How GDPR Impacts Charities and Nonprofits: Managing Donor Data
The General Data Protection Regulation (GDPR), enacted by the European Union (EU) in May 2018, was designed to give individuals greater control over their personal data and to streamline data privacy laws across Europe. While its primary focus was on large corporations and their often opaque data practices, the regulation extends to all organisations handling EU residents’ data, including charities and nonprofits. For purpose-driven entities that often operate on tight budgets and depend heavily on donor relationships, GDPR has fundamentally reshaped how they interact with and manage personal information.
Understanding GDPR in the Context of Charity Work
GDPR was created in response to growing concerns about data exploitation in an increasingly digital world. For charities and nonprofits, this means a shift from assuming that donor data is free to use for good causes to treating it with the same level of care and respect as commercial data controllers must. While these organisations may not enjoy the same attention as well-known corporations, they must still adhere to the law, facing the same potential fines for non-compliance.
The new regulation has placed an emphasis on transparency and accountability. Charities must be clear about what information they’re collecting, how it’s being used, and why it’s essential. Many nonprofits rely on data from donors and beneficiaries to understand their community, tailor their strategies, and secure funding. However, under GDPR, even the most altruistic purposes must not outweigh an individual’s right to privacy.
Implications of GDPR for Donor Data
Given the strong reliance of charities on financial contributions, donor data is arguably one of the most critical types of information that nonprofits manage. GDPR has specifically impacted how this data is collected, stored, and processed. Below are several considerations charities need to be aware of:
1. Lawful Basis for Processing Data
Under GDPR, organisations cannot process personal data without a clear lawful basis. Nonprofits must determine which lawful basis applies to their activities. In most cases, the appropriate basis will either be “consent” or “legitimate interests.”
If the charity relies on consent, it must be specific, informed, freely given, and unambiguous. Donors have to opt in voluntarily, meaning that pre-ticked boxes or vague consent forms no longer suffice. Organisations relying on legitimate interests must ensure that their activities do not override the fundamental rights and freedoms of donors and must balance their operational needs against privacy protection.
2. Rights of the Individual
GDPR grants individuals new and enhanced rights that directly impact how charities manage donor data. These include the right to access their personal data, the right to rectification, the right to erasure (commonly referred to as the “right to be forgotten”), and the right to data portability. Nonprofits must be prepared to comply with such requests promptly, which involves developing systems and processes to locate, export and delete donor data effectively.
For instance, if a long-time donor requests to have all of their data erased from the organisation’s records, the charity must ensure processes are in place to securely delete all related information, including donor profiles, email lists, and historical contributions.
3. Data Minimisation and Retention
One of the core principles of GDPR is data minimisation, which asks organisations to collect only the data they truly need. Charities often collect detailed information about donors—ranging from names and addresses to phone numbers, donation history, and even personal lifestyle preferences. Under GDPR, they need to question whether every piece of data collected is truly necessary.
Additionally, GDPR discourages the indefinite retention of personal information. Charities must determine appropriate data retention periods and commit to deleting or anonymising information that is no longer required. For example, retaining donor data indefinitely “just in case” could result in a breach of the regulation.
4. Enhanced Security Measures
Given the rise in cyber threats and data breaches, the GDPR demands robust security measures to protect personal information. Charities cannot afford to assume that their size or nonprofit status exempts them from cyberattacks. Ensuring strong data encryption, regularly updating software, and conducting risk assessments are simple but effective methods for securing donor data.
This is particularly important because, in the event of a data breach, GDPR requires organisations to report the breach to the relevant supervisory authority within 72 hours of becoming aware of it and, depending on the severity, to the individuals affected. For nonprofits already stretched thin on resources, such incidents can not only be financially draining but also negatively impact their reputations.
Steps Charities Can Take to Ensure Compliance
Nonprofits may not have the same resources as large corporations, but they can—and must—take proactive steps to align their data practices with GDPR requirements. Doing so ensures continued trust from donors while mitigating legal and financial risks. Here are some steps that can help:
1. Conduct a Data Audit
The first step is to understand your current situation. Conduct a thorough audit of all donor data your organisation holds to identify what type of data is being collected and why. Pay special attention to where data is stored and the purposes it serves. Is there any data you no longer need? Are there records without clear consent or justification for retention? Answering these questions will help you understand gaps in compliance.
2. Revisit Consent Policies
Updating consent procedures to meet GDPR standards is imperative. Ensure any opt-in processes for newsletters, communications, or donation appeals are clear and transparent. Avoid bundling consent for multiple activities—donors should be able to choose what they are opting into. In addition, ensure you have a process for recording and managing these consents.
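The steps above (auditing what is held, recording consent per purpose, enforcing a retention period, and honouring an erasure request) can be modelled in a few dozen lines. The following is an added example written for this article, not code from any charity CRM or fundraising product; it uses a hypothetical in-memory store, constructed sample donors, and assumes that contribution amounts are kept for accounting after a donor is erased, so it anonymises those records rather than deleting the amounts.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, datetime, timedelta


@dataclass
class Consent:
    """One purpose per record, so a donor can opt in to the newsletter
    without also opting in to phone appeals (no bundled consent)."""
    purpose: str
    granted: bool
    recorded_at: datetime
    source: str  # which form and policy version the donor actually saw


@dataclass
class Donation:
    donor_id: str | None  # None once the donor has been erased
    made_on: date
    amount: float


@dataclass
class Donor:
    donor_id: str
    name: str
    email: str
    created_on: date
    phone: str | None = None
    consents: list[Consent] = field(default_factory=list)


class DonorStore:
    """Hypothetical in-memory stand-in for a charity's donor database."""

    def __init__(self) -> None:
        self.donors: dict[str, Donor] = {}
        self.donations: list[Donation] = []
        self.mailing_lists: dict[str, set[str]] = {}  # list name -> e-mails

    def add_donor(self, donor: Donor) -> None:
        self.donors[donor.donor_id] = donor

    def record_consent(self, donor_id: str, purpose: str, granted: bool,
                       source: str, when: datetime) -> None:
        # Append-only log: shows what the donor agreed to, when, and on which form.
        self.donors[donor_id].consents.append(Consent(purpose, granted, when, source))

    def has_consent(self, donor_id: str | None, purpose: str) -> bool:
        # Default is "no": an absent record never counts as consent (no pre-ticked boxes).
        donor = self.donors.get(donor_id) if donor_id else None
        if donor is None:
            return False
        relevant = [c for c in donor.consents if c.purpose == purpose]
        return bool(relevant) and max(relevant, key=lambda c: c.recorded_at).granted

    def record_donation(self, donor_id: str, made_on: date, amount: float) -> None:
        self.donations.append(Donation(donor_id, made_on, amount))

    def subscribe(self, list_name: str, donor_id: str) -> bool:
        # Refuses to add an address to a list the donor has not opted in to.
        if not self.has_consent(donor_id, list_name):
            return False
        self.mailing_lists.setdefault(list_name, set()).add(self.donors[donor_id].email)
        return True

    def audit_mailing_lists(self) -> dict[str, list[str]]:
        """Data-audit helper: list members with no matching consent on record."""
        by_email = {d.email: d.donor_id for d in self.donors.values()}
        findings: dict[str, list[str]] = {}
        for list_name, members in self.mailing_lists.items():
            bad = sorted(e for e in members if not self.has_consent(by_email.get(e), list_name))
            if bad:
                findings[list_name] = bad
        return findings

    def last_activity(self, donor_id: str) -> date:
        donor = self.donors[donor_id]
        dates = [donor.created_on]
        dates += [d.made_on for d in self.donations if d.donor_id == donor_id]
        dates += [c.recorded_at.date() for c in donor.consents]
        return max(dates)

    def erase(self, donor_id: str) -> dict[str, int]:
        """Handle an erasure request: delete the profile and mailing-list entries,
        and unlink contribution records so the amounts remain but identify nobody."""
        donor = self.donors.pop(donor_id)
        lists_removed = 0
        for members in self.mailing_lists.values():
            if donor.email in members:
                members.discard(donor.email)
                lists_removed += 1
        anonymised = 0
        for d in self.donations:
            if d.donor_id == donor_id:
                d.donor_id = None
                anonymised += 1
        return {"profiles_deleted": 1, "mailing_lists_removed": lists_removed,
                "donations_anonymised": anonymised}

    def apply_retention(self, today: date, max_inactive_days: int) -> list[str]:
        """Erase donors inactive for longer than the retention period instead of
        keeping their records indefinitely 'just in case'. Returns erased ids."""
        cutoff = today - timedelta(days=max_inactive_days)
        stale = [i for i in self.donors if self.last_activity(i) < cutoff]
        for donor_id in stale:
            self.erase(donor_id)
        return stale

    def total_raised(self) -> float:
        return sum(d.amount for d in self.donations)


def build_sample_store() -> DonorStore:
    """Constructed sample data: one donor with proper consent, one legacy record
    that was imported onto a mailing list without any consent on file."""
    store = DonorStore()
    store.add_donor(Donor("alice", "Alice Example", "alice@example.org", date(2023, 1, 10)))
    store.record_consent("alice", "newsletter", True, "web-form-v2", datetime(2023, 1, 10, 9, 30))
    store.record_donation("alice", date(2023, 2, 1), 100.0)
    store.subscribe("newsletter", "alice")
    store.add_donor(Donor("bob", "Bob Example", "bob@example.org", date(2019, 5, 1)))
    store.record_donation("bob", date(2019, 5, 1), 50.0)
    store.mailing_lists["newsletter"].add("bob@example.org")  # legacy import, no consent
    return store


if __name__ == "__main__":
    s = build_sample_store()
    print("audit findings:", s.audit_mailing_lists())
    print("erased by retention:", s.apply_retention(date(2024, 6, 1), 3 * 365))
    print("erasure report:", s.erase("alice"), "total still raised:", s.total_raised())
```

The consent log is append-only so the charity can show which form version a donor saw and when; `has_consent` treats a missing record as "no", which is what rules out pre-ticked boxes. The audit finds the legacy address on the list with no consent behind it, the retention pass removes the donor who has been inactive longer than the configured period, and the erasure report gives the numbers needed to confirm to the donor what was removed.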
3. Create a Data Privacy Policy
A visible and easily understandable data privacy policy isn’t just a legal requirement—it also reassures donors that your organisation values their privacy. The policy should outline the types of data collected, the purposes for collection, how data will be stored and processed, and the rights individuals have over their information.
4. Train Staff and Volunteers
Employees and volunteers interact with donor data in various capacities, so it’s essential that they are well-versed in GDPR guidelines. Provide training to ensure they understand the importance of protecting personal data, the processes they must follow, and how to handle data access or deletion requests.
5. Appoint a Data Protection Officer
Charities handling large volumes of sensitive data may need to appoint a Data Protection Officer (DPO) to oversee compliance. This person acts as the point of contact for data protection issues and provides guidance on best practices. While smaller charities may not be legally required to appoint a DPO, having someone responsible for GDPR can greatly reduce compliance risks.
6. Partner with GDPR-Compliant Vendors
If your organisation uses third-party tools or services—such as fundraising platforms, email marketing providers, or cloud storage solutions—ensure these partners are also GDPR-compliant. Vendor data breaches can affect your donors, and ultimately, your organisation could bear the responsibility unless you’ve ensured their compliance.
Balancing Privacy with Operational Needs
GDPR compliance adds layers of complexity to collecting and managing donor information, but it also fosters deeper trust between organisations and their supporters. Charities and nonprofits depend on meaningful, long-term relationships with donors, and respecting their right to privacy enhances their experience. Treading the fine line between operational needs and privacy rights requires careful planning, adequate resource allocation, and a commitment to ongoing learning.
While GDPR compliance may initially seem like an administrative burden, approaching it as an opportunity to strengthen transparency and accountability can yield long-term benefits. By taking steps today to establish GDPR-aligned data practices, charities and nonprofits can future-proof their operations, safeguard their reputations, and continue to thrive in a world increasingly focused on data protection.