Stéphanie Mathieu & Nick Diplock: Is your CRM system GDPR compliant?

31 Jan 2018 Expert insight

What steps should charities be taking to ensure their CRM systems are GDPR compliant? Stéphanie Mathieu and Nick Diplock offer some suggestions.

If you are a charity in the EU or UK right now, you may feel like you are going crazy with the overload of information about GDPR out there. Although useful and serviceable, the new data protection law is quite extensive (and maybe even a little scary).

First, remember that the GDPR was designed to harmonise data privacy laws across the EU (including the UK). The aim of GDPR is to protect and empower all citizens from privacy and data breaches in an increasingly data-driven world. GDPR will give you the opportunity to re-organise your database and implement new processes to ensure that your donors’ data is stored appropriately. To avoid fines, you as a charity will need to start thinking about how you’ll ensure that supporters and donors aren’t contacted once they’ve withdrawn consent.

Preparing for GDPR

There’s a lot to do to get ready; we suggest that you begin with these steps:

Communication and awareness

Make sure that decision-makers and key people in your organisation are aware that the law is changing. Designate someone to take responsibility for data protection compliance.

Information audit

Review the personal data you hold, where it came from and who you share it with. Consider an information audit. GDPR requires you to maintain records of your processing activities. Any audit should include checking your procedures to ensure they cover all the rights individuals have. Review and plan how you will handle access requests to take account of the new rules, and update your procedures, if required.

Privacy information

Review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation. Consider adopting a privacy-by-design approach and carrying out a privacy impact assessment (PIA) as part of this. Note that GDPR makes privacy by design an express legal requirement, under the term "data protection by design and by default". It also makes PIAs – referred to as data protection impact assessments or DPIAs – mandatory in certain circumstances: a DPIA is required where data processing is likely to result in a high risk to individuals.


You should review how you seek, record and manage consent, and whether you need to change how you market to and contact your supporters. Put in place a plan to refresh existing consents if they don’t meet the GDPR standard. You also need systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity involving children, because GDPR includes special protection for children’s personal data.

Data processing review

Identify the lawful basis for your processing activity in GDPR, document it and update your privacy notice to explain it. Make sure you have the right procedures in place to detect, report and investigate a personal data breach.

Are your systems prepared for GDPR?

You will also need to ensure your data is properly protected. The best way to accomplish this is with software, specifically the system on which your donor data is recorded, whether it is a CRM solution, fundraising software, or an Excel spreadsheet.

Therefore, most GDPR responsibility falls on your system provider. So how can you be sure they’re ready to go? Here are three questions you should ask your system provider:

What does GDPR mean to you?

Call them and ask them what their understanding is of the new regulations and how they will help you meet your own obligations. You can also seek information about how important data security is for them as a company:

  • Do they follow best practices?
  • What procedures do they have in place?
  • Where is the data stored?
  • Is there third party access?

You need to have a good idea of what their commitment is to you. If your system provider isn’t confident in their response, you may want to start looking into a new system that will ensure the protection of your donors and their data.

Are you GDPR compliant?

An important part of compliance lies within the effectiveness of your CRM system. Don’t take a simple yes for an answer. Dig deeper. Ahead of GDPR, you should be asking your CRM supplier how their system will support you through the regulation changes. Ask them for a demonstration of the new features that will be released prior to May 2018 when GDPR comes into effect. See the new processes in action, and evaluate them.

  • Are they automated?
  • Are they easy to use?
  • Can I expect an efficient and effective support team, and webinars, documents and/or blog resources to help me through the process?

Assess whether your current system will enable you to deliver GDPR-compliant fundraising, direct marketing and membership services. Will it enable you to manage the use of personal information for all the different purposes you require? Does it record proof of consent, provide your supporters or donors with self-service, maintain audit trails, and identify which user has amended consent fields?
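As an added illustration (not code from the article or from any CRM vendor), here is a minimal consent ledger in Python that implements the checks just listed: it keeps proof of consent, maintains an append-only audit trail showing which user amended a consent field, and answers "may we contact this supporter?" with a default of no, so that a recorded withdrawal blocks further contact. Supporter ids, purposes, channels and user names are constructed sample values.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    """One immutable entry in a supporter's consent audit trail."""
    supporter_id: str
    purpose: str        # e.g. "fundraising", "direct_marketing", "membership"
    channel: str        # e.g. "email", "phone", "post"
    granted: bool       # True = consent given, False = refused or withdrawn
    proof: str          # where the consent came from: form id, call note, portal
    amended_by: str     # staff user (or the supporter, via self-service) who recorded it
    at: datetime
    seq: int            # append order, used to break timestamp ties


class ConsentLedger:
    """Append-only consent store: events are never edited or deleted, so the
    trail itself is the proof of consent and shows who changed what, and when."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, supporter_id: str, purpose: str, channel: str, granted: bool,
               proof: str, amended_by: str, at: Optional[datetime] = None) -> ConsentEvent:
        ev = ConsentEvent(supporter_id, purpose, channel, granted, proof, amended_by,
                          at or datetime.now(timezone.utc), len(self._events))
        self._events.append(ev)
        return ev

    def latest(self, supporter_id: str, purpose: str, channel: str) -> Optional[ConsentEvent]:
        """Most recent event for this supporter/purpose/channel combination."""
        matching = [e for e in self._events
                    if (e.supporter_id, e.purpose, e.channel) == (supporter_id, purpose, channel)]
        return max(matching, key=lambda e: (e.at, e.seq), default=None)

    def may_contact(self, supporter_id: str, purpose: str, channel: str) -> bool:
        """Default is 'no': contact is allowed only if the latest event granted consent,
        so a withdrawal appended later automatically stops further contact."""
        ev = self.latest(supporter_id, purpose, channel)
        return ev is not None and ev.granted

    def audit_trail(self, supporter_id: str) -> List[ConsentEvent]:
        """Full history for a subject access request or an internal audit."""
        return sorted((e for e in self._events if e.supporter_id == supporter_id),
                      key=lambda e: (e.at, e.seq))
```

Because every change is a new event rather than an overwrite, a supporter's own self-service withdrawal and a staff member's amendment are both visible in the trail with their source and author.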

How are you going to prepare me for GDPR?

Does your service provider have your best interests at heart? If so, you should find a page on its website describing its commitment to you with regard to GDPR. Look for help and resources. What you find there should help you reach out to your supporters before GDPR takes effect, so that you can obtain their consent before it’s too late.

Some examples:

  • A calendar would help you identify when you should contact supporters and how (phone, email, letter).
  • A step-by-step process would inform you on what you should get from your donors for consent, and how you should translate that information in your donor management system.
  • Communication templates would alleviate the work on your shoulders, and make for a great start when you’re ready to contact your supporters to get their consent.

Your donors expect high standards, especially when it comes to data protection. If you are censured by the ICO for breaching GDPR and the case receives media attention, it could be very damaging for your charity. The public are increasingly concerned about how their information is being used and they want to know that they can trust you before parting with their details and donations.

Here are the ICO’s top five data protection tips for small and medium-sized charities and not-for-profit organisations:

  1. Tell people what you are doing with their data
  2. Make sure your staff and volunteers are adequately trained on data protection
  3. Use strong passwords
  4. Encrypt all portable devices
  5. Only keep people’s information for as long as necessary

Those charities which thrive under GDPR will be those who recognise that the key feature of GDPR is to put their individual supporters at the heart of their data protection approach. You need to think first about how your supporters want their data handled and then use these principles to underpin how you go about preparing for GDPR. Being clear with your supporters about how their personal data is being used can only enhance your reputation and their trust in you.

Your CRM software should be able to take most of the compliance burden off your shoulders. You just need to be sure your vendor is adequately prepared to help it do so.

Stéphanie Mathieu is international marketing coordinator and Nick Diplock is UK director of DonorPerfect UK

Charity Finance wishes to thank DonorPerfect UK for its support with this article
