Data Protection & Compliance

GDPR basics, beneficiary data, photos, retention and breaches.

4 quiz questions

NGOs are heavy processors of personal data

Beneficiary lists, attendance sheets, photographs, testimonies, mailing lists, donor records, payroll — all of these are personal data. Most jurisdictions now require organizations to handle such data in a documented, accountable way, even when the organization is small and unfunded.

Core principles to internalize

Purpose limitation: know why you collect every field, before you collect it.
Data minimization: ask for less, store less, retain less.
Accuracy: keep records correct and current.
Storage limitation: define how long you keep each dataset, and delete on schedule.
Integrity & confidentiality: protect data with appropriate technical measures.
Accountability: be able to demonstrate that you do the above.

Special care for sensitive data

Data about health, religion, sexuality, political opinion, immigration status, victims of violence, and minors typically receives heightened legal and ethical protection. NGOs frequently handle exactly these categories — treat them with proportionate care.

Photographs and stories

Obtain informed consent appropriate to the context, not a generic "I agree" tick.
Make refusal genuinely cost-free: no one should fear losing services for not consenting to be photographed.
Avoid identifying minors and at-risk individuals in public materials, even with consent, unless absolutely necessary.

Practical hygiene

A short, plain-language privacy notice on your website and intake forms.
A simple inventory of what data you hold, where, and who can access it.
Defined retention periods per dataset, with scheduled deletion.
A data-sharing policy for partners, contractors and donors who may request datasets.
A documented breach-response process, integrated with the incident response plan.

Compliance is not "extra paperwork". It is the operational expression of respect for the people whose data you hold.