Guide · Data protection

GDPR for Irish charities & nonprofits

If your organisation holds details of donors, members, staff, volunteers or beneficiaries, GDPR applies to you. Here's what it actually asks for — without the jargon.

Updated 29 June 2026 · about 7 minutes

The short version

  • GDPR and the Data Protection Act 2018 apply to any organisation handling personal data — size doesn't exempt you.
  • You need a lawful basis for every use of personal data, and a privacy notice that tells people what you do with theirs.
  • People have rights — access, correction, erasure — and you must respond, usually within one month.
  • A personal-data breach that is likely to put people at risk must be reported to the DPC without undue delay, and where feasible within 72 hours of becoming aware of it.
  • Most small charities don't need a formal DPO, but someone should clearly own data protection.

Does it apply to us?

Almost certainly yes. GDPR applies to any organisation that processes personal data — information about identifiable living people. For a charity that's donors, members, staff, volunteers, service users and beneficiaries. There's no small-organisation exemption; what changes with size is how much formality is proportionate.

Charities often hold special category data too — health, religious belief, and similar — particularly about beneficiaries. That data carries extra conditions and needs more care.

The core obligations

1. A lawful basis

Every use of personal data needs one of six lawful bases — most commonly consent, legitimate interests, legal obligation or contract. Decide the basis before you process, not after, and record it. Note that consent for electronic marketing (email/SMS) is governed separately by the ePrivacy Regulations (S.I. No. 336 of 2011), which are stricter: a lawful basis under GDPR does not on its own let you send marketing messages.

2. Transparency — a privacy notice

Tell people, in plain language, what data you hold, why, your lawful basis, how long you keep it, and their rights. That's your privacy notice — on your website and wherever you collect data.

3. Data minimisation & retention

Collect only what you need, keep it accurate, and don't keep it forever. A simple retention schedule — what you hold and for how long — is the practical heart of compliance.

4. Security

Appropriate technical and organisational measures, proportionate to the risk: access controls with least privilege and multi-factor login, encryption of laptops, phones and backups, and extra care with anything especially sensitive. PPS numbers collected for CHY3 tax-relief claims, for example, should be stored encrypted, readable only by the few people who need them, and every access logged.
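To make the PPS-number point concrete, here is an added example (written for this guide, not code from EasyGovernance or any other product) of field-level encryption with an access log. It assumes a Go application that stores donor records in its own database; the `Vault`, `DonorRecord` and `AccessEntry` types, the demo key and the sample donor "D-001" with PPS number "1234567TA" are all constructed for illustration. The PPS number is sealed with AES-GCM using the donor's record ID as associated data, so a ciphertext copied onto another donor's row fails to decrypt instead of quietly revealing the wrong number, and every read attempt, successful or refused, is logged without ever writing the PPS number into the log.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"fmt"
	"io"
	"time"
)

// DonorRecord is the stored row. The PPS number is kept only as
// AES-GCM ciphertext: base64(nonce || ciphertext || tag). (Constructed type.)
type DonorRecord struct {
	ID     string
	Name   string
	PPSEnc string
}

// AccessEntry is one line of the append-only access log: who read which
// record, why, and whether it succeeded. It never holds the PPS itself.
type AccessEntry struct {
	At      time.Time
	DonorID string
	User    string
	Purpose string
	OK      bool
}

// Vault wraps the field-encryption key and the access log. In production the
// key would come from a KMS or secrets manager, never from the record store,
// and the log would go to append-only storage.
type Vault struct {
	aead cipher.AEAD
	Log  []AccessEntry
}

func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key) // 16, 24 or 32-byte key
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead}, nil
}

// SealPPS encrypts a PPS number for storage. The donor ID is bound in as
// associated data so the ciphertext only opens against its own record.
func (v *Vault) SealPPS(donorID, pps string) (string, error) {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return "", err
	}
	ct := v.aead.Seal(nil, nonce, []byte(pps), []byte(donorID))
	return base64.StdEncoding.EncodeToString(append(nonce, ct...)), nil
}

// RevealPPS decrypts on demand and logs every attempt. A stated purpose is
// mandatory: a read without one is refused and the refusal is still logged.
func (v *Vault) RevealPPS(rec DonorRecord, user, purpose string) (string, error) {
	entry := AccessEntry{At: time.Now().UTC(), DonorID: rec.ID, User: user, Purpose: purpose}
	defer func() { v.Log = append(v.Log, entry) }()

	if purpose == "" {
		return "", errors.New("access refused: no purpose stated")
	}
	raw, err := base64.StdEncoding.DecodeString(rec.PPSEnc)
	if err != nil {
		return "", err
	}
	ns := v.aead.NonceSize()
	if len(raw) < ns+v.aead.Overhead() {
		return "", errors.New("stored value too short")
	}
	pt, err := v.aead.Open(nil, raw[:ns], raw[ns:], []byte(rec.ID))
	if err != nil {
		return "", fmt.Errorf("decrypt failed for record %s: %w", rec.ID, err)
	}
	entry.OK = true
	return string(pt), nil
}

func main() {
	key := make([]byte, 32) // demo key only; use a KMS-managed key in practice
	if _, err := io.ReadFull(rand.Reader, key); err != nil {
		panic(err)
	}
	v, _ := NewVault(key)
	enc, _ := v.SealPPS("D-001", "1234567TA") // constructed sample, not a real PPS
	rec := DonorRecord{ID: "D-001", Name: "A. Donor", PPSEnc: enc}
	pps, err := v.RevealPPS(rec, "treasurer", "CHY3 claim 2026")
	fmt.Println("read:", pps, err)
	// The same ciphertext pasted onto another donor's record is refused.
	_, err = v.RevealPPS(DonorRecord{ID: "D-002", PPSEnc: enc}, "treasurer", "CHY3 claim 2026")
	fmt.Println("swapped:", err)
	for _, e := range v.Log {
		fmt.Printf("%s %s %s %q ok=%v\n", e.At.Format(time.RFC3339), e.User, e.DonorID, e.Purpose, e.OK)
	}
}
```

The log is what lets you answer the DPC's first question after an incident ("who could have seen this, and who actually did?"); keep it somewhere the people who read PPS numbers cannot edit.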

5. Records of processing

Keep a record of your processing activities (a RoPA) — what data, why, who it's shared with, how long it's kept. Even where not strictly required, it's the document that proves you've thought it through.

People's rights

Individuals can ask to access their data (a DSAR), have it corrected, erased, restricted or ported, or object to its use. You must respond within one month, extendable by a further two months for genuinely complex or numerous requests, and normally free of charge (a fee or refusal is only possible for manifestly unfounded or excessive requests). Have a simple process, including how you verify the requester's identity, so a request doesn't catch you out.

When something goes wrong — breaches

A personal-data breach that is likely to result in a risk to people's rights and freedoms must be reported to the Data Protection Commission without undue delay and, where feasible, within 72 hours of becoming aware of it. If the risk is high, you must also tell the people affected. Keep an internal log of all breaches, including the ones you decide not to report, with the facts, the effects and what you did about them: GDPR requires that record, and it is what shows the DPC your reasoning.

Do we need a DPO?

A statutory Data Protection Officer is required only in specific cases — public authorities, or organisations whose core activities involve large-scale monitoring or large-scale special-category data. Most small and medium charities don't need one — but you should still assign clear responsibility for data protection to a named person.

Common pitfalls

Official sources

This guide is a plain-English overview. For the authoritative detail and guidance for organisations, go to:

How EasyGovernance handles this

EasyGovernance builds the GDPR pieces as real records — privacy documentation, a records-of-processing register, a retention schedule, and a breach log with the 72-hour deadline tracked — all kept in your vault.

See the governance engine
See what applies to you →
No commitment


This guide is general information, not legal advice. Data protection law is applied case by case — check the current guidance from the Data Protection Commission, or take advice, before you rely on it.