General Data Protection Regulation (GDPR) & Nonprofits

In effect since late May, the General Data Protection Regulation (GDPR) has already had a dramatic effect on businesses and organizations all around the globe. From fines to large tech companies, to discussions around how GDPR relates to US-based nonprofits, these regulations are often misunderstood—but they don’t have to be!

Did You Know? Just like GDPR, at Charities Review Council we have a fundamental belief that transparency can inspire donor confidence and trust. In 2017, Charities Review Council partnered with 580 nonprofits to work towards earning the Meets Standards® Seal, a visual marker of nonprofit accountability, transparency, and strength.

GDPR: A 30-second Primer

GDPR attempts to give individuals two things: Transparency and safe practices around data collection. Put in place by the European Union, GDPR strengthens strongholds on personal data of individuals in the European Union and the European Economic Area (EEA). GDPR’s purpose is to allow individuals to “opt-in” to email and online marketing and data collection, helping give residents of the EU power over their data and who uses their personal information. Remember, GDPR language is intentionally vague, allowing the EU and its regulators to apply it in the way they see fit.

GDPR asks five, key things:

  1. What data is being collected?
  2. How is the data being used?
  3. Is contact info for the organization updated and correct?
  4. How long will data be kept?
  5. How can individuals contact the organization about issues or to remove data?

Here are three, key points to remember about GDPR and solutions to help…

Check your privacy policy: Different from a standard donor privacy policy, your website should have a place to host a privacy policy, (often located at the footer of the page) to inform visitors what data is being collected and how it’s being used. EU users must explicitly consent to the use of their data—including cookies.

Opt-In marketing is the new norm: GDPR effects marketing from data collection to email and beyond. Nonprofits must remember a few key points: Email subscription preferences must not be checked, “yes” by default and subscription checkboxes must be accompanied by an explanation of the mailing list and how to unsubscribe. Additionally, members of the EU can email websites and ask how information is being collected, how long information is kept, what it’s being used for and who has access to the data. Upon request, organizations must also delete or erase an individual user’s data.

  • Take a moment to investigate partners and vendors of your organization and ensure they have taken steps to become GDPR compliant.
  • Create GDPR compliant forms by using this resource from DonorBox.

It may apply to your organization: Remember, GDPR applies to nonprofits, companies, and organizations located around the globe who do business or market to individuals in the EU. We believe it’s important to always check with your legal counsel and IT providers to ensure you are taking the steps necessary to meet regulations.

GDPR is a reminder to all nonprofits to stay on top of best practices not only within our own industry but others as well. Together, we can create stronger relationships between donors and nonprofits by offering transparency, thoughtful data protection, and individual-first marketing.

Looking for an older article?

We're in the process of migrating our blog. If you're looking for an older entry, please visit the archive to search for it.

Get our latest and greatest monthly!


Charities Review Council

Our mission is building donor and nonprofit relationships for strong, vibrant and just communities. We envision healthy communities for all, benefiting from effective and trustworthy nonprofits that are supported by a well-informed public’s generosity.

Let’s Connect

1915 Highway 36 W Ste 133 • Roseville, Minnesota 55113-2709
Phone: (651) 224–7030 • E-mail:

Privacy Policy (5/9/19) • Terms of Use (5/9/19)

Log In