Navigating AI, Copilot and data security for Australian not-for-profits
Not-For-Profit (NFP) National Leader, Elizabeth Blunt, recently hosted a webinar focused on AI adoption, while maintaining and strengthening privacy, security, and governance. Joined by Julie Kilner, BDO in Australia Partner, Digital, Wayne Anderson, Managing Director, Cyber Security and Digital Innovation, BDO USA, and Margaux Guidon, Microsoft AI, Copilot and agents specialist, they covered the data privacy expectations, potential governance, and compliance, how AI can help address long-standing sector challenges, and what successful implementation and adoption can look like. Watch the full webinar.
Data privacy and regulatory expectations for Australian NFPs
Across the industry, there is data everywhere, but often, we don’t know what we have, where it is, or what we’re supposed to do with it. In the NFP sector this challenge is amplified, because you are holding people’s stories, health information, financial information, family, cultural, and community context.
In the Australian data landscape, three main shifts are underway. Our Privacy Act is currently under reform and to date has introduced increased enforcement powers, penalties and individual rights under privacy laws. More broadly, there is increased regulatory focus on data handling practices, where regulators are prioritising the over-collection of data, poor retention and disposal practices, weak access controls, and a lack of transparency. Alongside these focuses, AI is now firmly within regulators’ scope. Australia does not currently have a single AI act, however the expectations are clear, AI must be safe, explainable, and fair. Organisations must understand how AI uses their data and align with frameworks such as Responsible AI principles and risk-based AI governance.
What this means for NFPs is that, where organisations have historically relied on the small business exemption under the Privacy Act, that exemption is becoming increasingly irrelevant in practice, as many NFPs now fall within the scope of the reformed Act. Government contracts often impose privacy obligations regardless of size, and regulators have signalled that exemptions may be reduced or removed over time. More importantly, community expectations are that data is protected, information is respected and privacy is taken seriously, marking a shift from “are we regulated?” to “are we acting responsibly?”.
There are four core expectations for NFP compliance:
- Collect only what you need
- Know what data you hold and where it is stored
- Manage the full data lifecycle: collection, storage, and deletion when no longer required
- Control and monitor access, including third-party and cloud providers, with accountability remaining with the organisation.
Meeting these expectations can be difficult for many NFPs because many organisations are longstanding and not starting the compliance journey from a blank slate. Many are dealing with constraints such as legacy systems, limited funding, decentralised operations, unfamiliarity with the Privacy Act, and passion-driven service delivery.
This is then compounded by the key challenges many are facing:
- AI risk and governance – staff using tools like ChatGPT or Copilot
- Increasing regulatory scrutiny – more proactive enforcement
- Managing unstructured data – tackling archive folders and large caches of stale documents
- Resource constraints – doing more with limited funding and capacity.
Ideally, you need to be targeted and pragmatic, not perfect.
In the not-for-profit sector, data is not just an asset, it is a reflection of the people you serve, and how you manage that data is increasingly how you will be judged, not just by regulators - but by your communities, your funders, and your future partners. Documentation must go beyond privacy policies and include data-handling procedures and practised breach response plans. Your staff awareness and training are critical as we see most risks arising from everyday behaviour, not malicious intent. Moving forward this training and awareness should cover AI governance including staff using AI tools with sensitive data.
How AI tools are transforming productivity
AI tools offer a new way to tackle many ongoing challenges in the NFP sector, including stretched teams and high turnover, administrative burdens that pull staff away from mission work, disconnected systems, and growing expectations for transparency and accountability. With the right AI systems, organisations are able to streamline processes, simplify work, and free up time for the work that truly matters.
Microsoft Copilot and its agents can be integrated into daily workflows and adapted to support individual roles, with the potential to build custom agents specific to your organisation’s internal needs, while also, critically, working within built-in compliance and security controls. Using AI tools like Copilot can reduce the time spent toggling between systems by unifying them into one intelligent experience, free up hours by automating tasks, improve staff retention by reducing burnout through personalised AI assistance, and strengthen trust and scalability by adopting secure, compliant AI that evolves with the organisation’s needs.
It’s important that AI products are based on a responsible AI framework; one of Microsoft’s main principles for responsible AI is building trust. Key components of this trust are that your data remains your data, and that it is not used to train or enrich foundational AI models without permission. AI can, however, help shine a light on your data, showing how it’s structured, who has access, and how it flows. Introducing AI doesn’t mean choosing between innovation and security; it’s about understanding and using the right tools.
AI in practice: implementation of Copilot for a global NFP
The journey to efficient AI implementation starts before introducing an AI model to your systems. including improved service delivery, resource allocation, donor engagement and outcomes for the communities they serve. AI decisions for NFPs should remain tightly aligned with their mission objectives, helping maintain trust with donors, partners, and regulators.
In a recent journey for an NFP organisation, they acknowledged the benefit of AI within their organisation, but before they could get to the AI use cases, they recognised the need for the right data to feed the AI applications. This meant actually working through consolidating their data, recognising where the stale data sat, and understanding the authoritative source of data in each process.
In their implementation, this NFP organisation adopted a repeatable, staged approach to AI, enabling them to educate staff at different levels, identify high-impact use cases, set clear risk and governance boundaries, and invest in their data foundations before the technology. They maintained an equal emphasis on people and workflow changes, ensuring staff could integrate AI into existing processes to save time, improve effectiveness, and measure results. The staged approach allowed them to prioritise high-impact, low-complexity use cases that closely matched existing AI tool capabilities, so value could be realised quickly and confidence built in the internal team, enabling momentum, learning and a gradual progression to more complex use cases over time.
AI success in NFPs can come from disciplined prioritisation, strong data foundations, governance and trust, and continuous iteration, making sure each use case deliberately contributes to the organisation’s mission rather than distracts from it.
BDO supporting NFPs through implementation and change
As Australian NFPs navigate rapid advances in AI, there is a clear opportunity to reduce administrative burden, support stretched teams, and redirect effort to the organisation’s critical work. Success with AI and data depends on getting the fundamentals right, understanding what data is held and where, strengthening lifecycle and access controls, and establishing practical governance to meet rising regulatory expectations for transparency, safety, and fairness.
Building on this, we’ll continue to share further insights with an article series over the coming weeks to support leaders as they consider how emerging technologies, data and governance overlap with their mission and operations.
Staged approaches that balance technology, people, and process change allow NFPs to adopt AI with confidence, strengthen trust with communities and regulators, and deliver greater impact at scale. If your organisation is ready to explore how AI can support its work, BDO’s NFP and cyber security specialists can help you move to the next step.
Watch the webinar or learn more about our not-for-profit webinar series.