GDPR for charities and fundraising organisations (privacy notices)


GDPR for charities and fundraising organisations
Charities and Fundraising organisations GDPR

GDPR for charities

In the previous part of this series we saw how GDPR affects recruiters (and you as you will be one of the biggest volunteer recruiters), in this part we are going to look at “Language” and your privacy statement.


Language forms the basis of verbal and written communication. Imagine a world where no two people spoke the same language and therefore could not communicate? Kind of like the “Tower of Babel” situation!

Similarly, GDPR expects you to use a certain “type” of language when communicating with your data subjects.

The average privacy policy is long-winded, technical and usually filled with industry specific jargon. The reason for this (more often than not) is because it is written by lawyers and what should be a simple privacy notice is written like a legal contract. In other words, it is trying to ensure that the company (i.e. you), can’t be sued! Banks and financial institutions are one of the worst offenders here. The terms and conditions will make any average privacy notice look like a postcard! The best privacy notices are as short as they can be, written in language that is plain to the point of bluntness, and highlighting the most surprising and unexpected things that you are doing.

Let’s consider the example we used before – our Acme Limited (fictitious company). Acme Limited has a charitable concern called Acme Charities Limited (ACL) (another fictitious company). Now let’s say ACL has a newsletter section and collects the following information:

  • Name
  • Address
  • Date of birth
  • Email address
  • Contact number

On the sign up page, ACL has mentioned that it will only use the email address to send you newsletters and will not share the data with other charities. It also mentions that your information will not be used for marketing purposes. However at the bottom of the sign up page, there are two tick boxes (check boxes) that asks you if you want to allow them to request donations from you.

Pretty standard sign up page so far! Well, you complete your information and being the kind hearted person that you are, tick the box that allows them to contact you for donations. When you tick the box, a further message appears that tells you that you can unsubscribe from this option at any time and you can view their full privacy terms and conditions by clicking a link.

Sounds familiar? That’s because that is most of your sign up pages. The permutations and combinations might vary, but the bottom line is pretty much the same.

Well, getting back to ACL’s sign up page, out of curiosity you click the terms and conditions link and you are presented with a 10 page document. Being the prudent person that you are, you take your time to read it. About halfway through the document there is a section that tells you what they will do with your data.

“In order to ensure that the data we hold about you is accurate and up to date, we may occasionally use information sources that are in the public domain to verify your details, such as address and telephone number.”

Once again, sounds familiar? Yes, most companies are guilty of this and let’s see why under the GDPR, this is no longer acceptable.

In ACL’s example, the privacy statement explicitly mentions that the data will be used to verify your details. So at this point, the data (more often than not), will leave ACL’s control and pass to a third party. Part of ACL’s contract with the third party is to do a wealth screen as well. Now if ACL uses ANY of the data for the wealth screen, they will be in breach of the GDPR principle. “But they have mentioned it in their multipage privacy document!”, I hear you ask. Well, let’s take a closer look.

Think about intention and explanation. Your intention (and for all purposes, the intention of your potential donor) is to receive a newsletter. On selecting the “contact me for donations” section, the data subject (donor) now has to be subjected to additional DPA notices. So the intention has now changed in the context of data protection.

As for the explanation, the disclaimer about the information gathered was succinctly outlined. However, when it came to the opt-in donation section; the data subject was referred to read a multipage saga. While the saga might have been necessary from a legal standpoint (to cover your base), there was no explanation of what the data subject should be aware of before they make that commitment. This also raises an issue of consent! Remember the point about the data subject’s details being passed to a third party to verify? Well, ACL has assumed consent about this point – just because the data subject clicked the “contact me for donations” tick box. Once again, where was the explanation of this change in intent?

The ICO recommends a layered or just-in-time approach. That is, provide layered information as your intention changes. So in ACL’s case, while their first explanation is succinct and to the point, additional information should have been available (similar to the initial explanation) once the data subject’s intention was broadened.

Personally, I would recommend a just-in-time approach as it provides the data subject to constantly make an informed decision on their data.

So how should the privacy notice be written?

When you are writing your privacy notice, make sure it is:

  • concise, transparent, intelligible by your target audience and easily accessible,
  • written in clear and plain language, particularly if addressed to a younger person (minor) and
  • free of charge.


“But it won’t look pretty!”, I hear you scream!

Well, let me share with you some of the rather beautifully crafted privacy notices from some of the companies that have already implemented GDPR (or are in the process of implementing it).


privacy notice example from AGE UK
Age UK privacy notice



Privacy notice example from Microsoft UK
Microsoft privacy notice

Microsoft have taken it a step further with their privacy subsite.

Privacy and GDPR compliance example Microsoft
Microsoft does it right with a privacy subsite


Further reading:


(to be continued)

Here’s where we can help:

Totale Learning create bespoke GDPR solutions (consultation, training and development, etc.) that is tailor made to your business. Our experienced consultants will help you through your GDPR process and when required, we’ll use specific training content that is relevant to your sector, industry and company. Get in touch with us at or visit You can also contact us on LinkedIn, Facebook or Instagram.

One Reply to “GDPR for charities and fundraising organisations (privacy notices)”

Leave a Reply

Your email address will not be published. Required fields are marked *