Responsive Transparency: An Analysis of Organizational Readiness for PII Protection

Author: Philliph Drummond, Senior Tech Design Researcher, Superbloom
Editor: Tin Geber, Founder, Draftlab

Civil society organizations (CSOs) and non-profit organizations (NPOs) are both wrestling with an emergent problem of their own, and their staff’s, visibility online: they need public transparency for credibility and funding, yet this visibility exposes their often vulnerable, marginalized staff to targeted harassment, doxxing, and escalating physical threats. Current solutions require ad-hoc manual content removal of personally identifiable information (PII), taking hours or days. This leaves staff vulnerable to threats during critical windows of time that they and their organizations should be responding to secure and protect their PII.

This research aims to discover and analyse existing best practices in organisational readiness and ability to remove PII in response to immediate threats; surface broad sector-level insights and critical recommendations; provide a blueprint for taxonomies of PII removal; and investigate technological solutions to support and facilitate responsive protection of sensitive data. We conducted two surveys: one focused on organizational readiness (Survey A: Organizational Assessment), the other on individual safety (Survey B: Individual Safety). We also conducted qualitative key partner interviews for narrow-and-deep insights.

The research shows that this isn’t exactly a technology issue: rather, it’s about how systems and processes are failing people. About a third of Survey B’s respondents to the organizational assessment survey have faced online threats, yet at the same time, another third of respondents never told their organization about it. About half of the respondents’ organizations only prioritized making threat assessments after an incident had occurred. Both surveys (organizational assessment and individual safety) show that none of the respondents’ organizations had attempted so far to temporarily hide PII or attributions from their site: if sensitive information needs to be removed from their organizational website, it’s likely removed “destructively:” deleted and gone for good. On top of that, about a quarter of respondents’ organizations don’t have any formal process to protect PII currently on their sites.

Organizational practices described by our respondents are in stark contrast with individuals’ needs and expectations: nearly half of the CSO/NPO staff that responded to the surveys want protection (i.e. removals) within the same day or faster. Most (72%) don’t want it to disappear completely; they just want to hide some details. More than half (65%) want to work collaboratively on privacy decisions, instead of leaving everything up to their organization.

An ideal solution to keep the PII of organizations safe would involve practicing responsive transparency that would allow for organizations to have public PII/attributions by default but rapidly protected when necessary, without permanent loss of visibility or hours of manual work.

1. Survey A: Organizational Assessment
   • Target: Small to medium NGOs (5-50 staff)
   • Focus: Attribution practices, technical environment, threat scenarios, organizational policies
   • Distribution: Direct outreach + public form
   • Period: July 14–September 24, 2025
2. Survey B: Individual Safety
   • Target: Individual staff at CSOs/NPOs
   • Focus: Personal safety concerns, threat experiences, control preferences
   • Distribution: Social media + organizational networks
   • Period: July 14–September 24, 2025
3. Practitioner Interviews
   • Target: Seasoned professionals (10+ years experience)
   • Format: Semi-structured interviews
   • Focus: Lived experience, implementation challenges, nuanced perspectives
   • Period: September 1–September 24, 2025

The sample size is pretty small, so we can’t assert with certainty that the findings apply consistently across the non-profit or civil society sectors—which was a goal to some extent. For that reason, we focused on identifying directional trends in the sample, in order to make inferences about the broader target audience.

Additionally, we need to account for respondents’ bias, since the people who chose to take the survey are more likely to care more about privacy than most other CSO or NPO staff. Additionally, since the survey was only in English, it left out those who speak other languages. Finally, a lot of people didn’t answer the more hypothetical questions—about 40 to 45% skipped those.