This article considers the key data protection challenges facing humanitarian organizations providing assistance to refugees, internally displaced persons and migrants. These challenges are particularly significant for several reasons: because data protection has come relatively late to the humanitarian sector; because humanitarian organizations are under pressure to innovate rapidly; because the global communications architecture on which many of these innovations depend is inherently vulnerable to State surveillance; and because States are deploying increasingly sophisticated and coercive means to prevent irregular forms of migration and/or subjecting humanitarian organizations to surveillance and disruption. The first part of the article outlines the fundamental rights challenges presented by contemporary data-driven migration control paradigms. The second outlines concerns about "data-driven humanitarianism" and "mass surveillance" to show how humanitarian organizations risk inadvertently exacerbating these problems. The third assesses specific data protection challenges that humanitarian organizations face and the policies and practices they have developed in response. The article concludes with some brief observations on the technical and political dynamics shaping their efforts to comply with their legal and ethical obligations, and calls for the sector to work together to extend data protection norms and outlaw cyber-attacks by State actors.