Cyber regulations and data protection: What volunteer boards need to know
As a mission-driven organization, valuable data courses through the pixels and networks of your operations each day, including budgets, financials and the personal details of your donors, employees, volunteers and beneficiaries.
Cyber criminals are all too aware — and all too ready to make your good cause their next target. When they succeed, there’s a lot at stake: your reputation, stakeholder trust, funding requirements and regulatory compliance with a growing array of international and national policies.
As regulators respond to today’s newest technologies and fast-evolving cyber threats — and place increasing focus on cyber resilience — organizations are being tasked to improve their ability to withstand, then quickly recover from, cybersecurity incidents and to raise cybersecurity standards in key industries and their supply chains.
Large organizations may be making positive gains in cyber resilience, but many smaller ones are increasingly overwhelmed and experiencing an unfortunate decline. This means they are unable to prevent critical disruptions to their operations from a cyber incident and can incur disproportionate impact on their reputation and bottom line as they recover.
Data protection obligations such as those mandated by the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act have been just the beginning of what organizational leadership needs to know.
Are volunteer board members up to speed on new laws governing data protection, including management accountability and notification obligations in the event of a significant cybersecurity incident or data breach? Do they know the right questions to ask IT leads and department heads about systems, safeguards, crisis response plans and staff training, in order to effectively perform due diligence and maintain regulatory and contractual compliance?
This practical guide will help you answer yes to both of these questions and more, offering:
- Recent regulatory developments by region
- Next steps for putting this knowledge to work
- Insights on staying ahead of change and risk, including ways technology can help
Cybersecurity and data protection regulations worldwide
AMERICAS
United States
At the federal level, nonprofits should be mindful of policies like the Cyber Incident Reporting for Critical Infrastructure Act of 2022, which mandates reporting of cyber incidents and ransomware payments. Check to see whether these requirements apply to your operations.
Nonprofits should also regularly check state laws about handling, storing and disposing of personally identifiable information, and requirements for notifying individuals in the event of a breach. Across individual states, there are many different nuances, approaches and levels of maturity, and the landscape is always changing.
While some states (Connecticut, Florida and Virginia, for example) include nonprofit exemptions in their data privacy laws, many, such as Oregon and Minnesota, do not. Also watch for language like “control or process personal data,” which determines applicability in states like Montana and Maryland. The Colorado Privacy Act (CPA), for example, applies to organizations that process the personal data of more than 100,000 individuals in any calendar year, including nonprofits.
The CPA also includes service providers, contractors and vendors that manage, maintain or provide services relating to the data on behalf of these companies, so it’s important to vet third-party fundraising or database services as well. As an example, while the California Consumer Privacy Act does not “generally” apply to nonprofits, for-profit data brokers of a certain size and level of revenue do fall within its oversight. In New Jersey, state law covers how data brokers get the information they sell and gives consumers the right to opt out of the processing of their data.
Nonprofits providing health services, like a community hospital or health center, have special cybersecurity and data protection concerns, starting with the intricacies of HIPAA and the HITECH Act at the federal level and a patchwork of legislation by states. For example, it’s important for Connecticut-based charities to know that the nonprofit exemptions in the Connecticut Data Privacy Act do not extend to organizations that deal in consumer health data.
Nonprofits operating in the financial space, like credit unions, should be familiar with the Safeguards Rule of the Gramm-Leach-Bliley Act, which calls for security and confidentiality around consumer data, and with state data protection laws like those in Nebraska, which exempt nonprofits but include provisions for banking activities.
Finally, a nonprofit doesn’t have to be based in the EU for GDPR rules to apply. Extraterritoriality applies. If your organization raises money in the European Union or collects personal data about EU citizens, you should check to see if these activities fall within GDPR oversight. And any organization that deals with federal grant programs should read up on, and check compliance with, the Federal Information Security Modernization Act (FISMA).
Europe
UK
Cybercrime is another hot spot for UK regulators. In late 2024, the Charity Commission released refreshed guidance on protecting against cybercrime and fraud, based on hundreds of cases.
The Commission requires charities to report serious incidents of fraud, cybercrime and money laundering and provides a helpful guide for knowing what to report.
Charities in the UK must also recognize that UK data protection requirements for protecting personal data and stringent timelines for reporting breaches apply to them, as do the fines and reputational damage that result from non-compliance.
Ireland/EU
In Ireland and across the EU, trustees should have the EU’s NIS2 Directive, and the requirement to transpose NIS2 into national law, on their radars. Specifically, does this updated EU directive apply to their organization?
