Nonprofits · March 2026 · 6 min read

Does GDPR Apply to Nonprofits and Charities? (Yes, But...)

The short answer is yes, GDPR applies to you. Legal form doesn't create an exemption. But enforcement patterns, available lawful bases, and what's practically expected do look somewhat different for smaller nonprofits than for commercial organisations.

No Exemption for Nonprofits

GDPR Article 2 defines its scope as applying to "the processing of personal data wholly or partly by automated means." It doesn't exclude organisations based on legal form, revenue, or whether they're profit-making. A charity with a website, a member database, and a newsletter mailing list is a data controller — full stop.

The ICO, which regulates UK data protection, has published specific guidance for charities, and it has also issued fines and enforcement notices against charities. In 2017 (before GDPR, under the Data Protection Act 1998), the RSPCA was fined £25,000 and the British Heart Foundation £18,000 for illegal use of wealth-screening services. Post-GDPR, the maximum fines are substantially higher.

What's Actually Different for Nonprofits

Legitimate interests is somewhat more available to nonprofits than to commercial organisations, particularly for communications with existing members and supporters. The ICO's guidance acknowledges that communicating with active supporters about the charity's mission can pass the legitimate interests test more readily than cold commercial marketing.

GDPR Article 9(2)(d) also provides a specific exception for nonprofit bodies with a political, philosophical, religious, or trade union aim — they can process special category data of members without explicit consent, for legitimate activities with appropriate safeguards. This is narrow and specific, not a general exemption.

In practice, enforcement against small organisations has been lighter than against commercial organisations. Data protection authorities (DPAs) tend to focus investigations on organisations with the widest potential impact. But "they'll probably fine someone else first" is not a compliance strategy.

What Nonprofits Commonly Miss

Donation data retention. Many charities keep donor records indefinitely. There's no legal obligation to retain donation data forever — only financial records relevant to Gift Aid claims and statutory reporting (typically 6 years in the UK). Donor personal data beyond what's needed for this can and should be deleted or anonymised.

Volunteer data. Volunteer management systems hold significant personal data: contact details, DBS check records, availability, emergency contacts, sometimes medical information. This data needs the same protection as any employee data — retention periods, access controls, and a deletion mechanism when volunteers leave.

Event attendees. If you collect registration data for events (name, email, dietary requirements, accessibility needs), that data shouldn't persist indefinitely after the event. Dietary requirements and accessibility needs are potentially special category data (health data). Set a deletion policy.

Legacy enquirers and legacy pledgers. These are people who have expressed interest in leaving a gift in their will, and many charities maintain these relationships for decades. There's no legal basis to hold and market to these individuals forever — you need either ongoing active consent or a very carefully documented legitimate interests assessment.

Fundraising Email Lists: The Hardest Part

The soft opt-in (PECR Regulation 22) allows marketing to existing customers or supporters about similar activities. For charities: if someone donated in 2021, you can email them about similar fundraising campaigns, as long as every email offers an opt-out and the message concerns similar charitable activities to the ones they supported.

You cannot use the soft opt-in to email people about unrelated campaigns, sell them merchandise, or share their details with other charities. You also cannot use it indefinitely — a supporter who donated once in 2018 and hasn't engaged since represents diminishing legitimate interest.

Practical minimum requirements for small nonprofits

  • Privacy policy on your website describing what data you hold and why
  • Cookie consent if you use Google Analytics or any other tracking
  • Donation data retention policy (set a deletion date for supporter records)
  • Unsubscribe link in every marketing email
  • Data processing agreements (DPAs) with your email provider, CRM, and donation platform
  • Process for handling access and deletion requests
