GDPR (General Data Protection Regulation) Compliance

Data Collection

"any organization which attracts people to its website and wants to collect data via a form must communicate clearly to that person what the data is going to be used for. The individual will need to give their consent to that use and the consent needs to be clear, in plain English and ‘informed, specific, unambiguous, and revocable’. Data subjects also need to be told about their right to withdraw consent." and "to pre-tick the box on a form to send email, as ‘opt-out consent’ will no longer be permitted under the GDPR." and "if [an organization] decides they want to for a new purpose at any point during the relationship, they’ll need use the data for that new purpose." [1]

"Direct marketing and fundraising communications for email and text require consent under the regulation, but mail and telephone communications can still be lawfully conducted on an opt-out basis provided a charity can justify it under a ‘legitimate interest.’ That legitimate interest essentially allows entities to process individuals’ personal data without affirmative consent, direct marketing being one such interest." and "Profiling donors is not prohibited under current law or the GDPR, ... but organizations must have a lawful basis for profiling and must inform individuals that their data is being used to target them. Individuals must also have the ability to object to such efforts. Charity leaders are adjusting by reviewing and redrafting privacy policies and actively communicating with supporters and prospective supporters with an eye on transparency." [2]

Data Minimisation

"When an organization is collecting data from an individual in order to convert a website visitor into a lead, they must remember that, under the GDPR, they are only permitted to collect data that is adequate, relevant, and limited to what is necessary for the intended purpose of collection. Data collected by the organization which is deemed unnecessary or excessive will constitute a breach of the GDPR." [1]

"The GDPR will likely make it more difficult for organizations to remain in contact with individuals over several years without some sort of reconfirmation that they wish to continue hearing from the charity — passively reading newsletters and emails without an affirmative action such as donating being an example of such a supporter." [2]

Data Storage and Processing

"Once data is collected, the organization needs to ensure it is stored in a secure manner and in accordance with the Security provisions of the GDPR. This means they must use ‘appropriate technical and organizational security measures’ to protect personal data against unauthorised processing and accidental loss, disclosure, access, destruction, or alteration. Depending on the type of data collected and the ways it is being used, companies may need to consider encrypting the data, using pseudonymization or anonymization methods to protect it or segregating the data from other data in their systems." and "Only employees who need to access that data for the intended purpose have access to it and contracts with any vendors touching that data contain the relevant security protections." and "They may need to appoint a data protection officer (DPO) and they’ll also need to ensure they implement a ‘Privacy by Design/Default’ policy, to ensure they’re systematically considering the potential impact that a project or initiative might have on the privacy of individuals. Controllers will have to ensure their vendor contracts are updated so that they include the necessary provisions to protect the data being processed by those vendors on their behalf." [1]

End of the Relationship

"organizations may only hold on to personal data for as long as is necessary to fulfill the intended purpose of collection. So if the relationship is terminated for any reason, they need to ensure they have a data retention policy in place which outlines how long they will retain that individual’s data for and the business justification for holding on to the data for that specified period.

"In drafting their retention policies, organizations will need to consider whether there is any law or regulation which obliges them to hold on to some of that data for specified periods. For example, they may need to retain some financial data for auditing purposes by law. While this is permitted, it should be outlined clearly in their retention policy and made clear to Amy. Again, the principle of transparency is important, even at this stage in the relationship." [1]

"If the individual requests at any time that their data should be deleted, the data controller has to comply with that request and confirm the deletion, not only from their own systems but from any downward vendors’ systems who were processing that data on behalf of the organization." [1]

Updated by Jon Goldberg over 3 years ago · 8 revisions