If your organisation holds details of donors, members, staff, volunteers or beneficiaries, GDPR applies to you. Here's what it actually asks for — without the jargon.
Almost certainly yes. GDPR applies to any organisation that processes personal data — information about identifiable living people. For a charity that's donors, members, staff, volunteers, service users and beneficiaries. There's no small-organisation exemption; what changes with size is how much formality is proportionate.
Charities often hold special category data too — health, religious belief, and similar — particularly about beneficiaries. That data carries extra conditions and needs more care.
Every use of personal data needs one of six lawful bases — commonly consent, legitimate interests, legal obligation or contract. Decide the basis before you process, not after. Note that consent for electronic marketing (email/SMS) is governed separately by the ePrivacy Regulations, and is stricter.
Tell people, in plain language, what data you hold, why, your lawful basis, how long you keep it, and their rights. That's your privacy notice — on your website and wherever you collect data.
Collect only what you need, keep it accurate, and don't keep it forever. A simple retention schedule — what you hold and for how long — is the practical heart of compliance.
Put appropriate technical and organisational measures in place: access controls, encryption where sensible, and particular care with anything especially sensitive (PPS numbers collected for CHY3 tax-relief claims, for example, should be encrypted at rest and every access to them logged).
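To make the "encrypted and access-logged" point concrete, here is an added illustration (not EasyGovernance code, and not from the guide itself) of a small store that keeps PPS numbers encrypted at rest with AES-256-GCM and writes an access-log entry for every read attempt, allowed or refused. The record IDs, actor names and the sample PPS number are constructed for the example; the key would in practice come from a secrets manager, never sit beside the data.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"time"
)

// AccessEntry is one line of the access log: who tried to read which record,
// when, and whether it was permitted.
type AccessEntry struct {
	When     time.Time
	Actor    string
	RecordID string
	Allowed  bool
}

// PPSVault holds PPS numbers encrypted at rest and records every read.
// Hypothetical illustration only.
type PPSVault struct {
	aead    cipher.AEAD
	records map[string][]byte // recordID -> nonce || ciphertext
	allowed map[string]bool   // actors permitted to decrypt
	Log     []AccessEntry
}

// NewPPSVault takes a 32-byte key (AES-256) and the list of actors allowed to decrypt.
func NewPPSVault(key []byte, allowedActors []string) (*PPSVault, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	v := &PPSVault{aead: aead, records: map[string][]byte{}, allowed: map[string]bool{}}
	for _, a := range allowedActors {
		v.allowed[a] = true
	}
	return v, nil
}

// Store encrypts a PPS number under a fresh random nonce. The record ID is
// passed as GCM additional data, so a ciphertext moved to another donor's
// record fails to decrypt instead of silently revealing the wrong number.
func (v *PPSVault) Store(recordID, pps string) error {
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	ct := v.aead.Seal(nil, nonce, []byte(pps), []byte(recordID))
	v.records[recordID] = append(nonce, ct...)
	return nil
}

// Read decrypts a PPS number for an authorised actor. An access-log entry is
// appended whether or not the request succeeds, which is what lets you answer
// "who has looked at this donor's PPS number?" later.
func (v *PPSVault) Read(actor, recordID string) (string, error) {
	entry := AccessEntry{When: time.Now().UTC(), Actor: actor, RecordID: recordID}
	defer func() { v.Log = append(v.Log, entry) }()

	if !v.allowed[actor] {
		return "", errors.New("access denied")
	}
	blob, ok := v.records[recordID]
	if !ok {
		return "", fmt.Errorf("no record %q", recordID)
	}
	ns := v.aead.NonceSize()
	pt, err := v.aead.Open(nil, blob[:ns], blob[ns:], []byte(recordID))
	if err != nil {
		return "", err
	}
	entry.Allowed = true
	return string(pt), nil
}

func main() {
	key := make([]byte, 32) // constructed demo key; load from a KMS in real use
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	v, _ := NewPPSVault(key, []string{"finance-officer"})
	_ = v.Store("donor-0001", "1234567TA") // constructed sample PPS number
	pps, err := v.Read("finance-officer", "donor-0001")
	fmt.Println(pps, err)
	_, err = v.Read("volunteer", "donor-0001")
	fmt.Println(err)
	for _, e := range v.Log {
		fmt.Printf("%s %s read %s allowed=%v\n", e.When.Format(time.RFC3339), e.Actor, e.RecordID, e.Allowed)
	}
}
```

The two properties worth copying are that nothing is stored in the clear and that a refused read still leaves a log line; a small charity can get the same effect from a database column-encryption feature plus an audit table, as long as both are actually switched on.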
Keep a record of your processing activities (a RoPA) — what data, why, who it's shared with, how long it's kept. Even where not strictly required, it's the document that proves you've thought it through.
Individuals can ask to access their data (a DSAR), have it corrected, erased, restricted, ported, or object to its use. You generally must respond within one month (extendable by two months for genuinely complex requests), and usually for free. Have a simple process so a request doesn't catch you out.
A personal-data breach that's likely to result in a risk to people's rights and freedoms must be reported to the Data Protection Commission within 72 hours of becoming aware of it. If the risk is high, you must also tell the people affected. Keep an internal log of all breaches — including the ones you don't have to report.
A statutory Data Protection Officer is required only in specific cases — public authorities, or organisations whose core activities involve large-scale monitoring or large-scale special-category data. Most small and medium charities don't need one — but you should still assign clear responsibility for data protection to a named person.
This guide is a plain-English overview. For the authoritative detail and guidance for organisations, go to:
EasyGovernance builds the GDPR pieces as real records — privacy documentation, a records-of-processing register, a retention schedule, and a breach log with the 72-hour deadline tracked — all kept in your vault.
This guide is general information, not legal advice. Data protection law is applied case by case — check the current guidance from the Data Protection Commission, or take advice, before you rely on it.