Finding competent technology help is hard. Finding a tech consultant who understands the specific privacy stakes involved when you work with LGBTQ+ clients, therapy patients, immigrants, or domestic violence survivors — that’s considerably harder.
Most IT consultants know how to set up a router and manage devices. Far fewer understand that a misconfigured Google Workspace can expose client intake forms to search engines, that a standard email newsletter tool can leak subscriber data in ways that put people at risk, or that “we’re compliant” and “we’re actually secure” are not the same sentence.
This guide is for organizations that need to make a thoughtful decision about who to trust with their systems and their clients’ information.
Start With the Right Question
The first question most organizations ask is “how much does it cost?” That’s understandable, but it’s the second or third question you should be asking. The first question is: does this person understand who our clients are, and what it means if something goes wrong?
A therapy practice handling mental health records operates under HIPAA. A nonprofit serving undocumented immigrants needs to think carefully about what data they collect and who might compel them to produce it. An LGBTQ+ organization may have clients whose identity information, if exposed, could put them at real personal risk.
These aren’t hypotheticals. They’re the actual threat models for real organizations, and a consultant who hasn’t thought about them — or who treats your organization like a generic small business — isn’t a good fit.
Privacy Should Be a First Instinct, Not an Afterthought
When you describe your work to a prospective consultant, pay attention to where they go first. Do they ask about your clients and what kinds of data you handle? Or do they jump straight to which antivirus software you’re running?
A consultant who leads with privacy is asking the right questions. One who treats security as a checklist item — a box to tick after setting up the equipment — is operating with a fundamentally different frame.
Good questions a privacy-first consultant should ask you:
- What data do you collect about the people you serve, and where does it live?
- Do your clients have any reason to be concerned about that data being seen by third parties?
- Have you audited what third-party tools are embedded in your website or forms?
- Do you have a process for what happens if there’s a breach or a data request?
If a prospective consultant doesn’t ask anything like this, that tells you something.
Ask About Their Actual Experience With Organizations Like Yours
“I work with nonprofits” covers a lot of ground. Ask specifically whether they’ve worked with organizations in your sector — healthcare, LGBTQ+ services, immigration legal services, mental health — and what that work involved.
You’re looking for evidence that they understand the relevant regulatory landscape (HIPAA for healthcare, state data protection laws for others), the specific tools your sector tends to use, and the particular ways things can go wrong for organizations like yours.
This doesn’t mean they need to have worked exclusively with organizations exactly like you. It means they need to demonstrate that they understand why your situation is different from a small retail business, and that they’ve thought carefully about it.
Transparency About Tradeoffs Matters More Than Confidence
Good technical consultants acknowledge tradeoffs. Every system involves choices — between convenience and security, between cost and redundancy, between ease of use and control. A consultant who presents everything as simple and without downsides either hasn’t thought it through or isn’t being straight with you.
Ask about a tool or approach they’d recommend for your situation. A thoughtful answer will include something like: “this works well, but the downside is X, and we’d want to mitigate that by doing Y.” An answer that has no caveats should give you pause.
Specifically for privacy: ask them to explain the privacy tradeoffs in a tool they’re recommending. If they can’t, they either don’t know the tool well enough or haven’t considered the privacy angle at all.
Understand What Ongoing Looks Like
One-time setups rarely stay secure. Technology changes, your organization changes, and threats evolve. Ask prospective consultants how they think about the ongoing relationship.
Some things worth understanding before you start:
- How do they handle questions and small issues between projects? Is there a retainer arrangement, hourly billing, or a support package?
- What does a security review or check-in look like? How often do they recommend them?
- If something goes wrong — a breach, a compromised account, a data request from law enforcement — do they help with response, and what does that cost?
An organization that serves vulnerable people needs to know there’s someone available when something goes wrong, not just when they’re onboarding you.
On Cost: Inexpensive and Cheap Are Different Things
Budget constraints are real, especially for nonprofits and small practices. A good consultant will work within your constraints and help you prioritize the things that matter most first.
What they won’t do is pretend that cutting corners on security has no consequences. The goal of a good consultant isn’t to sell you the most expensive solution — it’s to help you make informed choices about which risks are acceptable given your resources and which ones aren’t.
If a consultant is willing to implement something they know is inadequate without flagging it clearly, they’re not serving your interests.
A Note on Certifications
Technical certifications (CompTIA Security+, CISSP, etc.) demonstrate baseline knowledge, and they’re worth asking about. But they’re not a substitute for judgment, and they don’t tell you whether someone understands your specific context.
The most important indicators aren’t credentials — they’re how the person thinks, what questions they ask, whether they can explain things clearly, and whether they’re honest about what they don’t know.
Ask a prospective consultant about a situation where they gave a client advice they knew the client didn’t want to hear. Their answer will tell you a lot.
Frequently Asked Questions
What should a nonprofit ask a tech consultant before hiring them?
Start by asking whether they have experience with organizations serving vulnerable populations, and what that work involved. Then ask how they approach privacy — not as a compliance requirement but as a design principle. Ask them to walk through the privacy tradeoffs in a tool they’d recommend for your situation. A good consultant will engage seriously with those questions; a poor fit will treat them as unusual or give vague answers.
Do I need a HIPAA-compliant tech consultant for a therapy practice?
Any technology work that touches electronic protected health information (ePHI) — which includes client scheduling, intake forms, email, cloud storage, and billing — needs to be done with HIPAA requirements in mind. This means your consultant should understand what a Business Associate Agreement (BAA) is and ensure that every tool they recommend either has one available or is explicitly kept outside the scope of ePHI. “I’ll look into that” is not a satisfying answer when HIPAA is involved.
How is working with an LGBTQ+ organization different from working with other nonprofits?
The threat model is different. For many LGBTQ+ clients — particularly those who are not out to family, employers, or in hostile jurisdictions — exposure of their connection to an organization can carry real personal consequences. This means your consultant needs to think carefully about data minimization (don’t collect what you don’t need), access controls (who in the org can see what), and what happens to data if the organization receives a legal request. A consultant who hasn’t worked in this context should at least demonstrate that they understand why it matters.
What’s the difference between a privacy audit and a security audit?
A security audit focuses on whether your systems are protected from unauthorized access — malware, intrusions, account compromises. A privacy audit looks at what data you’re collecting, where it goes, who can see it, and whether collecting it in the first place is necessary and proportionate. Both matter. For organizations serving vulnerable populations, the privacy audit often surfaces more actionable issues — like a contact form sending data to Google, or a mailing list tool that retains subscriber metadata indefinitely — than a pure security review would.
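The first step of that privacy audit, for both the “what third-party tools are embedded in your website or forms” question above and the contact-form example here, is an inventory of every outside host a page hands data to. The following script is an added illustration, not part of the original article: it parses a page with Python’s standard library and lists each form action, script, iframe, image beacon and stylesheet that points off your own domain. The sample page and the hostnames in it are constructed for the example; run it against your own saved HTML to see what a consultant should be able to explain to you.

```python
"""Inventory the third-party endpoints a web page loads code from or posts data to.

Added example for a privacy audit. The SAMPLE_PAGE below is constructed;
hostnames in it are illustrative only.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Which attribute carries the destination for each tag we care about.
# A cross-origin form action is the most serious finding: everything the
# visitor types is sent directly to that host.
_TAG_ATTR = {
    "form": "action",
    "script": "src",
    "iframe": "src",
    "img": "src",
    "link": "href",
}

# What each finding means for the person filling in the page.
_IMPACT = {
    "form": "visitor-submitted data is sent to this host",
    "script": "this host's code runs in the page and can read everything on it",
    "iframe": "this host's code runs in the page and can read everything on it",
    "img": "each visit is disclosed to this host (IP address, referrer)",
    "link": "each visit is disclosed to this host (IP address, referrer)",
}


class _Collector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.refs = []  # (tag, url) pairs in document order

    def handle_starttag(self, tag, attrs):
        attr = _TAG_ATTR.get(tag)
        if attr is None:
            return
        value = dict(attrs).get(attr)
        if tag == "form" and not value:
            value = ""  # a form with no action posts back to the page itself
        if value is not None:
            self.refs.append((tag, value))


def _host_of(url, page_host):
    """Return the host a URL resolves to, or None for non-network schemes."""
    parsed = urlparse(url)
    if parsed.scheme in ("data", "mailto", "javascript", "tel"):
        return None
    if parsed.netloc:  # absolute URL or protocol-relative (//cdn.example/...)
        return parsed.netloc.lower()
    return page_host  # relative path: same origin as the page


def _is_first_party(host, page_host):
    return host == page_host or host.endswith("." + page_host)


def third_party_data_flows(html, page_host):
    """Return (tag, host, url) for every reference that leaves page_host."""
    page_host = page_host.lower()
    collector = _Collector()
    collector.feed(html)
    findings = []
    for tag, url in collector.refs:
        host = _host_of(url, page_host)
        if host is None or _is_first_party(host, page_host):
            continue
        findings.append((tag, host, url))
    return findings


def describe(finding):
    """One audit line per finding, e.g. for a report to the organization."""
    tag, host, url = finding
    return f"<{tag}> -> {host}: {_IMPACT[tag]} ({url})"


# Constructed sample page for an organization hosted at example.org.
SAMPLE_PAGE = """
<html><head>
<script src="//www.googletagmanager.com/gtm.js?id=GTM-XXXX"></script>
<script src="/static/app.js"></script>
<link rel="stylesheet" href="https://fonts.googleapis.com/css?family=Inter">
</head><body>
<form action="https://docs.google.com/forms/d/e/FORMID/formResponse" method="post">
  <input name="name"><input name="reason_for_visit">
</form>
<form method="post"><input name="q"></form>
<iframe src="https://www.youtube.com/embed/abc"></iframe>
<img src="https://tracker.example-analytics.net/pixel.gif?u=1" width="1" height="1">
<img src="data:image/gif;base64,R0lGODlh">
</body></html>
"""

if __name__ == "__main__":
    for finding in third_party_data_flows(SAMPLE_PAGE, "example.org"):
        print(describe(finding))
```

On the sample page the first-party script, the self-posting search form and the inline data: image are all ignored, while the intake form is reported as posting visitor data to docs.google.com; that single line is the kind of finding the text describes, and the question for the consultant is whether that vendor has a BAA or data-processing agreement in place and whether the form needs to go there at all.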
How do I know if a tech consultant actually understands privacy, versus just using the word?
Ask them to walk you through the privacy implications of a specific tool they’re recommending — your website analytics setup, your email platform, or your document storage. A consultant who understands privacy will be able to explain what data is collected, where it goes, what the vendor does with it, and what your exposure looks like if there’s a breach or a legal request. If they can’t answer these questions or treat them as overly technical, they’re using “privacy” as a marketing term rather than a practice.