NGOs may still fall under its scope depending on the nature of their activities and their role in providing services. The updated directive now applies to both public and private organizations defined as important or essential entities in 18 critical sectors (an expansion from the previous seven). Organizations with a health, digital infrastructure, ICT service management or manufacturing component to their operations may be more likely to fall under NIS2 oversight.
With the goal of achieving a higher level of cybersecurity and cyber resilience across the EU, NIS2 provides a list of measures for security risk management that applicable organizations should implement to protect their networks and information systems. Affected organizations may have new obligations for effective cybersecurity oversight at the highest leadership levels, supply chain management and reporting cybersecurity incidents.
Irish charities should also be familiar with their obligations under Regulation (EU) 2018/1725, which requires “all European institutions and bodies” to report “certain types of personal data breaches” to the European Data Protection Supervisor (EDPS) “within 72 hours of becoming aware of the breach, where feasible.” Charities are also required to inform “without unnecessary delay” individuals who are affected, “if the breach is likely to pose a high risk of adversely affecting individuals’ rights and freedoms.”
The EDPS provides helpful resources and forms for next steps on its website.
Organizations delivering financial services should be mindful of the Digital Operational Resilience Act (DORA), and those using artificial intelligence in their operations should ensure they understand the compliance requirements under the EU AI Act, including the key dates of its implementation timeline.
Switzerland
Switzerland does not fall within EU regulatory oversight; however, its cyber and data protection laws are following in the footsteps of GDPR and other EU legislation.
In 2023, Switzerland implemented an updated Federal Act on Data Protection (revFADP) that aligns very closely with the EU’s GDPR, aiming to facilitate the free flow of data between Switzerland and the EU and to maintain the EU’s recognition of Switzerland as providing an adequate level of data protection.
As of April 2025, under the amended Information Security Act (ISA) read with the Cybersecurity Ordinance (CSO), “operators of critical infrastructure” will be required to report cyberattacks to the Federal Office for Cybersecurity (OFCS) — formerly the National Cyber Security Centre — within 24 hours of discovery. A full report is then due within 14 days.
Mission-driven organizations operating here should familiarize themselves with this requirement, along with a new CSO detailing exceptions and provisions for implementation.
“The introduction of a reporting requirement that includes multiple sectors is a milestone for cybersecurity in Switzerland,” the Swiss government declared, adding that this requirement “is in line with international standards.”
Internal harmonization is a goal as well — something that public universities and mission-driven organizations in finance and healthcare, with other regulatory obligations, might appreciate.
“The NCSC's reporting form makes it possible to collect the necessary information quickly and, if required, to forward it to other authorities to which there is also a reporting obligation, such as the Swiss Financial Market Supervisory Authority (FINMA) or the Federal Data Protection and Information Commissioner,” the Swiss government notes.
South Africa
In April 2025, South Africa made a big shift in how it governs and oversees data protection. The government now requires organizations to report data breaches and security compromises via an online eServices Portal.
Nigeria
Charities and nonprofits in Nigeria should pay close attention to new developments in the regulatory landscape. The 2023 Data Protection Act expands the definition of sensitive data, adds “legitimate interest” as a legal basis for data processing and protects individuals “from decisions based solely on automated processing.”
Of interest to both organizations and the third parties they work with, data processors and controllers “of major importance” are required to register with the Nigeria Data Protection Commission (NDPC). Criteria for this designation include processing data from more than 200 individuals within six months, provisioning commercial tech services on third-party devices and handling confidential data in a fiduciary capacity.
Ghana
Under the 2012 Data Protection Act, data controllers in Ghana are required to register with the Data Protection Commission and are obligated to ensure data accuracy and accountability. Individuals have the right to correct and delete their data and restrict the processing of sensitive information.
International frameworks guide much of Ghana’s cyber oversight. In recent years, the government has signed the Budapest Convention on cybercrime, adopted the African Union Data Policy Framework and ratified the African Union Convention on Cyber Security and Personal Data Protection.
Tanzania
Tanzania currently governs the management of personal data through the EPOCA Act. Charities operating here should also be aware of a dedicated data protection bill that offers clear guidelines for data handling and protection, in alignment with international standards like the GDPR.
Botswana
In 2024, Botswana enacted the Data Protection Act, which updates previous legislation with new obligations for data controllers and processors.
Lesotho
Efforts to update and expand upon the Data Protection Act of 2013 are currently in limbo. A proposed Computer Crimes and Cyber Bill aims to establish both a national advisory council for guidance and a national incident response team for warnings and incident response. Yet some critics argue that the bill’s provisions protect those in power and threaten free speech.
Zimbabwe
Organizations handling personal data in Zimbabwe should be familiar with Statutory Instrument 155 on cyber and data protection. Passed in 2024, it regulates data processing and security and, importantly, requires entities handling personal data to hold a current, valid license as a data controller.
