Written by Mike Pearlstein, CISSP, CEO of Fusion Computing Limited. Helping Canadian businesses build and manage secure IT infrastructure since 2012 across Toronto, Hamilton, and Metro Vancouver.
Your donor database is the most valuable, and most exposed, asset your nonprofit owns. It holds names, home addresses, giving history, payment details, and sometimes wealth-screening notes, the exact information a fraudster wants and a regulator expects you to protect. Yet most Canadian charities run on lean budgets and borrowed time.
Many leaders also assume the privacy rules that bind banks and clinics somehow skip the charitable sector. They do not. This guide maps the four Canadian obligations that actually touch donor data, PIPEDA, provincial privacy law, CASL, and CRA record-keeping, and turns them into a controls checklist a small organization can run without a security team.
Short answer: Yes, Canadian privacy law reaches nonprofit donor data. PIPEDA covers personal data a charity handles during commercial activity, such as selling, leasing, or trading donor lists. CASL governs fundraising email, and 3 provinces (Alberta, British Columbia, and Quebec) have their own private-sector privacy laws.
Treat donor records as regulated data: limit access, encrypt them, vet your donor-CRM vendor, and be ready to report a breach to the Office of the Privacy Commissioner. Quebec’s Law 25 alone carries penalties up to CA$25 million.
KEY TAKEAWAYS
- 18% of Canadian nonprofits reported a cybersecurity incident, the same rate as for-profit businesses (Imagine Canada / Statistics Canada, 2021).
- 36% have no staff responsible for cybersecurity, and 39% of those say they cannot afford to hire any.
- Nonprofits spend roughly CA$21,000 a year on prevention versus CA$55,000 at for-profits, leaving donor data thinly defended.
- 79.8% of donors would stop or pause donations to a charity that suffered a data breach (Give.org, US donors, 2025).
- The average Canadian breach costs CA$6.98 million, and PIPEDA requires reporting any breach that poses a real risk of significant harm.
Does PIPEDA apply to your nonprofit’s donor data?
According to the Office of the Privacy Commissioner of Canada, PIPEDA applies to personal information an organization collects, uses, or discloses in the course of commercial activity. Many charitable activities fall outside that test, but selling, bartering, or leasing donor lists is commercial activity, and three provinces layer on their own private-sector privacy laws.
The common myth is that registered charities are simply exempt. The truth has 3 important exceptions: commercial activity, provincial law, and CASL. Core fundraising and program delivery often sit outside PIPEDA’s commercial-activity test, but the moment your organization rents its donor list, runs a paid raffle, sells merchandise, or operates a social enterprise, that activity is commercial and PIPEDA covers the personal data involved.
Geography is the second exception. Alberta and British Columbia have their own Personal Information Protection Acts that can apply to nonprofits regardless of commercial activity, and Quebec’s Law 25 is the strictest regime in Canada. The third is email: if you email donors to solicit gifts, Canada’s Anti-Spam Legislation (CASL) requires consent, sender identification, and a working unsubscribe in every message.
| Rule | Applies to your nonprofit when | What it requires |
|---|---|---|
| PIPEDA (federal) | You handle personal data in commercial activity (selling or leasing donor lists, paid raffles, social enterprise) | Meaningful consent, safeguards, and breach reporting |
| Alberta / BC PIPA | You operate in Alberta or British Columbia | Provincial private-sector rules that can apply with or without commercial activity |
| Quebec Law 25 | You hold personal data of Quebec residents | Consent, a designated privacy officer, breach reporting; penalties up to CA$25 million |
| CASL | You email donors to ask for gifts | Consent, sender ID, and a functioning unsubscribe |
| CRA T3010 | You are a registered charity | An annual return; summary data is public, but donor records stay private and must be safeguarded |
Mike Pearlstein, CISSP, has helped Canadian organizations classify and protect donor and client data since 2012.
What counts as donor data, and why attackers want it
The Office of the Privacy Commissioner of Canada received 693 breach reports in 2023 to 2024, affecting roughly 25 million accounts. Donor records are a prime target because a single database often fuses identity, contact, financial, and giving-history fields, almost everything a criminal needs for fraud, phishing, or resale.
Donor data is rarely just an email address. A typical fundraising record pulls together at least 4 sensitive categories, and each one raises the stakes if the database is breached.
- Identity and contact details: legal name, home address, phone, and email.
- Payment and banking data: credit cards, pre-authorized debit numbers, and CRA receipting information.
- Giving history and capacity: gift amounts, frequency, and wealth-screening notes.
- Relationship and program data: volunteer records, board PII, and sometimes beneficiary details.
That concentration is exactly why nonprofits make attractive targets, and why thin defences hurt. Across the Canadian sector, 36% of nonprofits have no one responsible for cybersecurity, and only 7% of small organizations even know that security standards exist.
One quiet risk multiplier is AI. When staff paste donor lists into free chatbots or enable broad file access for tools like Microsoft 365 Copilot, sensitive records can leak through oversharing, a pattern we cover in our note on Copilot oversharing for Canadian SMBs.
What a donor-data breach costs a Canadian nonprofit
According to IBM’s Cost of a Data Breach Report 2025, the average Canadian breach now costs CA$6.98 million, up 10.4% in a single year. A small charity will rarely face that headline figure, but the proportional hit, plus the loss of donor trust, can be existential for an organization running on a CA$2 million budget.
The damage lands in two waves. The direct costs include forensics, legal advice, notification, and recovery, which averaged about CA$19,000 per incident across surveyed Canadian nonprofits. The indirect cost is harder to recover from: 27% of affected nonprofits saw services disrupted, and the hit to programs and reputation outlasts the cleanup.
Donors notice, and the chart below is blunt: nearly 80% would change their donations after a breach, so a data incident is also a fundraising incident.
For broader Canadian context on threat trends, our summary of the state of cybersecurity in Canada tracks how these costs keep climbing.
Mandatory breach reporting under PIPEDA
Under PIPEDA’s mandatory regime in force since November 1, 2018, the Office of the Privacy Commissioner requires organizations to report any breach that creates a real risk of significant harm, notify affected individuals as soon as feasible, and keep a record of every breach for 24 months.
The deciding test is “real risk of significant harm,” which weighs the sensitivity of the data and the probability of misuse. A stolen spreadsheet of donor names, addresses, and donation amounts will usually clear that bar, which means 3 actions follow: report to the OPC, tell the affected donors, and log the incident.
A short, written plan turns a chaotic week into a checklist. Our template for an incident response plan walks through the same steps, scaled for a small Canadian organization.
A donor-data protection checklist for nonprofits
The Canadian Centre for Cyber Security publishes baseline controls for small and medium organizations. Mapped to donor data, the priorities reduce to 8 moves: access control, multi-factor authentication, encryption, vendor due diligence, retention limits, staff training, tested backups, and a breach plan.
None of these 8 controls requires a security team. Each one needs a named owner and a review once a quarter. Use the table as a working audit of your current posture.
| # | Control | Category | In place? |
|---|---|---|---|
| 1 | Unique logins and MFA on the donor CRM and email | Access | □ |
| 2 | Role-based access; remove leavers and inactive volunteers within 7 days | Access | □ |
| 3 | Encrypt donor data at rest and in transit | Data | □ |
| 4 | Written data-processing terms with your CRM and payment processor | Vendor | □ |
| 5 | Retention schedule; securely delete data you no longer need | Data | □ |
| 6 | Annual privacy and phishing training for staff and board | People | □ |
| 7 | Offline, tested backups of the donor database | Resilience | □ |
| 8 | One-page incident-response and breach-notification plan | Response | □ |
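Controls 1 and 2 are the ones a small organization can check mechanically from a user export. The script below is an added example, not code from this article or from any CRM vendor: it reads a constructed CSV export of CRM accounts and a constructed HR leaver list, then flags active accounts without MFA, shared logins (assumed here to follow a `shared.` naming convention), leavers still active more than 7 days after their last day, and volunteer accounts idle for longer than an assumed 90-day window.

```python
"""Quarterly access-review audit for a donor-CRM user export.

Added example, not the article's or any vendor's code. Checks checklist
controls 1 (unique logins and MFA) and 2 (leavers and inactive volunteers
removed within 7 days). The CSV text, the 'shared.' naming convention and
the 90-day inactivity window are constructed assumptions for illustration.
"""
import csv
import io
from datetime import date

# Constructed sample export from a hypothetical CRM admin console.
USERS_CSV = """username,role,mfa_enabled,last_login,status
a.chen,admin,true,2025-03-01,active
b.singh,fundraiser,false,2025-02-28,active
c.ortiz,volunteer,true,2024-10-15,active
d.lee,fundraiser,true,2025-01-20,active
shared.events,fundraiser,false,2025-03-02,active
e.roy,volunteer,true,2025-02-25,disabled
"""

# Constructed HR leaver list: username and last working day.
LEAVERS_CSV = """username,last_day
d.lee,2025-02-10
e.roy,2025-02-20
"""


def parse_csv(text):
    """Parse CSV text into a list of row dicts."""
    return list(csv.DictReader(io.StringIO(text)))


def audit(users_csv, leavers_csv, today, leaver_grace_days=7, inactive_days=90):
    """Return (username, finding) pairs for accounts that fail the review.

    leaver_grace_days is the 7-day removal window from the checklist;
    inactive_days is an assumed threshold for dormant volunteer accounts.
    """
    users = parse_csv(users_csv)
    leavers = {
        row["username"]: date.fromisoformat(row["last_day"])
        for row in parse_csv(leavers_csv)
    }
    findings = []
    for user in users:
        name = user["username"]
        active = user["status"] == "active"
        if not active:
            continue  # disabled accounts have already been removed
        last_login = date.fromisoformat(user["last_login"])

        # Control 1: every active account must have MFA enabled.
        if user["mfa_enabled"].lower() != "true":
            findings.append((name, "NO_MFA"))
        # Control 1: shared mailbox-style logins break the access trail
        # (assumed naming convention: 'shared.' prefix).
        if name.startswith("shared."):
            findings.append((name, "SHARED_LOGIN"))
        # Control 2: leavers must be disabled within the grace window.
        if name in leavers and (today - leavers[name]).days > leaver_grace_days:
            findings.append((name, "LEAVER_NOT_REMOVED"))
        # Control 2: dormant volunteer accounts should be removed.
        if user["role"] == "volunteer" and (today - last_login).days > inactive_days:
            findings.append((name, "INACTIVE_VOLUNTEER"))
    return findings


def run_sample():
    """Run the audit over the constructed data as of a fixed review date."""
    return audit(USERS_CSV, LEAVERS_CSV, date(2025, 3, 5))


if __name__ == "__main__":
    for username, finding in run_sample():
        print(f"{finding:20s} {username}")
```

Export the same two files each quarter, run the script, and treat every non-empty result as a ticket for the control's owner; the review date is fixed in `run_sample()` so the output is reproducible, but a real run would pass `date.today()`.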
How to fund this on a nonprofit budget
Programs like TechSoup Canada and Microsoft’s nonprofit offer give registered charities donated or deeply discounted security tooling, including Microsoft 365 Business Premium grants that bundle MFA, encryption, and device management. Most of the 8 controls above cost staff attention more than dollars, which matters when nonprofits spend about half what businesses do on prevention.
Start where the risk is highest and the cost is lowest. Turning on MFA and ending shared logins is free and closes the most common attack path. Grant-funded Microsoft 365 Business Premium then layers on encryption and device management for little or no licence cost.
Frequently asked questions
Does PIPEDA apply to registered charities in Canada?
It depends on the activity. PIPEDA applies when an organization handles personal data in the course of commercial activity, such as selling or leasing donor lists, paid raffles, or a social enterprise. Pure fundraising and program delivery may fall outside it, but Alberta, British Columbia, and Quebec add their own private-sector laws, so most of Canada’s 85,518 registered charities are touched by at least 1 regime.
Is donor data considered personal information?
Yes. Donor names, addresses, email, donation amounts, payment details, and giving history are all personal information under Canadian privacy law. Combined in 1 record, they are highly sensitive, which raises the likelihood that a breach meets the “real risk of significant harm” test and must be reported to the Office of the Privacy Commissioner.
What is the penalty for a privacy breach in Canada?
It varies by law. Under federal PIPEDA, knowingly failing to report a qualifying breach or to keep records can draw fines up to CA$100,000. Quebec’s Law 25 is far stricter, with administrative penalties up to CA$10 million and penal fines up to CA$25 million, so an organization with Quebec donors faces materially higher exposure.
Do we have to report a donor-data breach to anyone?
If the breach poses a real risk of significant harm, yes. Since November 1, 2018, PIPEDA requires you to report the breach to the Office of the Privacy Commissioner, notify affected individuals as soon as feasible, and keep a record of the breach for 24 months. Document your decision even when you conclude no notification is required.
Does CASL apply to our fundraising emails?
Yes. Canada’s Anti-Spam Legislation governs commercial electronic messages, and fundraising appeals generally qualify. You need consent, clear sender identification, and a working unsubscribe in every message. Registered charities get some relief for messages whose primary purpose is raising funds, but the 3 core requirements still shape how you build and maintain your donor email list.
Is our cloud donor database automatically compliant?
No. Platforms such as Blackbaud, Raiser’s Edge, or DonorPerfect secure their own infrastructure, but compliance is shared. The duty to control access, obtain consent, assess a breach, and notify donors stays with your charity. Always confirm what the vendor covers in writing, and treat the other 7 controls on the checklist as your responsibility.
How much should a small nonprofit budget for donor-data security?
Less than most leaders fear. Canadian nonprofits average roughly CA$21,000 a year on cyber prevention, but the highest-impact moves cost little: MFA and ending shared logins are free, and grant programs supply Microsoft 365 Business Premium at deep discounts. Budget for 1 annual training session and a managed-IT partner if internal capacity is thin.
What is the single most important first step?
Turn on multi-factor authentication and give every user a unique login on the donor CRM and email. This 1 change blocks the most common attack path (stolen or reused passwords) and restores the access trail you need to scope an incident. It is item 1 on the checklist for a reason and usually takes under 1 day.
The bottom line
Donor trust is your nonprofit’s real endowment, and it lives in a database the law now expects you to protect. You do not need a security team to start. Limit access, turn on MFA, encrypt donor records, vet your CRM vendor, and write a 1-page breach plan. Those 5 moves cover most of what PIPEDA intends, and most of the paths attackers use.