
1st April 2025
Regardless of the industry you operate in, any UK or European organisation that processes people’s personal data needs to comply with the General Data Protection Regulation (GDPR), and this includes charities and non-profits. Note that ‘processing’ includes collecting, recording, storing, retrieving, analysing, using and deleting personal data.
As a charity, you’re probably storing data on donors, volunteers, service users, members of staff and so on, and you need to make sure you're managing the data of these stakeholders properly.
In this article we’re going to take a closer look at the subject of charity GDPR compliance, what your GDPR policy should cover, and provide a practical checklist.
The two primary data risks for charities are the same as for most organisations: an external data breach, or an inadvertent internal error that results in the accidental or unlawful loss, alteration, destruction or disclosure of personal data.
There are a number of potential things that can lead to these types of breaches. For example:
A GDPR data protection policy is essential for any charity or non-profit organisation that handles personal data.
A data protection policy sets out how data is collected, processed, stored and protected while safeguarding individuals' rights, and for a policy to be fully compliant with GDPR it should cover eight key areas.
Charities must clearly define what personal data they collect, why they collect it, and how it will be used.
This section should outline the legal basis for processing data, such as consent, contractual necessity or legitimate interest. Transparency is crucial, with individuals being informed about data collection practices through clear and unambiguous privacy notices.
A GDPR policy must specify how personal data is stored and protected, including the implementation of appropriate security measures, such as encryption, access controls and secure servers.
Charities should also have a process for regularly reviewing and updating security measures to protect against cyber threats and unauthorised access, whether that’s supported by an internal IT team or third-party cyber security provider.
Under GDPR, individuals have specific rights over their personal data, including the right to access, edit, erase and restrict processing. Your policy should therefore outline how the people whose data you store and process can exercise these rights, providing clear procedures for responding to requests within the legally required timeframe.
If an organisation shares personal data with third parties, such as cloud storage providers or marketing agencies, the policy must explain how these relationships are managed. This includes ensuring that third-party processors are also complying with GDPR requirements through data processing agreements and adequate security measures.
A GDPR policy should detail how long personal data is retained and the criteria used to decide what period of time is reasonable and appropriate.
The policy should also include procedures for securely deleting data when it is no longer needed, ensuring compliance with the principle of data minimisation.
Even with the best preventive efforts, a data breach can sometimes still occur. If one does, organisations must act quickly to contain it, minimise potential harm and fix the weakness that led to the breach.
A GDPR policy should therefore outline how data breaches are detected, reported and investigated, and specify when and how affected individuals and regulatory authorities will be notified, in line with GDPR requirements.
Employees and volunteers working for the charity play a key role in data protection, so training should be a core part of any GDPR policy.
Staff need to be educated on data protection principles, security protocols and how to handle personal data responsibly. The policy should also define who is ultimately responsible for ensuring compliance, whether that’s a dedicated Data Protection Officer (DPO) or someone with a different role in the organisation.
Finally, GDPR compliance is an ongoing process, so data protection policies must be reviewed and updated regularly. This ensures that any changes in legislation, business practices or technology are reflected in the policy, and makes it more likely that the charity stays compliant with the law while minimising the chances of a data breach.
Follow the below checklist, based on the EU’s own guidance, to help you secure your organisation, protect stakeholder data and avoid penalties for failing to comply.
Protecting the data of stakeholders and ensuring the proper management of consent is essential for charitable organisations and non-profits, particularly those that operate in the UK or EU and fall under the remit of GDPR.
To find out more about how ResourceSpace is the ideal Digital Asset Management solution for charities, including how it supports digital rights management, get in touch with the team today. Alternatively, you can book a free product demo below and see the relevant functionality in action.