Fundraising in the age of the GDPR

14th May 2018Blog

Are you ready to get in touch?

Request a Call back

For charities, could the GDPR be a blessing in disguise? In this blog, Northdoor looks at some of the implications of the regulation on fundraising activities, showing how a best-practice approach could improve donor trust and help build stronger relationships.


As the General Data Protection Regulation (GDPR) came into force, many charities are concerned about the potential impact on fundraising. Gathering, storing and using personal information – for example, names, addresses and telephone numbers of donors – makes any organisation a “data processor” under the GDPR. This means that they have new legal obligations relating to personal privacy and data protection, with the potential for stiff financial penalties for non-compliance.

On the one hand, charities want to be able to contact existing supporters, but on the other, they must be confident that any communications do not breach the new regulation. For example, opt-in versus opt-out remains a tricky point: should you contact only those people who have specifically given you permission to do so, or can you contact any existing supporter and give them the opportunity to opt out of future communications?

The answer will vary according to the type of direct marketing undertaken, and according to the way in which consent is gathered – and organisations will need to review their activities carefully in the light of the regulation.

For consent to be valid under the GDPR, it must be specific, informed, freely given and unambiguous. It must also be active and affirmative – the individual must consciously fill a field or check a box – so pre-ticked boxes and “implied consent” should now be a thing of the past for charities.

The need to review email databases and remove any entries where consent is not clear will naturally shrink the pool of available contacts for fundraising drives. But might this be a blessing in disguise? A recent survey suggested that almost half of the public would be happy to receive information about what a charity was doing with their donation, suggesting that the door is still open for the right kind of communications. Even if the total number of contacts is smaller, applying tighter standards around consent should ensure that those who remain on the list are actually genuinely committed to your charity – and therefore more likely to respond positively to new fundraising initiatives.

Of course, fundraising is just one part of a typical charity’s activities, and it is vital also to consider that the GDPR’s requirements span campaigning, marketing, managing volunteers and so on. Trustees, employees and volunteers must all be trained in data stewardship, and charities will also need to ensure that they take appropriate measures around cyber security – especially given the growing use of digital channels.

It’s certainly possible to comply with the GDPR without damaging your fundraising capabilities, but many organisations will lack the skills and time to make the necessary changes alone.

By working with a partner that has both an in-depth knowledge of the regulation and a complete toolkit of software for finding, classifying and protecting personal data on your network, you can keep your focus on making the world a better place while we handle the data.

Read more: Data Protection in the Charity Sector

Our Awards & Accreditations