
1 January 2018

The Data Protection Act Is Dead - What GDPR Means for Charities

How the General Data Protection Regulation replaces the Data Protection Act, and what charities need to do about consent, data profiling, and the right to be forgotten by May 2018.

The General Data Protection Regulation (GDPR) is replacing the Data Protection Act in the UK. All organisations must be compliant by 25th May 2018. Maximum fines can reach €20 million or 4% of annual turnover - whichever is higher.

For charities, GDPR has three key areas of impact.

1. Consent

Organisations must maintain audit trails documenting when, how, and through which channel consent was obtained from each individual on their database.

The regulation eliminates blanket consent in favour of granular permission structures, allowing individuals to specify exactly how their data is used. A single checkbox agreeing to all communications is no longer sufficient.

For charity donor databases, this means:

  • Reviewing existing consent records
  • Identifying supporters who have not given valid GDPR-compliant consent
  • Running re-permission campaigns where necessary before the deadline

2. Data Profiling

Data profiling remains permissible under GDPR but requires individuals to be fully aware of any profiling activities and their potential impact. The regulation sets a high threshold for this practice.

If your organisation uses donor data for wealth screening, prospect research, or behavioural analysis, you need to ensure your privacy notices are clear and your consent records are robust.

3. The Right to Erasure

GDPR grants individuals the legal right to request deletion of their data from both primary holders and any third parties who have received it. Organisations must maintain reliable systems tracking exactly where each person's data has been shared.

This is a significant operational requirement for organisations using multiple data processors, mailing houses, or third-party CRM systems.
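The consent audit trail described under Consent and the share-tracking needed for erasure requests are two views of the same supporter register. The following is an added example, not code from this page or from the DONATE™ team, showing one way to model it: an append-only log of granular consent decisions (so "who lacks valid consent for this purpose" and "re-permission candidates" are simple queries), and a register of every disclosure to a third party, so an erasure request yields the list of processors that must be told to delete. All class and function names are hypothetical, and the supporters S1 to S3 are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional, Set


@dataclass(frozen=True)
class ConsentEvent:
    """One consent decision, recorded exactly as captured (the log is append-only)."""
    subject_id: str
    purpose: str        # granular purpose, never a blanket "all communications"
    granted: bool       # False records a withdrawal
    channel: str        # e.g. "web_form", "paper_form", "phone"
    recorded_at: datetime
    evidence_ref: str   # pointer to the form image or call recording that proves it


@dataclass
class Disclosure:
    """One transfer of a supporter's data to a third party (processor, mailing house, CRM)."""
    subject_id: str
    recipient: str
    purpose: str
    shared_at: datetime
    erasure_requested: bool = False


class SupporterRegister:
    """Hypothetical consent ledger plus data-sharing register (assumed design)."""

    def __init__(self) -> None:
        self._consent_log: List[ConsentEvent] = []
        self._disclosures: List[Disclosure] = []

    def record_consent(self, event: ConsentEvent) -> None:
        self._consent_log.append(event)

    def audit_trail(self, subject_id: str) -> List[ConsentEvent]:
        """Every consent decision for one supporter, in the order recorded."""
        return [e for e in self._consent_log if e.subject_id == subject_id]

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        """Latest decision for this subject and purpose wins; no record means no consent."""
        latest: Optional[ConsentEvent] = None
        for e in self._consent_log:
            if e.subject_id == subject_id and e.purpose == purpose:
                if latest is None or e.recorded_at >= latest.recorded_at:
                    latest = e
        return latest is not None and latest.granted

    def needing_repermission(self, subject_ids: Iterable[str], purpose: str) -> Set[str]:
        """Supporters to include in a re-permission campaign for one purpose."""
        return {s for s in subject_ids if not self.has_consent(s, purpose)}

    def record_disclosure(self, subject_id: str, recipient: str, purpose: str,
                          when: datetime) -> None:
        """Refuse to share data for a purpose the supporter has not consented to."""
        if not self.has_consent(subject_id, purpose):
            raise PermissionError(f"no valid consent from {subject_id} for {purpose}")
        self._disclosures.append(Disclosure(subject_id, recipient, purpose, when))

    def erasure_request(self, subject_id: str, when: datetime) -> Dict[str, List[str]]:
        """Withdraw every consent the supporter gave and return the third parties
        (with the purposes they received data for) that must now be told to delete."""
        purposes = {e.purpose for e in self._consent_log if e.subject_id == subject_id}
        for p in sorted(purposes):
            self.record_consent(ConsentEvent(subject_id, p, False, "erasure_request",
                                             when, "erasure-ticket"))
        to_notify: Dict[str, List[str]] = {}
        for d in self._disclosures:
            if d.subject_id == subject_id and not d.erasure_requested:
                d.erasure_requested = True
                to_notify.setdefault(d.recipient, []).append(d.purpose)
        return to_notify


def run_demo() -> dict:
    """Constructed sample supporters (not real data) exercising the register."""
    def t(day: int) -> datetime:
        return datetime(2018, 3, day, tzinfo=timezone.utc)

    reg = SupporterRegister()
    reg.record_consent(ConsentEvent("S1", "email_newsletter", True, "web_form", t(1), "form-0001"))
    reg.record_consent(ConsentEvent("S3", "email_newsletter", True, "paper_form", t(1), "scan-0042"))
    reg.record_consent(ConsentEvent("S3", "email_newsletter", False, "phone", t(10), "call-0099"))
    # S2 only ever ticked an old blanket box, so no granular consent event exists for them.
    reg.record_disclosure("S1", "MailingHouseA", "email_newsletter", t(5))
    try:
        reg.record_disclosure("S2", "MailingHouseA", "email_newsletter", t(5))
        blocked = False
    except PermissionError:
        blocked = True
    repermission = reg.needing_repermission(["S1", "S2", "S3"], "email_newsletter")
    notify = reg.erasure_request("S1", t(20))
    return {
        "blocked_share_without_consent": blocked,
        "needing_repermission": repermission,
        "erasure_notify": notify,
        "s1_consent_after_erasure": reg.has_consent("S1", "email_newsletter"),
        "s1_trail_length": len(reg.audit_trail("S1")),
        "second_erasure_notify": reg.erasure_request("S1", t(21)),
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

Two design points carry the regulation's requirements: the consent log is never edited, only appended, so the audit trail shows exactly when and through which channel each decision was captured; and a disclosure cannot be recorded without a current consent for that purpose, so the sharing register is complete by construction and an erasure request can name every recipient that has to be contacted.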

Preparing for Compliance

While GDPR does not mandate centralised data repositories, it makes them highly advisable. All organisations need:

  • Robust, auditable processes for data management
  • Regular staff training on data protection principles
  • Clear documentation of data flows and third-party processors
  • Privacy notices that are transparent and easy to understand

The principle underlying GDPR is straightforward: data control should rest with the individual, not the organisation. Charities that put their supporters' preferences first will find compliance builds rather than undermines trust.

For guidance on GDPR compliance in the context of digital fundraising, contact the DONATE™ team.