How GDPR applies to charities and NPOs

September 29, 2016

Between fundraising, events, and charitable giving, non-profit organizations (NPOs) collect a great deal of personal information, which makes them just as obligated to comply with GDPR as any commercial organization that handles the personal data of people in the EU.

Because marketing is such an important part of fundraising, charities will have to pay special attention to the rights and wishes of their supporters and donors, who may withdraw their consent to receive communications at any time.

GDPR restates the four conditions that must all be met for a supporter's consent to be valid:

  1. Consent must be freely given: The individual must agree without pressure, and must not be asked for unnecessary details in order to donate or take part in an event
  2. Consent must be informed: Communication must be very clear about what is being asked of them, what their data will be used for, and how they opt in or out
  3. Consent must be specific: Consent given for one particular purpose or occasion can't be applied to other purposes or future instances, and the scope can't be widened later without further approval
  4. Consent must be indicated by a positive action: An individual must tick a box, click “yes,” or complete a form to indicate consent. Silence, pre-ticked boxes or inactivity do not count.

To avoid fines, charities need to start thinking about how they’ll ensure that supporters and donors aren’t contacted once they’ve withdrawn consent or have objected to the charity’s use of their information.

Now is a good time for non-profits to begin embedding privacy by design into all business processes with regard to how systems store and process their supporters’ and donors’ data.
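One way to make the four conditions above, and the withdrawal requirement, concrete in a system design is a small consent ledger: an append-only record, scoped per purpose, that only accepts affirmative actions and keeps the wording the supporter was shown. The Python below is an added example written for this page, not code from the original post or from any vendor product; the purpose names, the set of accepted actions and the supporters in the sample data are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Iterable, Optional

# Assumption: these are the only ways a supporter can positively indicate
# consent. Pre-ticked boxes, silence and inactivity are therefore rejected.
AFFIRMATIVE_ACTIONS = {"ticked_box", "clicked_yes", "submitted_form"}


@dataclass(frozen=True)
class ConsentEvent:
    supporter_id: str
    purpose: str        # one specific use, e.g. "email_newsletter" (assumed name)
    granted: bool       # True = opt-in, False = withdrawal or objection
    at: datetime
    evidence: str       # the exact wording the supporter was shown, or "withdrawal"
    action: str         # how they indicated it


class ConsentLedger:
    """Append-only record of opt-ins and withdrawals, scoped per purpose."""

    def __init__(self) -> None:
        self._events: list[ConsentEvent] = []

    def record_opt_in(self, supporter_id: str, purpose: str, evidence: str,
                      action: str, at: Optional[datetime] = None) -> None:
        # Condition 4: consent needs a positive action; there is no default "yes".
        if action not in AFFIRMATIVE_ACTIONS:
            raise ValueError(f"{action!r} is not a positive indication of consent")
        # Condition 2: keep what was asked so the consent can be shown to be informed.
        if not evidence.strip():
            raise ValueError("consent must be informed: record what was asked")
        self._events.append(ConsentEvent(supporter_id, purpose, True,
                                         at or datetime.now(timezone.utc),
                                         evidence, action))

    def record_withdrawal(self, supporter_id: str, purpose: str,
                          at: Optional[datetime] = None) -> None:
        # Withdrawal needs no justification and is always accepted.
        self._events.append(ConsentEvent(supporter_id, purpose, False,
                                         at or datetime.now(timezone.utc),
                                         "withdrawal", "withdrawal"))

    def has_consent(self, supporter_id: str, purpose: str) -> bool:
        # Condition 3: only events for this exact purpose count, so consent to one
        # use never carries over to another. The most recent event wins, and a
        # supporter with no recorded opt-in has no consent.
        latest: Optional[ConsentEvent] = None
        for e in self._events:
            if e.supporter_id == supporter_id and e.purpose == purpose:
                if latest is None or e.at >= latest.at:
                    latest = e
        return latest is not None and latest.granted

    def recipients(self, supporter_ids: Iterable[str], purpose: str) -> list[str]:
        # Suppression check to run before every send for the given purpose.
        return [s for s in supporter_ids if self.has_consent(s, purpose)]


def build_sample_ledger() -> ConsentLedger:
    """Constructed sample data for the example; these are not real supporters."""
    t0 = datetime(2017, 1, 10, tzinfo=timezone.utc)
    ledger = ConsentLedger()
    ledger.record_opt_in("alice", "email_newsletter",
                         "Tick to receive our monthly newsletter by email", "ticked_box", t0)
    ledger.record_opt_in("bob", "email_newsletter",
                         "Tick to receive our monthly newsletter by email", "ticked_box", t0)
    # Bob later unsubscribes; the newer event overrides his earlier opt-in.
    ledger.record_withdrawal("bob", "email_newsletter",
                             datetime(2017, 3, 1, tzinfo=timezone.utc))
    # Carol consented to event reminders only; that does not cover the newsletter.
    ledger.record_opt_in("carol", "event_reminders",
                         "Yes, remind me about the fun run by email", "clicked_yes", t0)
    return ledger


def newsletter_recipients(ledger: ConsentLedger) -> list[str]:
    # Dave has never opted in, Bob withdrew, Carol consented to something else.
    return ledger.recipients(["alice", "bob", "carol", "dave"], "email_newsletter")


def pre_ticked_box_is_rejected(ledger: ConsentLedger) -> bool:
    try:
        ledger.record_opt_in("dave", "email_newsletter", "Receive updates", "pre_ticked_box")
    except ValueError:
        return True
    return False
```

The design choice worth copying is that the ledger never deletes anything: a withdrawal is a new event, so the organization can later show both when consent was given (and against what wording) and when it was withdrawn, which is what a supervisory authority or a complaining supporter will ask for. Every outbound campaign should go through a `recipients()`-style filter at send time rather than relying on a list exported earlier.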

There are a few platforms that can help get you on the right track:

  • CRM systems will help keep your lists organized, and will make it easy to remove those who've revoked consent so they no longer receive communications from you
  • Compliance software that operationalizes data protection and can streamline your privacy initiatives to get all departments (HR, operations, marketing, etc.) aligned on your efforts
  • Security/IT software that can assess your current standards to see where there are gaps in security that could leave your organization vulnerable to risks

GDPR's penalties are the same for any organization, regardless of whether or not it is doing charitable work, so it's best not to wait too long to prepare. Infringements of the core principles, including the conditions for consent described above, carry fines of up to €20M or 4% of global annual turnover, whichever is higher; failures of the security and breach-notification obligations fall into a lower tier of up to €10M or 2%.

The time to start thinking about this is today. Slow and steady will ensure that non-profits have nothing to worry about by the time May 2018 rolls around.
