
Non-Profit Compliance in British Columbia: Governance, Charity Status, and IT Security Requirements

This is a reference guide for BC non-profit societies and registered charities summarising the federal, provincial, and sector-specific regulatory frameworks that shape governance, charity status, fundraising, and donor privacy. Hexafusion is an IT services partner, not a legal advisor. Confirm current obligations with BC Registries, the CRA Charities Directorate, and qualified counsel.

Federal regulatory framework

Area | Statute or Regulator | IT relevance
Privacy (federal) | PIPEDA, OPC | Applies to commercial activity and cross-border data handling by non-profits.
Cybercrime | Criminal Code, ss. 342.1 and 430(1.1) | Unauthorised access to donor databases, ransomware risk.
Federal incorporation | Canada Not-for-profit Corporations Act | Minute books, member registers, and annual return records.
Charity status | Income Tax Act, CRA Charities Directorate | Receipt records, books and records retention, T3010 reporting.
Anti-spam | CASL | Consent logs for donor and stakeholder emails. Charities have some specific exemptions.
Anti-terrorism | Charities Registration (Security Information) Act | Records relevant to charity-listing reviews.

BC provincial framework

Area | Statute or Regulator | IT relevance
Societies | BC Societies Act (2016), BC Registries | Member registers, minutes, bylaws, annual filings.
Privacy (provincial) | BC PIPA, OIPC BC | Applies to personal information held by BC non-profit organisations, subject to the Act's scope.
Gaming | Gaming Control Act, BC Gaming Policy and Enforcement Branch | Licensing for lotteries, raffles, and bingo fundraising.
Employment | BC Employment Standards Act | Payroll and volunteer time records.
Workplace safety | Workers Compensation Act, WorkSafeBC | Staff and volunteer safety records.
Human rights | BC Human Rights Code | Program delivery non-discrimination.
Accessibility | Accessible British Columbia Act | Accessibility plans and committee obligations for prescribed organisations.
Consumer protection | Business Practices and Consumer Protection Act | Disclosure obligations for consumer transactions by the non-profit.

Non-profit-specific regulators and statutes

  • BC Societies Act (2016). The modern governance statute for BC non-profits, covering directors' duties, member rights, financial statements, and public document access. Member registers and minute books are central compliance records.
  • Canada Not-for-profit Corporations Act. Applies to federally incorporated non-profits, with its own members' register and filing obligations.
  • CRA Charities Directorate. Registered charities must keep books and records, issue compliant receipts, file the T3010 annually, and limit political activities per Income Tax Act rules. The CRA Charities Directorate publishes guidance and conducts audits.
  • Gaming Control Act (BC). Gaming fundraising requires licensing, reporting, and tracked proceeds. The BC Gaming Policy and Enforcement Branch supervises.
  • Accessible British Columbia Act. Introduced accessibility plans and committees on a phased basis for prescribed organisations. Status as of early 2026; verify which phase applies to your organisation.
  • Funder requirements. Government and foundation funders often impose data protection, privacy, and reporting obligations in grant agreements that go beyond statute.
  • Software licensing. TechSoup Canada provides discounted licensing for eligible non-profits and charities; proper licensing is a quiet compliance item.

Cross-cutting frameworks

  • PCI DSS for online donation processing.
  • NIST Cybersecurity Framework and CIS Controls as benchmarks.
  • SOC 2 as due diligence for cloud donor management and accounting vendors.
  • Cyber insurance underwriter expectations. Multi-factor authentication, endpoint detection and response, tested backups, phishing training, incident response plans, and patching.

Non-profits often operate with leaner IT budgets than comparable for-profit organisations, but they face the same threat landscape: phishing against donor databases, ransomware against finance systems, and takeover of email accounts that can then be used to redirect funds. Program funders, both government and private, increasingly include cybersecurity and privacy provisions in grant agreements, so the baseline of multi-factor authentication, endpoint detection and response, tested backups, phishing training, an incident response plan, and documented patching is no longer optional at any size. TechSoup Canada licensing makes several of these controls affordable for eligible organisations, but the procurement advantage needs to be matched with disciplined configuration and monitoring.

