GDPR Compliance

Data protection

Avoid the reputational damage and financial penalties which can come with data protection breaches

62% of companies do NOT comply with the most basic requirements of the GDPR

That is the worrying finding of a 2016 survey which looked at the readiness of European businesses for the General Data Protection Regulation (GDPR), which was adopted in 2016 and has applied since 25 May 2018.

Data Health Check

Bloom Fundraising runs what we call Data Impact Assessments (DIAs) to help charities comply with the law. DIAs identify areas of non-compliance with current and forthcoming data protection legislation (including GDPR).

  • Each ‘contact point’ where personal data is collected, stored and used is thoroughly audited.
  • We look at things like online and offline data capture forms, procedures for moving personal data securely to and from third parties, and whether marketing campaigns are lawful.

DIAs are not a legal requirement. (They should not be confused with Data Protection Impact Assessments, or DPIAs, which GDPR Article 35 does require before any processing likely to result in a high risk to individuals.) Nevertheless, should a breach be reported, the ICO may ask an organisation what steps it had taken to assess its own compliance. Conducting a DIA is one of the most effective ways to demonstrate to the ICO that you take your donors’ privacy seriously, and that you are diligently striving to comply with data protection laws and regulations.

Focus on direct marketing (consent)

A Marketing DIA helps you get to grips with all the important issues around marketing consent. The auditing process we have adopted strictly adheres to the ICO’s own best practice guidance for direct marketing.

  • direct marketing scrutinised through a GDPR data privacy lens
  • donor consent, preferences and security requirements brought up to speed.

We advise you on how to swiftly and economically put in place any changes you need to make in order to become compliant.

We also help you design policies to guide your staff and keep your data handling compliant with the law going forward.

Focusing on ALL aspects of data compliance (consent + security)

Bloom Fundraising’s Comprehensive DIA is an audit which covers ALL data protection ‘touch points’ throughout your entire organisation. This means that, as well as direct marketing, the administrative aspects of your organisation are audited too.

Areas covered

  • Data protection assurance
    registration, processing, data quality, accuracy and retention
  • Records management
    record maintenance and access, storage and disposal
  • Information security
    mobile working, removable media, access controls and malware protection
  • Data sharing & subject access
    sharing policy and agreements, as well as compliance monitoring
  • Direct marketing
    consent and bought-in lists, as well as telephone, electronic and postal marketing

Our audit process is modelled on the ICO’s best practice guidance for small and medium sized organisations.

We advise on practical measures relating specifically to compliance, including guidance in drafting policies and risk assessments.

GDPR: How does it impact your charity?

The General Data Protection Regulation (GDPR) has applied since 25 May 2018

The regulation, adopted by the European Parliament and Council, expands and deepens existing UK privacy law. It continues to apply regardless of Brexit: it has been retained in UK law as the UK GDPR, alongside the Data Protection Act 2018.

The ICO (Information Commissioner’s Office) is the UK’s independent regulator for information rights. It enforces UK data privacy legislation, including the Data Protection Act 2018 and the GDPR, the Privacy and Electronic Communications Regulations (PECR), and the Freedom of Information Act. For the most serious GDPR infringements it can impose fines of up to €20 million or 4% of annual worldwide turnover (whichever is higher); the UK GDPR sets the equivalent cap at £17.5 million or 4%.


Since 25 May 2018, a higher standard of consent has been required of charities that collect and store their supporters’ and prospects’ personal data for marketing purposes.

Data Protection DOs and DON’Ts

  • Charities DON’T require fresh consent to send fundraising emails to existing supporters who’ve previously given consent, provided that consent already meets the GDPR standard (freely given, specific, informed and unambiguous). Consent gathered before May 2018 that falls short of this, for example via a pre-ticked box, cannot be relied on. Otherwise consent is only needed from new supporters.
  • Charities DON’T require consent to send POSTAL appeals to prospects, so long as they can show that they have a Legitimate Interest in doing so (PECR’s consent rules cover electronic marketing, not post). Recipients still have the right to object, and must be told how.
  • When seeking consent to use personal data, charities must be “specific” about the “purpose/s” for which they collect data.
  • Consent must also be “granular”: for instance, which ‘channels’ (email, phone, SMS, post, etc.) you will use to communicate with donors and prospects needs to be made clear when marketing consent is sought.
  • Consent needs to be built into fundraising campaigns and recorded in back-end databases and CRM systems, so that you can show who consented, when, to what, and how.
  • Consent is “not for ever”. GDPR sets no fixed expiry date, but the ICO advises reviewing and refreshing it periodically, and it must be as easy to withdraw as it was to give.
  • Consent needs to be gained using simple language, not via pre-ticked opt-in boxes or wording buried deep in your privacy policy.
  • Charities DO require explicit consent to use supporters’ personal data to identify and target those with a high donating propensity (wealth screening).
  • Charities DO require consent to obtain additional personal details about their supporters, such as phone number, email and postal address, in order to maximise marketing opportunities (data appending).

To learn more about how we can help prevent your charity from breaching data protection laws, fill in the form below.

It is our policy never to sell, swap or in any way trade your details to a third party for marketing purposes. All enquiries (including via this form) are treated in strict confidence. Should you choose Bloom Fundraising as a fundraising partner, we shall take all practical steps to safeguard sensitive data, including fundraising strategies, tactics, performance data and, where applicable, the handling of your supporters’ data. Our privacy policy complies with the Fundraising Regulator’s Code of Fundraising Practice and Chartered Institute of Marketing guidelines.

    Free Consultation

    We offer a FREE 30-minute, no-obligation phone consultation to help you understand what your options are.

    I was paired with Gordon as part of the Institute of Fundraising Mentoring Scheme. Being able to come to him with new ideas, concerns and questions about an area of charity work that I was relatively new to at the time was incredibly useful, and he was always able to provide great input and feedback that I used to improve my performance in the role and get a promotion.

    Josh Hillier
    Community Events Manager, National Osteoporosis Society, Bath

    Gordon manages to consistently out-perform benchmarks for direct marketing response rate, average value and retention.
    You don’t often see ROI in the range of 8:1 for marketing campaigns in our industry. That’s impressive.

    Nick Thomas
    Partner, Tangible UK

    We ran a test of our copy against some Gordon had written. It was a treat to come up against such stiff competition.
    (Drayton Bird’s clients include: American Express, Hargreaves Lansdown plc [financial services], Readers Digest and Save the Children.)

    Gerald Woodgate
    Partner, Drayton Bird Associates