Namibia
Charities and nonprofits in Namibia should not wait for official legislation to enact strong protections and practices. Major legislation like the Cybercrime Bill and Data Protection Bill remain under deliberation as cyber attacks abound, including a sizable breach at Telecom Namibia.
“While Namibia is still in the process of finalising its approach, cybercriminals continue to exploit weak security systems, outdated controls, and untrained employees, leaving both private businesses and government entities exposed,” the Windhoek Observer reported.
Uganda
In Uganda, a national framework provides guidance for protecting critical infrastructure, fostering a trusted digital economy and governing it all: the Ugandan National Cybersecurity Strategy 2022-2026. Implementation on the ground involves sector-specific computer security incident response teams (CSIRT) and a central register of cyber incidents.
Malawi
In Malawi, a number of policies and authorities interact to provide governance over cybersecurity and data protection. These include:
- The 2016 Electronic Transactions and Cyber Security Act, established to promote trust in digital transactions.
- The 2024 Data Protection Act, which focuses on safeguarding personal data and establishes the Malawi Data Protection Authority for enforcement.
- The National Digitalization Policy, which delivers guidance on secure digital services, cyber resilience and robust data security.
- A National Cyber Security Policy, addressing ransomware and crimes related to cryptocurrency.
- The National CERT, which helps coordinate cybersecurity awareness and incident response across sectors.
Middle East
United Arab Emirates
As international investment and global partnerships multiply across the United Arab Emirates (UAE), mission-driven organizations should familiarize themselves with the National Information Assurance Regulation, overseen by the Signals Intelligence Agency (SIA), and the nation’s federal and financial free zone data protection laws.
Some emirates have their own robust cybersecurity laws, such as the Dubai Electronic Security Center’s (DESC) Information Security Regulation (recently updated). Two of the region’s financial hubs, the Dubai International Financial Centre (DIFC) and Abu Dhabi Global Market (ADGM), operate under a mature data protection regime and maintain abundant resources for affected organizations.
The UAE also implemented the first government Ministry of AI in the world, and its National Strategy for Artificial Intelligence 2031 and UAE Charter for the Development and Use of AI stand as trendsetting examples of responsible AI governance.
Saudi Arabia
In the Kingdom of Saudi Arabia (KSA), mission-driven organizations should first turn to the Essential Cybersecurity Controls updated in 2023. These implement 114 specific guidelines and limitations across five major security domains. They are complemented by a strong Personal Data Protection Law that overlaps with the GDPR’s requirements in many areas.
The nation’s Capital Market Authority (CMA) also issues cybersecurity guidelines for financial institutions, as does the Saudi Arabian Monetary Authority (SAMA) through its Cyber Security Framework.
Like the UAE, KSA benefits from a forward-looking Saudi Data and AI Authority (SDAIA) issuing innovative AI governance rules and regulations, most notably their 2024 AI Adoption Framework.
Qatar
Qatar’s national office of Cyber Governance and Assurance Affairs oversees its data protection law, which follows similar laws elsewhere in promoting transparency and protecting personal information held by institutions, as well as enshrining a right to request the erasure of one’s personal data with the submission of a formal request.
Bahrain
In Bahrain, a robust data protection law sits within a network of other protections and privacy controls. Like laws emerging in other countries, it includes core rights to consent before personal data are collected and to have personal data stored in a secure, identity-protective environment.
Asia-Pacific
Singapore
In Singapore, the Cyber Security Agency (CSA) both sets national standards for data protection (“Cyber Essentials”) and provides resources for their implementation. These include a Cybersecurity Health Check self-assessment for evaluating programs, benchmarking against peers and addressing gaps.
Australia
The Australian Charities and Not-for-profits Commission (ACNC), the national body that oversees these mission-driven organizations in Australia, includes cybersecurity as a component of its compliance reviews.
The ACNC review process covers policies and procedures for cyber risk management, incident response, training and handling of “sensitive and personal information the charity holds.” ACNC also considers the broader picture, including activities that could make an organization vulnerable to cyber and security risks, financial risks that arise from cyber vulnerabilities and third-party risk management practices.
In the event of a data breach (“when personal information an organisation or agency holds is lost or subjected to unauthorised access or disclosure”), the Notifiable Data Breaches (NDB) scheme requires an organization to “promptly notify any individual at risk of serious harm,” along with the Office of the Australian Information Commissioner. Notifications must include:
- A description of the data breach and the information involved
- Recommendations for steps individuals can take in response
- The organization’s contact information
New Zealand
Under the Privacy Act 2020, all New Zealanders, “regardless of age or circumstances,” have a right to know when their information is being collected, how it is being used and shared and that it is being kept safe and secure. To comply, nonprofits and charities in New Zealand should be familiar with the Act’s 13 privacy principles covering data collection, storage and use.