How IT controls map to the regulatory stack

  • Retention schedules for member registers, minutes, financial statements, receipts, and grant reporting, aligned with Societies Act, CRA, and funder expectations.
  • Access logs on donor databases and accounting platforms, with separation between fundraising, finance, and leadership roles.
  • Encryption at rest and in transit on donor records, payroll, and case management systems.
  • Written breach response plan aligned with PIPEDA and BC PIPA, with board notification procedures documented.
  • Tested backups and disaster recovery for accounting and donor management.
  • MDR, EDR, MFA, and patching, with attention to board and volunteer accounts that often sit outside standard staff controls.

Non-profits that handle these controls well tend to consolidate onto a small number of well-supported platforms (typically Microsoft 365 or Google Workspace, a single donor CRM, and a single accounting package) rather than sprawling across free tools that nobody fully manages. They enforce MFA across staff, board, and regular volunteer accounts because a compromised board email is an effective fraud vector. They align retention schedules to Societies Act, CRA, and funder expectations, rather than letting the defaults of each cloud tool decide. And they keep the privacy policy, breach response plan, and accessibility plan (where applicable) under regular board review, which turns compliance from a reactive exercise into a standing item of governance.

Boards increasingly take direct interest in cyber and privacy risk because a ransomware event can halt program delivery for weeks and a donor data breach can erode trust that takes years to rebuild. Directors' fiduciary duties under the Societies Act include a duty of care, and boards are asking for the same kinds of evidence that an insurer or funder would. Non-profits that can show a written privacy policy, an incident response plan, documented backups, and a recurring training programme can usually satisfy board, funder, insurer, and regulator questions with the same artefacts.

Where Hexafusion fits

Hexafusion operationalises the IT controls that support BC non-profit governance, charity status, and donor trust obligations. That includes donor database hardening, Microsoft 365 or Google Workspace configuration, encryption and retention tuning, board account security, and the written documentation that supports CRA inquiries, funder audits, and insurer questions. Our founder's PCI DSS Internal Security Assessor background informs how we structure evidence for third-party review.

We do not interpret the Societies Act, do not prepare T3010 filings, and do not act as your privacy officer. Those roles belong to qualified counsel, your treasurer or finance committee, and your designated privacy officer.

Common questions from BC non-profits at the intake stage include how to secure board communications and directors' email accounts, how to manage access to the donor database when volunteers rotate through, how to handle retention across a donor CRM and a general ledger that keep records on different timelines, and how to respond to the data protection and incident reporting clauses that appear in government and foundation grant agreements. Each question has a technical answer that flows from a well-governed cloud platform, a clear policy layer, and named ownership for each control. It is the same pattern that works for for-profit organisations, applied with the budget discipline that non-profits typically need.

Frequently Asked Questions

Who enforces non-profit compliance in BC?
BC Registries administers the Societies Act. Corporations Canada administers the federal Act. CRA Charities Directorate regulates registered charities. BC Gaming Policy and Enforcement Branch administers gaming fundraising. OIPC BC enforces BC PIPA.

Does Hexafusion provide legal advice?
No. We are an IT services provider. Compliance interpretation belongs to counsel and your finance and governance leadership.

How do IT controls map to non-profit compliance rules?
Member and donor records, financials, gaming records, accessibility plans, and grant reporting all need reliable retention, access control, encryption, and tested backups.

How does non-profit compliance overlap with cyber insurance?
Insurers require MFA, EDR, backups, training, IR plans, and patching. These also protect donor data, grant funds, and charity status.

What records must my non-profit retain?
Societies Act member and minute records, CRA six-year books and records, federal Act requirements for federally incorporated organisations, and gaming licensee records where applicable.

Does the BC Accessibility Act apply to my organisation?
As of early 2026, it applies to prescribed organisations on a phased basis. Verify the current list of prescribed organisations and the phase that applies to yours.

Disclaimer

This reference guide provides general regulatory context for BC-based non-profits and charities. It is not legal or compliance advice. Confirm current requirements with BC Registries, CRA Charities Directorate, and qualified counsel. Hexafusion is an IT services provider and does not provide legal advice. Administrative monetary penalties apply up to statutory maximums; confirm current amounts with the regulator.

Reviewed by Alex Barari, Founder, former PCI DSS Internal Security Assessor (ISA).

Need help with the IT side of compliance?

Request a scoped assessment. We review your technical safeguards against the evidence an assessor, regulator, or insurer expects, and deliver a written report.