How GDPR Applies to Charities and NPOs

Between fundraising, events, and charitable giving, non-profit organizations (NPOs) collect a ton of personal information, which makes them just as obligated as any other EU company to comply with GDPR.

Because marketing is such an important part of fundraising efforts, charities will have to pay special attention to the rights of their supporters and donors, and respect their wishes, since those supporters may withdraw their consent to receive communications at any time.

The enactment of GDPR reiterates the four conditions that need to be present in order for consent from supporters to be valid:

  1. Consent must be freely given: The individual must consent without pressure, and they don’t have to give unnecessary details in order to donate or participate in an event.
  2. Consent must be informed: Communication must be very clear about what is being asked of them, and how they opt in or out.
  3. Consent must be specific: An individual’s consent for one specific occasion can’t be applied to future instances, and can’t be changed later without further approval.
  4. Consent must be indicated by a positive action: An individual must tick a box, click “yes,” or complete a form to indicate consent. Inaction cannot count as consent.

To avoid fines, charities need to start thinking about how they’ll ensure that supporters and donors aren’t contacted once they’ve withdrawn consent or have objected to the charity’s use of their information.

Now is a good time for non-profits to begin embedding privacy by design into all business processes with regard to how systems store and process their supporters’ and donors’ data.

There are a few platforms that can help get you on the right track:

  • CRM systems will help keep your lists organized, and will make it easy to remove those who’ve revoked consent so they no longer receive communications from you
  • Compliance software that operationalizes data protection and can streamline your privacy initiatives to get all departments (HR, operations, marketing, etc.) aligned on your efforts
  • Security/IT software that can assess your current standards to see where there are gaps in security that could leave your organization vulnerable to risks

GDPR’s penalties are the same for any company, regardless of whether or not they are doing charitable work, so it’s best not to wait too long to prepare. Major data breaches could result in fines of 4% of your global turnover (or €20M).

The time to start thinking about this is today: slow and steady will ensure that non-profits have nothing to worry about by the time May 2018 rolls around.