to my colleagues that been studies. The amount of research that happened have gone up dramatically. I don’t know about you, Tony, but literally every week I get emails from CBS Chase Bank Wal Mart over Me gift card. Tell me to click on a link. It looks like it’s CBs dot com, but look, the sub tomato. It’s nothing like that. Exactly. When people working from home, they’re not. They just can’t be as safe. So there are a lot of things digital kind of a 10 to Now that we have a remote workforce, Uh, like what? What’s that?

[00:47:39.46] spk_2:
Yeah, OK, I think we’re gonna go onto something else. Yeah, Like what?

[00:48:06.94] spk_5:
I don’t know. I can tell you. So you want to review if you have policies in place, review them. You don’t have policies in place. You need to kind of tell folks what’s expected of them when I’m working from home. Uh, need to communicate. You can’t over to communicate on these types of things. Training, annual training would be helpful, but you’re a few of the things that could go wrong. A lot of folks transfer, transfer organizational data to their email accounts and send it to themselves. A commercial email account has a lot more protections in a personal email account. If they’re sending things from the from of the organization and downloading from emails, they should delete that email as soon as they get the day that they no longer need it. So don’t keep that in your emails that that could be hacked later on, uh, using personal cloud stores storage. Is that not all the same? Make sure the ones they’re using are secure. Physical document management. You know, we always think about digital data, but a lot of people bringing things from their office home and as a physical document, how is that being kept it when it’s all over leading houses being destroyed, it should be left in a car to be shredded. So let’s not. Let’s not forget about the security of physical documents, unsecured connections to employers. If they’re not using VPN, that could be a problem. You need to make sure that people are accessing organizational information in a smart way.

[00:48:56.27] spk_4:
Yeah, that one.

[00:48:56.95] spk_2:
That that’s you. That’s where you have to look to your Internet service provider, right for the for the security that they’re providing on on your connection.

[00:49:42.97] spk_5:
Well, here’s the thing. That’s, that’s about your home router. Personal, public routers. Let’s talk about personal. People have personal router. You come into my home and you access, trying to access my Internet, you need a 13 digit pass code. Most people don’t do that when they’re working from home. A lot of people keeping unsecured network. So would you recommend anybody work home should basically activate their router firewall and, you know, and utilize malware on their computers and and make, make everything password protected. So that’s a great example of you. Don’t people think I’m home, who’s gonna access my information? That could be easily hacked, your home router?

[00:49:48.43] spk_2:
Yeah, okay. On our malware protection so that I mean, that’s something that the employees would have to subscribe to.

[00:49:55.27] spk_5:
Well, yeah. So we’re talking about non working shooters, right? Way are Yeah. You’re

[00:50:12.35] spk_2:
in your home? Yeah. I’m not writing home. I have next ride to where the company has got. The organization has to pay me to subscribe to, uh, Malwarebytes or something. One of the malware protection companies. Well, we’re in three Norton 360 policies. Something like

[00:50:16.50] spk_5:
that. Yeah, well, working organization. But some of these things, like every router, comes with the ability to put, put a password on it. So some of these things are just reminding employees and training them on best practices. Are you working from home here? Like the 10 tips you should be keeping in mind. Remind them about from time to time. A lot of, a lot of unauthorized access and data breaches. A large percentage could be avoided with just some kind of smart computing practices.

[00:50:58.80] spk_2:
Okay. Okay. Yeah, there’s, I think they’re gonna be a lot more people working from home a year from now than there were in 2019. Um, I mean, including on the employee side. I’ve heard from a few people that they like working from home. No. And there have been there. I just saw, I just saw study, some research, like yesterday or something, but we’re more productive when we’re working from home

[00:51:08.93] spk_5:
back. I

[00:51:45.12] spk_2:
don’t. Well, there’s a lot of reasons. Plus, it’s better for the environment. You save commuting costs, you save gas or public transit. We’re keeping people off the roads. It’s safer. Better for the environment. Yeah, there’s a lot of advantages. All right. Um, I’m, you know, I’m a neophyte in all these things, but I know how to read. I can read and regurgitate. I’m like, I’m, like, a, like a billboard that you put something on my forehead and then you can read it off my forehead. That’s, that’s my role. Um, all right, so we got, like, another three minutes or so, roughly. You want to leave us with? Yeah, I think you have some, some resources, tools you can recommend.

[00:51:51.86] spk_5:
You know, I actually, I have a lot of different checklists. You said you’re a billboard on a checklist maker s. So I have a variety demand check checklist related to both data data. Privacy on its GDPR policies which should be in there. Your privacy policy. What elements should be in there? No. People always ask me, Tony, can you just give me privacy policy and, like, know who’s that? Privacy policy describes what you do. You know the worst thing that you take somebody else’s privacy policy from another website. A is copyright infringement, but it never fits where you’re doing. So I can give you a list, for example, elements that need to be every privacy policy. But how you address those, for example, depends upon what your organization is doing with the data. How is it looking at in the back end? How is this sharing, what third party better is really working with? So a lot of my resources are kind of best practices and tips. I’m happy. I know you get my email just before I’m strictly looking access. But what’s like? I’m happy to kind of, you know, give me some people toe, depending on their needs. Anything we talked about today, there’s a checklist for that.

[00:52:51.88] spk_2:
Uh, these aren’t on the check the silent on the Perlman website, though

[00:52:56.55] spk_5:
I don’t think we posted on the website. Typically, I like to hear what the client needs. Just before, I kind of threw out checklist because, you know, sometimes a lot of information to be overwhelming.

[00:53:14.11] spk_2:
Okay, so, John, at permanent perlman dot com. Um, all right, John. I mean, uh, is there anything you want, toe? I’ll give you a chance to close. And you want to close with?

[00:53:20.65] spk_5:
No, this is again. Thank you for the opportunity. I started, I think, our conversations saying that, you know, what I’ve seen, it’s nonprofits have really kind of lagged for profits and kind of, you know, taking some of these precautions. A lot of things you talk about are simply achieved. It takes a little time, little commitment, but taking some of these small steps go a long way and come and you know you can never take it. You know, data breach or unauthorized access off the table. But you can certainly kind of mitigate risks and be better stewards of the data you’re collecting on behalf of her donors. So I hope this was helpful again. And I love kind of counseling our clients on these types of information the sets of policies of because I know it puts them in better stead.

[00:54:46.34] spk_2:
Yeah. All right. John Janet Perlman and roman dot com. Thank you very much for doing that, John. Thank you for sharing. My pleasure. Next week, Maria Simple returns, plus a 20 NTC panel. If you missed any part of today’s show, I beseech you, find it on tony-martignetti dot com. We’re sponsored by wegner-C.P.As, guiding you beyond the numbers. Wegner-C.P.As dot com. By Cougar Mountain Software. Denali Fund is their complete accounting solution made for nonprofits. tony-dot-M.A.-slash-Pursuant Mountain for a free 60 day trial. And by turned to communications, PR and content for nonprofits, your story is their mission. Turn hyphen. Two dot ceo Creative producer

[00:55:27.10] spk_0:
is clear. Meyer off. I did the postproduction. Sam Liebowitz managed the stream. Shows social media is by Susan Chavez. Mark Silverman is our web guy, and this music is by Scott Stein of Brooklyn. You with me next week for Nonprofit Radio, big nonprofit ideas for the other 95%. Go out and be great. Talking alternative radio 24 hours a day.