
The voice of Scotland’s vibrant voluntary sector

Published by Scottish Council for Voluntary Organisations

TFN is published by the Scottish Council for Voluntary Organisations, Mansfield Traquair Centre, 15 Mansfield Place, Edinburgh, EH3 6BB. The Scottish Council for Voluntary Organisations (SCVO) is a Scottish Charitable Incorporated Organisation. Registration number SC003558.

How charities can ensure they are GDPR compliant


In her first blog Val Surgenor gave an overview of the new general data protection regulation (GDPR) and the potential impact it may have on the third sector. In this latest blog she takes a closer look at the impact of the GDPR on fundraising and marketing.

Data is a key fundraising resource for third sector organisations - it is how supporters are identified, contacted and often how they are made aware of fundraising campaigns. However, with data comes responsibility for protection of that data. The GDPR will reform the current data laws in the UK as of 25 May 2018 – meaning direct marketing and consent will face significant change and influence how charities raise funds in the future.

Preparing for the change will ensure that charities don’t lose out on potential funding come 2018 because their marketing practices aren’t GDPR compliant.

Val Surgenor


So, what do charities need to know?

1. Affirmative consent – the demise of the pre-ticked box

A donor’s or supporter’s consent to receive your newsletters, updates and information on your latest campaigns will need to be “affirmative” to be lawful. What does “affirmative” mean? Well, this will include ticking boxes on a website (the opt-in), but reliance on silence, inactivity or the pre-ticked box will be explicitly excluded as a means of consent. An early review of how you obtain consent and what information you provide at the time is good practice and will also help you “GDPR prepare”.

2. Rights of supporters and donors

Under the GDPR, your supporters and donors will have the right to:

• “Withdraw consent” at any time, and it must be as easy for them to withdraw it as it was for them to give it - once a participant or donor withdraws consent his or her personal data must be erased and no longer used by the charity; and

• Object to receiving your direct marketing - objection would require you to erase the individual’s personal details “without undue delay”.

To avoid fines, consider now how you would ensure that supporters and donors are not contacted once they have withdrawn consent or objected to use of their information.

Why should charities care?

• Reputation – charities and their fundraising practices have been under the spotlight in recent months, and failure to comply with the GDPR may fuel public distrust in fundraising.

• Sanctions – major breaches of the rules around consent could result in fines of the higher of 4% of your global turnover or €20m. This makes the current maximum fine in the UK of £500k seem (almost) insignificant.

How can charities prepare?

2018 may seem a long way off, but in preparation terms it isn’t. Charities must think about preparations now to ensure that they are GDPR ready by spring 2018:

• Review procedures used to seek, obtain and record consent (“Know Your Data”);

• Review and revise privacy policies and notices to ensure compliance - say goodbye to your pre-ticked boxes; and

• Look at the consents you already have and decide whether they meet GDPR standards.

Val Surgenor is a partner at MacRoberts LLP. Its team of data protection specialists can provide expertise and advice to charities wishing to adopt a proactive approach to compliance preparation.



Jacqueline Bridgeman
over 2 years ago
We have been collecting names, postcodes and email addresses of people who want to receive news about our events for the past year. Some people have given us that information by signing up on the street or at our meetings. Other email addresses have been sent to us online by people asking to be supporters or members of our organisation. I have kept all original copies. We also add the option of unsubscribing to all our emails. Do you think we are doing enough to comply with the new GDPR legislation? With thanks for your help.
Susan Smith
over 2 years ago
Hi Jacqueline - we can't offer information and advice about that on TFN. However, you can try the Scottish Council for Voluntary Organisations' Information Service on 0800 169 0022 or