As a charity manager with over a decade of experience in data protection, I’ve seen firsthand how the General Data Protection Regulation (GDPR) has reshaped the way UK charities approach donor management. When GDPR came into effect in May 2018, it was not just another piece of legislation to be crossed off the compliance checklist. It was a paradigm shift that demanded a deeper understanding and a more respectful and transparent approach to handling donor data.
For charity trustees, the stakes are high, as the Information Commissioner’s Office can impose fines of up to £17.5 million or 4% of annual global turnover, whichever is higher. While the largest penalties are usually reserved for the most serious breaches, even relatively modest fines can be financially crippling for charities operating with limited resources. However, even more damaging to your charity in the long term can be the erosion of trust with your donors if your charity suffers a data breach or non-compliance.
In this ever-evolving regulatory landscape where public confidence in charities is increasingly under the microscope, a single misstep in terms of GDPR compliance can undo years of trust-building and reputational work. In my journey to support various charities, I have come to understand that GDPR is not just a legal framework but also a new ethos that underpins a respectful and donor-centric approach to data processing.
Despite the clear emphasis on privacy and control from the regulator, I’ve encountered many trustees who are still uncertain about the exact obligations when it comes to GDPR-compliant donor management systems. This confusion is understandable given the complexities of the regulation and the unique nature of charitable fundraising. Unlike commercial businesses with their customers, charities have a more complex network of donors, beneficiaries, volunteers, and other stakeholders with various data protection issues.
In this article, we will delve deeper into the GDPR, particularly as it applies to the donation management process in charities. We’ll explore the key principles of the GDPR that affect how you collect, store, and use supporter data, and how you can put these principles into practice in your charity.
Understanding GDPR and its Implications for Charitable Fundraising
GDPR stands for the General Data Protection Regulation. It is a comprehensive data protection law that came into force in the UK in May 2018 to protect individuals’ personal data and privacy. One of GDPR’s central tenets is that individuals should have control over their personal data, which is defined broadly to include anything that can be used to identify a person.
For charities, this means that every piece of donor data you hold, from basic contact details to complex wealth screening information, needs to be processed in compliance with the strict legal requirements set out by GDPR. The regulation establishes six lawful bases for processing personal data, but for most fundraising activities the relevant bases are consent and legitimate interests.
Consent under GDPR is more stringent than many charity managers initially realised. It must be freely given, specific, informed, and unambiguous. This means that pre-ticked boxes, implied consent, and blanket permissions are no longer acceptable. Donors must actively opt in to communications and need to understand exactly what they’re consenting to. Furthermore, consent is not a one-time event; it can be withdrawn at any time, and the process for doing so must be as easy as the process for giving consent.
The legitimate interests basis offers more flexibility, but it still requires careful consideration. Charities can process donor data for fundraising purposes based on legitimate interests but only after conducting a rigorous balancing test that weighs the charity’s interests against the donor’s rights and freedoms. This balancing test must be documented and regularly reviewed, particularly as fundraising strategies and techniques evolve.
If the data in question is considered sensitive, such as political opinions, religious beliefs, health conditions, or ethnic origin, the regulation then categorises it as special category data, also known as sensitive data. Many charities collect this sensitive personal information as a means of building up a detailed understanding of their supporters, and tailoring communications to their preferences. Processing special category data can be very valuable for charitable fundraising, but it also requires more robust safeguards than regular data processing activities.
GDPR Pitfalls to Avoid when Managing Donor Data
Over the years working with a range of charities, I have identified the following common pitfalls that trustees should look out for. First and foremost, trustees should be aware that historical donor relationships do not provide a legal basis for continued data processing under GDPR. Many charities found this to be the case and were forced to embark on large-scale re-consent campaigns, which reduced their contactable supporter database by up to 50%.
Charities should be careful not to share donor data internally between teams without an appropriate legal basis. Within the charity, various teams may work with different parts of your supporter base. You will need to ensure that any personal data transfers between these teams have an appropriate legal basis. This can also include data sharing between your charity and other charities, commercial fundraising agencies, or other service providers. Robust data sharing agreements with third parties that set out the legal basis for sharing, and security responsibilities, can help you manage your obligations in these cases.
Trustees should be aware that GDPR requires that you only keep supporter data for as long as you need it to fulfil the purpose for which you collected it. I have heard many charities state in the past that they should keep all their donor data as it is ‘valuable’ for relationship management and strategic planning. However, such data retention policies are no longer permitted under GDPR, unless you can clearly justify and document them.
Wealth screening and prospect research are very popular with many charities, yet can easily trip charities up under GDPR. If you are enhancing donor data records with publicly available information or third-party data sets, it is important to know that donors are unlikely to be aware of this, and GDPR requires that you set out a clear legal basis for processing.
The handling of deceased donor data is one of the more nuanced GDPR areas, and one that many charities get wrong. Although GDPR doesn’t technically apply to deceased donors, the regulation’s spirit and the expectations of bereaved families require sensitive handling of this information, especially when it comes to legacy fundraising.
Before you can put the appropriate compliance processes in place, it is important that your charity conducts a thorough audit of all data processing activities it undertakes for donor management. This includes mapping every instance where donor data is collected, from online donation forms and event registrations to telephone fundraising and direct mail recruiting. Each of these data collection points should be carefully assessed for GDPR compliance in terms of transparency and lawful basis.
Your data audit should include all systems and platforms where donor data is stored or processed. This includes your core charity management system as well as all email marketing platforms, event management tools, social media advertising interfaces, and any cloud storage solutions. You will likely be surprised at the extent of your data ecosystem and the number of third-party processors with access to donor information.
Privacy notices are a crucial element of GDPR-compliant data processing, so they should be a key part of your data audit. Privacy notices should be scrutinised to ensure they are clear, comprehensive, and provided in plain English. The notice should clearly articulate what data is collected, why it’s necessary, how it will be used, who it will be shared with, and for how long it will be retained. Notice language should be jargon-free and accessible to supporters from all walks of life.
Documentation relating to staff training should also be part of your audit. GDPR compliance is not just a technical issue but a cultural one that requires data protection awareness throughout your charity. You will need to ensure that all staff members who are handling donor data understand their role and the potential implications of non-compliance. This includes not only fundraising staff but also administrative staff, volunteers, trustees, and temporary workers.
GDPR requires you to have robust incident response procedures in place, so this should also be included in your audit. Data breaches can still happen despite best efforts. GDPR requires certain breaches to be reported to the Information Commissioner’s Office within 72 hours of them being identified. Robust detection, assessment, and response procedures are critical to minimise both regulatory and reputational fallout.
GDPR-Compliant Charity Management Systems
Selecting and setting up a charity management system is one of the most important decisions trustees make around GDPR. A robust, GDPR-compliant non-profit CRM will provide the tools for managing consent, tracking processing activities, and supporting supporter rights. However, not all charity management systems are equal, and trustees will need to assess them against the charity’s needs.
Consent management should be central to any GDPR-compliant charity management system. The system should allow supporters to provide granular consent, so they can independently opt in or out of different types of communications and activities. For example, a donor might consent to receiving fundraising emails but not postal mailings, or they might be comfortable with receiving telephone calls but not SMS texts. The system should also maintain a complete audit trail of all consent changes, including when and how consent was given or withdrawn.
Data subject rights functionality should be another key feature to consider. GDPR grants several rights to individuals regarding their personal data, including the right to access, rectify, erase, restrict processing, and data portability. A compliant charity management system should enable the efficient handling of these requests, where possible through automation. The system should be able to produce complete reports of all data held on an individual and provide easy mechanisms for updating or deleting data.
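The granular, auditable consent record and the subject access report described in the two paragraphs above can be sketched as a small append-only ledger. This is an added illustration, not code from any CRM product; the channel names and the capture-source labels are assumed for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Assumed channel set for illustration; a real system would configure its own.
CHANNELS = ("email", "post", "telephone", "sms")


@dataclass(frozen=True)
class ConsentEvent:
    """One immutable entry in the consent audit trail."""
    channel: str
    granted: bool      # True = opt in, False = opt out / withdrawal
    source: str        # how consent was captured, e.g. "web_form" (assumed label)
    at: datetime


@dataclass
class ConsentLedger:
    donor_id: str
    events: list = field(default_factory=list)

    def record(self, channel, granted, source, at_iso=None):
        """Append a consent change; earlier entries are never edited or removed."""
        if channel not in CHANNELS:
            raise ValueError(f"unknown channel: {channel}")
        at = datetime.fromisoformat(at_iso) if at_iso else datetime.now(timezone.utc)
        self.events.append(ConsentEvent(channel, granted, source, at))

    def permits(self, channel):
        """Current permission is the latest event for that channel.
        No event at all means no consent: nothing is implied or pre-ticked."""
        latest = None
        for ev in self.events:
            if ev.channel == channel and (latest is None or ev.at >= latest.at):
                latest = ev
        return latest is not None and latest.granted

    def access_report(self):
        """Everything held on the donor, as needed for a subject access request."""
        return {
            "donor_id": self.donor_id,
            "current": {c: self.permits(c) for c in CHANNELS},
            "history": [
                {"channel": e.channel, "granted": e.granted,
                 "source": e.source, "at": e.at.isoformat()}
                for e in self.events
            ],
        }
```

Because withdrawals are recorded as events rather than by deleting the original opt-in, the ledger can show when and how consent was given and when it was withdrawn, which is exactly what the audit trail above calls for.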
Integration capabilities with other systems and platforms are another important feature that trustees need to scrutinise. Charities often use a range of systems and platforms to manage their operations, and the chosen charity management system needs to integrate with these. While integration offers many operational benefits, each integration point is also a point of vulnerability that needs to be managed carefully, so robust security and clear data processing agreements are required for every one of them.
Reporting and analytics features must be built with privacy by design principles. Charities need analytics and insight into supporter behaviour and campaign performance, but this can be achieved with privacy risks in mind. This could include using data anonymisation techniques, aggregated reporting, or even being more circumspect about what information is truly needed for decision-making.
Security features of the system are another critical aspect that should be carefully evaluated. This includes encryption of data in transit and at rest, access controls, and regular security updates and patches. The system should also provide detailed audit logs that can track all access to and changes made to donor data, enabling you to identify and investigate any suspicious activity.
Key Donor Management Tools for GDPR Compliance
Trustees need to be aware that a robust non-profit CRM can provide a number of useful tools for GDPR compliance. Consent management is a must-have feature in any GDPR-compliant system. The CRM system should allow for granular consent tracking, so donors can independently opt in or out of different types of communications and activities.
Robust data subject rights functionality should be provided as part of your non-profit CRM system. GDPR grants individuals the right to access, rectify, erase, restrict processing, and data portability, and a compliant system should enable the efficient handling of these requests where possible through automation.
Trustees should also look for good integration capabilities with other systems and platforms their charity uses. Robust security features are a critical aspect of a GDPR-compliant system. This includes data encryption in transit and at rest, access controls, and regular security updates and patches.
Trustees should also expect detailed audit logs from their charity management system. Audit logs are an essential tool for monitoring access to and changes made to donor data, which can help you to detect and investigate any suspicious activity.
Privacy by design principles should be a key consideration for trustees when choosing a non-profit CRM system. This means that privacy has been considered at every stage of the product’s development, from initial design through implementation to day-to-day operation, rather than bolted on afterwards.
Building a Data Protection Culture within Your Charity
GDPR compliance is not just a technical issue to be resolved with the right software and procedures; it’s a cultural shift that must be embedded within the charity. This cultural shift begins with the trustees and needs to be championed by the board, demonstrating a commitment to data protection and privacy at the highest level.
Charity trustees should consider regular data protection training for all staff who handle donor data as part of their GDPR compliance strategy. Training should be comprehensive, ongoing, and tailored to the different roles and responsibilities within the charity. For example, fundraising teams will need detailed understanding of consent requirements and the lawful basis for processing, while administrative teams might focus more on data security and access controls. Training should be practical, scenario-based, and help staff to understand how the GDPR principles apply to their day-to-day activities.
Trustees might also consider appointing a Data Protection Officer (DPO), although this is not a legal requirement for most charities. A DPO can provide expert advice, monitor compliance, and serve as a point of contact for data protection authorities. Even smaller charities can benefit from designating a staff member or trustee with specific responsibility for data protection.
Finally, trustees should be aware that GDPR is not a set-and-forget regulation. Regular review and updating of policies and procedures will be required to ensure they keep pace with any changes in your charity’s activities or the regulatory environment. Privacy notices, for example, should be reviewed annually or whenever there are significant changes in data processing activities. Staff should also be reminded of their data protection responsibilities on an ongoing basis through regular communications and refresher training sessions.
Testing your incident response procedures through simulated breach scenarios is another best practice that trustees should be aware of. This will help you to identify any weaknesses in your procedures and ensure staff know how to act swiftly and appropriately in the event of a real incident. Any lessons learnt during these tests should be fed back into updated procedures and training.
Conclusion
GDPR has fundamentally changed how charities manage donor data, placing a much greater emphasis on transparency, accountability, and individual control over personal data. Trustees who can navigate these changes and build a robust data protection culture within their charity will not only ensure compliance with the GDPR but also enhance their relationships with donors, potentially leading to more effective fundraising and engagement.
However, trustees need to be aware that GDPR is not just a technical issue to be resolved with the right software and procedures; it’s a cultural shift that needs to be embedded within the charity. This shift starts with the trustees themselves and must be championed by the board, showing a commitment to data protection and privacy at the highest level.
Trustees should also consider investing in regular data protection training for all staff members who handle donor data, ensuring that training is comprehensive, ongoing, and role-specific. Designating a Data Protection Officer (DPO), although not legally required for most charities, can also be a beneficial step. Even smaller charities can benefit from assigning a staff member or trustee with specific responsibility for data protection.
Finally, trustees should remember that GDPR is not a one-time project; it’s an ongoing process. Regular review and updating of policies and procedures will be necessary to keep pace with any changes in the charity’s activities or the regulatory environment. Trustees should encourage staff to regularly remind themselves of their data protection responsibilities through ongoing communications and refresher training.