GDPR Small Charities Policy Template

GDPR has significant implications for charities, especially when it comes to data on your clients, donors, and employees or volunteers. Each of these groups has its own set of privacy concerns, which must be addressed in your data handling procedures and security measures.

What is the General Data Protection Regulation (GDPR)?

The GDPR came into effect in the European Union on May 25th, 2018. It sets out how any organisation, charities included, must handle personal data, and it is at the centre of Europe’s digital privacy law.

It began as a law of the European Union. After the Brexit transition period ended, it was retained as part of the UK’s data protection law. It protects the personal information of EU and UK citizens, and it applies to charities that handle personal information. If your charity asks for, receives, or stores personal information from people in the EU or UK, these rules apply to you.

GDPR is not just a legal requirement. It also gives charities the chance to gain people’s trust and confidence, to become more resilient as an organisation, and to get more value out of their data.

GDPR Small Charities Policy Template

Our GDPR small charities policy template, generated by our GDPR compliance software, lets you produce a privacy policy for your site. Follow these few easy steps:

1. Select your industry sector
2. Confirm your business processes
3. Generate your privacy policies
4. Our updates keep you in the green

Our Privacy Policy Generator makes it easy to create a privacy policy for your small or medium-sized organisation.

First, let’s look at what you need to include in your GDPR small charities policy template.

To follow these rules, you should make sure that your privacy policy is:

  • Written in simple language and presented in an easy-to-understand way, so that your users can readily understand it.
  • Complete, so that it covers every aspect of how you handle personal data.

If you use a consent form, it’s a good idea to put a link to the privacy policy somewhere on your main page.

Even though charities don’t collect personal information for profit, they are just as vulnerable to data breaches and privacy violations as any other organisation.

Understanding people’s rights under the GDPR

Under the GDPR, people whose personal information is used, processed, or stored by public bodies and private organisations, including your charity, have the right to ask how their information is being used, processed, and stored.

These rights include the ability to:

  • Find out how their personal data is being used, and access that information
  • Correct any wrong or outdated personal information
  • Ask you to erase any information you hold on them
  • Stop or limit the processing of their personal data
  • Receive their data, or have it transmitted elsewhere
  • Object to how you use and process their data

They also have the right to object if you use their data for either of the following purposes:

  • Automated decision-making (without human involvement)
  • Profiling that can be used to forecast their behaviour or interests

What are the 7 most important GDPR principles to be aware of?

The General Data Protection Regulation (GDPR) is built on seven principles, which together are meant to give people more control over their personal data.

  • Lawfulness, fairness, and transparency: Organisations must be open and honest with people about how they collect and use personal data.
  • Limiting the use of personal information: Personal information can only be used for specific, clearly stated purposes.
  • Integrity and privacy: Organisations are responsible for keeping personal information safe. Unlawful processing, loss, damage, and destruction of data are all risks that must be carefully assessed.
  • Data minimisation: Organisations should collect as little data as possible, and keep only the data they need to operate. All collected information should be stored securely, and should be sufficient for, and confined to, a single purpose.
  • Storage limitation: Data can help charities in many ways, but only if it is useful and of good quality. Personal information should not be kept for longer than necessary.
  • Data accuracy: Organisations should do everything they can to make sure that people’s personal information is correct, and should not hesitate to remove or correct wrong information.
  • Accountability: Organisations are responsible for complying with GDPR, and must be able to demonstrate that they have met all applicable requirements.

Understanding the basics of GDPR for Charities

Even though the GDPR may seem challenging at first, especially for smaller charities that don’t have a DPO (data protection officer), it can be straightforward to follow. With the right policies and procedures in place, it shouldn’t cause any problems. Here are some examples of what you can do to help your charity become GDPR-compliant:

  • Get consent: Give people a clear choice about what information they share with you, and make it easy for them to change their minds. Being clear and brief goes a long way towards building trust in charities.
  • Communicate purpose: Be clear about why you want to gather information. Be open and honest about how your organisation handles data, whether for operations or for marketing.
  • Keep information safe: Only people with a legitimate reason should be able to see personal information. Use strong passwords and secure processes, such as encryption, to protect important data sets and documents.
  • Document everything: Write down every step you take to follow GDPR, and update your records regularly. In the event of a breach, these documents will show that your data protection policies and procedures comply with the law.

Who are data processors and controllers in charities?

A “data controller” is an organisation that processes data and decides how, and why, that data will be processed. A “data processor” is an organisation engaged by a data controller to handle data on its behalf.

Even if you are a charity or non-profit organisation, you must follow GDPR if you handle personal information. Your database may hold information about your employees, clients, suppliers, and donors. Under GDPR, you are required by law to respect and protect the data you process.

The charity may process some or all of this data itself, making it both a controller and a processor, or it may engage a third party to do so.

In either case, the data controller is responsible for making sure GDPR is followed, and must satisfy itself that any third parties have adequate data protection measures in place.

The organisation that owns the data and the one that processes it should agree in writing on how the data will be used and kept safe. If either party breaks that agreement, it could result in a breach involving a third party.

Third Parties: Data Protection Officers

A DPO is a specialist who works outside an organisation’s day-to-day operations and is responsible for monitoring how it protects personal information.

You must appoint one if you are a public authority, if your organisation regularly and systematically monitors data subjects, or if you process large amounts of special categories of personal data.

Many experts recommend appointing a DPO because it helps in a number of ways, such as enabling efficient and lawful communication with data subjects and supervisory authorities.

You can appoint a DPO from inside or outside your organisation.

How does the GDPR affect your Charity?

The law applies to all organisations that could be considered data controllers and processors. This includes charities and other non-profits.

GDPR applies to any personal information about your users, donors, employees, and volunteers that you collect and store. We suggest that any organisation, not just non-profits, starts preparing for GDPR by finding out what personal data it handles.

If you hold someone else’s information, you will have to explain why. For example, if you know someone’s full name and address, can you explain why you know it? You might have a good reason to store their full name, but you may also have to explain why you need their home address. Under GDPR, you must state the lawful basis on which you process data.

Protecting Personal Data under GDPR for Charities

Once you have established how the personal data you handle is currently managed, you may need to consider the steps required to become GDPR-compliant. To make sure you are processing personal information lawfully, you will need to put in place a number of processes and rules, such as a privacy policy, e.g. a GDPR small charities policy template.

You will also need to make sure that the personal information you work with is safe. If you hold someone’s personal information, you are responsible for it and must take steps to keep it protected and secure.

When relying on a “legitimate interest” to process personal data, charities must show that they have a clear and specific goal or benefit in mind.

GDPR applies to all organisations, regardless of their size or the sector they work in. Reviewing your GDPR privacy policy is especially worthwhile if you work for a charity that raises money and accepts donations from the public.

Drafting a GDPR policy template for your charity is a complex task, so consider using our GDPR compliance tool to make it easier. In a few easy steps, you can have a compliant GDPR privacy policy template ready to implement on your site. Thanks to our GDPR compliance generator, it’s easy.