Does your nonprofit run on a free Gmail account, a busy WhatsApp group, and whatever laptops your team already owns? You're not alone. Most small South African NPOs started exactly there. It was free, it worked from day one, and you had a mission to get on with — not an IT budget to argue over.
That was a smart call at the time. The trouble is, it was a call made for a moment, and most NPOs never go back to it. Bit by bit, that setup starts holding everything important: the donor list, the records of the people you help, the photos, the funder reports. All of it ends up in tools that nobody really controls. This article looks at what that costs you, who notices, and what a simple, affordable fix looks like.
The setup that felt smart at the time
A free Gmail account gives you a working mailbox in five minutes. WhatsApp is already on everyone's phone. The volunteer who's good with computers sets it all up, and for a while it's genuinely fine. You spend nothing, and every rand goes to the work that matters.
There's nothing silly about that. When you're juggling funding applications, the actual work, and a board meeting on Thursday, "free and instant" wins every time. The problem isn't that you chose these tools. It's that personal tools were never built to hold an organisation's information. The gap only shows up later — usually at the worst moment.
Where the cracks show
The failures are rarely dramatic. They're slow leaks. Time, trust, and control drain away a little at a time, until something breaks in front of a funder or one of the people you serve.
When the volunteer leaves, the data leaves too
This is the one that catches everyone. Whoever set up the Gmail account, the WhatsApp group, and the shared folder owns all of it. It's tied to their personal account.
And volunteers move on. When they do, they don't hand over a clean set of logins. Their account is mixed up with their own private email and photos, which they understandably want to keep. So the donor list stays in their inbox. The group is still run from their phone. If they leave on bad terms, or just stop replying, your organisation can lose access to its own records overnight. Nobody can reset the password, because there's no admin — just a former volunteer who happens to hold everything.
Picture this: the registration renewal is due, the documents you need are in a folder owned by someone who left in March, and nobody else can open it. That's not a rare case. It's one of the most common ways small NPOs lose access to their own history.
Everyone's working off a different version
The second leak is teamwork. When files get passed around as WhatsApp and email attachments, there's no single correct copy of anything. The budget exists in four versions on three phones. The report someone "finished" last night isn't the one that got emailed this morning. Two people update the same list, and one person's changes quietly vanish.
Every one of those moments eats volunteer hours — and volunteer time is one of the hardest things to replace. Hunting for the right version of a file, or redoing work that was already done, is time taken straight from the mission. It almost never shows up in a report, which is exactly why it gets ignored for years.
Whose phone is your beneficiaries' data sitting on?
This leak has the sharpest edge. Many NPOs hold very personal information about the people they help: health details, children's records, money troubles, ID numbers. Under South Africa's POPIA law, a lot of that counts as "special personal information," and your organisation is responsible for keeping it safe.
When that data lives in personal Gmail and WhatsApp on personal phones, you have no real control over it. You can't remove a volunteer's access when they leave. You have no record of who saw what. If a phone is lost or sold, the records go with it, and you can't wipe them. These aren't fancy extras — they're the basics POPIA expects of anyone holding this kind of information.
The Information Regulator can fine an organisation up to R10 million for failing to protect people's personal information (POPIA section 107(1)). In practice, it has gone after large data companies, not small NPOs. So the real risk isn't a fine landing on your desk tomorrow. The risk is that you're carrying a problem you couldn't explain if someone asked — a funder doing checks, a person who complains, or a board member who reads the news and wants answers. "It's all in our WhatsApp group" is not an answer you want to give.
What your funders actually see
Let's be honest, because the wrong version of this is everywhere. Most small NPOs are funded by local company giving budgets, community foundations, or the National Lottery. Those funders look at your delivery, your impact, and your finances. None of them is going to ask which email provider you use. If that were the whole argument, you'd be right to ignore it.
