Changes in GDPR for Not-For-Profit Organisations

Compliance with GDPR will help a not-for-profit organisation to fulfil their moral and legal obligation to protect data while helping reduce any fines that could come their way.

The majority of charitable and not-for-profit organisations hold a large variety of data. Much of the data is personal such as names and addresses of supports, subscribers and members. It will also contain sensitive data such as race, ethnicity, religious beliefs, sexual preferences and health records including physical and mental records, along with criminal records as well.

Organisations that collect, store or process data are responsible for meeting the standards of GDPR data protection and are answerable to the lead supervisory authority. The Independent Fundraising Regulator will incorporate the GDPR’s relevant requirements into the Code of Fundraising Practice.

At the moment the code, in its current form exceeds existing legal requirements, charities must not sell any members, supports, and subscriber’s data and may only be shared with third-party organisations with the individual’s explicit consent.

If a not-for-profit organisation already follows the Code of Fundraising Practice, then they should be in a good place to comply with GDPR standards.

Is your organisation prepared for GDPR?

Start preparing for GDPR with a risk assessment and provide all employees with data protection.

Who is in charge of your organisation’s GDPR?

Clear establish ownership within your organisation needs to be set along with assessing the need for any additional support.

What type of data do you process and where is it stored?

It is very likely that your organisation will processes a large amount of data. It’s important that you know where it is, how it is stored and who is accessing it.

Does your organisation work with children?

Children who are under the age of 13 cannot give consent for their data to be processed though consent can be acquired on behalf of children aged under 16 and over 13.

What if the organisation doesn’t carry out fundraising activities?

GDPR doesn’t apply to just fundraising but to any and all activity that involves the processing of personal data, such as campaign and volunteer databases.

How do you contact supports at the moment?

You will need explicit ‘opt-in’ consent to contact supporters by email, automated calls, SMS and calls to those on the preferred to be contacted by Telephone option.

Who is accountable?

When new projects arise, carry out privacy impact assessments and update your privacy notes, consents and rights for individuals.

Do you have consent to contact your existing database?

You must be efficient when managing individual’s preferences. Make sure to make it clear how they opt in to be contacted and how their data is handled for future contact. Provide an opportunity to opt-out of anything that supporters might wish to not take part in.

Do you have any gaps in recruitment to fill?

Can your team cope when a flood of information is requested? All your team must be able to cope with the legislation’s procedural changes.

What to do in the event of a data breach?

You must report a data breach within 72 hours to your lead supervisory authority.


Download and follow our new GDPR Guide here