And they should be very familiar with the Act’s definition of and requirements for a privacy breach. An incident qualifies, according to the New Zealand Privacy Commissioner, “when an organisation or individual either intentionally or accidentally provides unauthorised or accidental access to someone's personal information or discloses, alters, loses or destroys someone's personal information,” as well as “when someone is unable to access their personal information due to, for example, their account being hacked.”
“Our expectation is that a breach notification should be made to our Office no later than 72 hours after agencies are aware of a notifiable privacy breach,” the Commissioner declares.
Key takeaways and next steps
For mission-driven organizations and their volunteer trustees and directors, the message is clear: regulators worldwide are making cybersecurity resilience and data protection a priority, so these areas need to be at the top of your agenda as well, now and as the landscape evolves.
Another area to keep a close eye on: Emerging legal frameworks for AI governance. With both the economic potential and the operational risks of LLM tools increasingly well understood, governments are moving fast on novel regulations for this now-ubiquitous technology. Expect regulatory bodies to seek pragmatic policies that protect fundamental rights while allowing organizations to take advantage of the productivity boons AI can offer — as well as its transformative potential.
The previous section’s highlights and resources provide a solid starting point. But your specific cybersecurity and data protection plan will need to check its own legal boxes.
Our advice:
- See where your own organization stands in terms of the data it collects, the digital systems that bring your mission to life and how everything is protected.
- Identify your strengths, weaknesses, opportunities and threats.
- Keep current with evolving risks, emerging technologies and governance best practices.
- Assess your board’s cyber knowledge and oversight processes. Are leaders able to ask tech leaders the right questions? Can they synthesize the answers and communicate their findings clearly and succinctly to regulators, funders and community stakeholders?
- Develop an AI literacy program for boardrooms, leadership teams and employees to help build a culture of responsible and ethical AI use. Check for alignment and compliance with AI governance laws and guidance where the organization operates now and plans to operate in the future.
- Bring in your legal advisor or outside counsel early and hire outside help when you need it.
“Cybersecurity is not something that just impacts big companies. It impacts really all of us at an individual level and on an organizational level and nonprofit organizations are very much in the crosshairs of cyber criminals.” – Dottie Schindlinger, Executive Director, Diligent Institute
More useful resources
Now that you have a feel for the regulatory landscape and next steps, here are some resources for doing the work.
How to make your board cyber ready digs deeper into skills (recruiting and training), policies and procedures and educational resources, including certification programs. The Cyber Leadership Playbook offers an actionable roadmap for leaders across the organization, from IT to executives, to collaborate more effectively, elevate risk management and integrate security into strategic decision-making.
Learn how to build a nonprofit cybersecurity risk management framework, ways to manage reputational risk and how technology can support security best practices for volunteer boards.
In the high-stakes realm of regulatory compliance and risk management, there’s no substitute for real-world knowledge. See how Hospital Sisters Health System strengthened their crisis resiliency, then practice your own preparedness with 5 steps for running a tabletop exercise.
Need help making a case for future-focused cyber governance and data protection in the first place? Here are key stats that boards need to know — especially today’s volunteer boards — along with a security assessment checklist to show where your organization stands right now.
BoardEffect: Built to protect mission-driven organizations and their data
Volunteer boards have an important mission in today’s cybersecurity environment: crafting policies, tracking regulations and ensuring preparedness and response against rising risk — and this sensitive data is too important to leave to siloed spreadsheets, insecure communications channels or tools built for other purposes.
BoardEffect brings information and collaboration together onto one secure, encrypted, HIPAA- and HITECH-compliant governance platform, offering:
- A centralized resource library for sharing and accessing plans, reports, educational materials and more.
- A secure, dedicated communications channel for sensitive discussions about cyber threats, reputational risk and cyber resilience.
- Annotation tools like “sticky notes,” drawing and highlighting for greater engagement and more efficient meeting prep.
- One-stop, anytime access to a full range of secure collaboration tools, like virtual workrooms, polls, surveys, tasks, schedulers and discussions.
Schedule a demo today to get ahead of the cybersecurity and compliance curve, gain greater peace of mind for your volunteer board, and safeguard your organization and its important mission.
Ed is a seasoned professional with over 12 years of experience in the Governance space, where he has collaborated with a diverse range of organizations. His passion lies in empowering these entities to optimize their operations through the strategic integration of technology, particularly in the realms of Governance, Risk, and Compliance (GRC).