But it changes for two kinds of funder, and they're worth naming:
- Large and international funders. The bigger grant-makers and overseas donors increasingly ask about governance and how you handle data. "How do you protect the personal information of the people you serve?" is now a normal question on a serious application.
- Funders whose work touches sensitive data. Anything involving health, children, or ID numbers will care about how that data is handled, because their name is on it too.
For these funders, the way you run your information isn't a small IT detail. It's a sign of whether their money is going to an organisation that has its act together. When you're up against others who can answer the data questions cleanly, that matters. You don't need big, expensive systems to look good here. You just need a setup that lets you say "yes, we control our data, and here's how" without flinching.
What "fixed" looks like — and what it doesn't
Here's the good news, and the reason this is worth doing: the fix is neither expensive nor complicated. Microsoft and Google both offer their business tools to registered nonprofits for free or at a big discount, and for most South African NPOs that's the whole answer. We've put together a full, up-to-date guide to free and discounted Microsoft 365 for South African nonprofits — start there for the numbers.
Moving to a proper, organisation-owned setup fixes three things:
- Ownership. The organisation owns the accounts, not a person. When someone leaves, an admin removes their access in seconds, and nothing walks out the door.
- One correct copy. Files live in one shared place. Everyone works on the current version, and older versions can be brought back.
- Control. You can see who has access, wipe a lost phone, and show a funder or your board that the data is handled responsibly.
It's just as important to be clear about what this doesn't do. Overselling it would be its own kind of dishonesty:
- Moving to Microsoft 365 or Google Workspace does not, by itself, make you "POPIA compliant." It closes the access and control gaps above. Full compliance also means having a privacy policy, a clear reason for the data you keep, a way to handle people's requests about their own data, and a PAIA manual. Those sit alongside the tools, not inside them.
- It doesn't put your data out of reach of foreign governments. These are global tools run by US companies, and where the data physically sits doesn't change that. For most NPOs this won't matter — but you should know it.
- The built-in version history in these tools is a safety net, not a real backup. It's worth knowing the difference before you assume everything is safe forever.
None of this needs a server, a round-the-clock help desk, or a big contract. That's the whole point. A small nonprofit needs simple, owned, affordable tools — and someone who can set them up properly and pick up the phone when you have a question. Nothing more.
Frequently Asked Questions
Isn't proper IT expensive for a nonprofit?
Usually it's the opposite. The main tools — email, shared files, calendars — are free or heavily discounted for registered nonprofits through Microsoft's and Google's nonprofit programmes. The main cost is the once-off work of setting it up properly. For most small NPOs, running on proper, owned accounts costs little more than the free tools they already use, and often nothing more.
What's actually wrong with using our free Gmail and WhatsApp?
Nothing — until something goes wrong. The problems are that the accounts belong to people, not the organisation; there's no way to remove access or get the data back when someone leaves; and sensitive information ends up on personal phones you don't control. They're fine for personal use. They were just never built to hold an organisation's information.
Will our funders really judge us on our technology?
Most won't. Local company and Lottery funders care about your delivery and impact, not your email provider. But large funders, overseas donors, and anyone whose work involves sensitive data increasingly do ask about how you handle and protect information. For them, being able to show you control your data is a real plus.
Do we have to move everything at once?
No. The sensible way is step by step: get the organisation onto proper email accounts first, move shared files into one place next, and tidy up the rest over time. You don't stop work for a week, and you don't need everything perfect before you start seeing the benefit.
Where to start
If any of this felt a little too familiar, the first step is simple: map what you have. Which accounts exist, who owns them, and where the data about the people you help actually sits. That picture alone usually makes the priorities obvious.
TechCloud helps small South African nonprofits move off make-do tech and onto simple, owned, affordable cloud tools — without the big-company extras you don't need. If you'd like a straight conversation about your current setup, or want to see the affordable managed IT support behind it, we're easy to reach: call 010 590 0090 or email info@techcloud.co.za. No jargon, no pressure — just a clear picture of where you stand and what it would take to fix it.