Virtuous and GDPR

GDPR Compliance

What is the GDPR?

The General Data Protection Regulation (GDPR) was a privacy regulation of the European Union (EU) that went into effect in May 2018. This legislation was created to help create stronger protections on the personal data of EU citizens and to require all businesses that control or process personal data of EU citizens are doing so in a secure and transparent manner.

GDPR regulations apply to non-EU businesses and nonprofits just the same. All organizations that have collected personal data of EU citizens – whether they are employees, donors, volunteers, or beneficiaries – are affected and will be responsible for GDPR compliance.

GDPR Compliance for Nonprofits

The Information Commissioner’s Office (ICO) defines that nonprofits can be ‘data controllers’ and ‘data processors’ and thus subject to GDPR compliance in several ways, which may include:

  • As an employer processing data of volunteers, trustees, and employees
  • As a provider of services to beneficiaries
  • As a fundraising or campaigning organization


Similarly, individual fundraisers also need to be educated about GDPR since they could be acting as data controllers if they collect supporter data while fundraising on behalf of a nonprofit organization. If you have a current or upcoming peer-to-peer campaign, it’s your responsibility to inform fundraisers and ensure their processes are compliant as well.

How Does This Affect My Nonprofit?

In order for your nonprofit to be compliant with GDPR, you must be transparent and meticulous when it comes to the collection and processing of personal data. This applies to the data of employees, volunteers, donors, and supporters—anyone from whom your nonprofit collects personal information. Organizations must have a written policy and procedure for how they handle personal data and abide by the privacy principles.

The legislation also requires compliance with the eight principles for data protection which are listed below.

The GDPR provides the following rights for individuals:

  • The right to be informed about the collection and use of personal data
  • The right of access to their personal data and supplementary information
  • The right to rectification of inaccurate personal data or completion of incomplete data
  • The right to erasure of personal data
  • The right to restrict processing which allows an organization to store data but not use it
  • The right to data portability which allows individuals to safely and securely obtain and reuse their own data for their own purposes
  • The right to object to processing based on legitimate interests, direct marketing, and for purposes of research
    Rights in relation to automated decision-making and profiling

How Does My Nonprofit Become Compliant?

Nonprofits are still allowed to use marketing tactics to promote, fundraise, and engage with donors, but the data processing must be done according to the six lawful bases outlined by GDPR legislation.

The following list is taken from the GDPR and Charitable Fundraising Introduction guide and as they have written it, the six lawful bases are:

  • Consent: You can show that an individual has performed a clear affirmative action (such as saying “yes” to a question or ticking an opt-in box) to allow you to process their personal data for a specific purpose. Pre-checked boxes don’t constitute consent.
  • Contract: The processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
  • Legal obligation: The processing is necessary for you to comply with the law (not including contractual obligations).
  • Vital interests: The processing is necessary to protect someone’s life.
  • Public task: The processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
  • Legitimate interests: The processing is necessary for your legitimate interests or the legitimate interests of a third party unless the interests or rights and freedoms of the individual override those interests (this cannot apply if you are a public authority processing data to perform your official tasks).

Virtuous’ Compliance with GDPR

A single piece of software can never ensure GDPR compliance as it is a combination of organizational practices and data architecture across an organization.

Virtuous fully supports GDPR compliance across the scope of our application (as laid out in our Terms and Conditions) and is dedicated to the privacy and security of our customer’s data. Because Virtuous is also HIPAA compliant, our policies around PII encryption and projection typically go far beyond the standard requirements of GDPR.

The following lists outlines the common practices and concerns around GDPR—and how Virtuous helps support organizations in achieving GDPR compliance.

  • Encrypt all personal (PII) data – All Virtuous data is fully encrypted and Virtuous permission levels allow each organization to choose which team members can access certain PII.
  • Leverage HTTPs to ensure encryption throughout data journey – All digitally acquired Virtuous data is fully encrypted via HTTPs. Virtuous also conducts 3rd party Penetration testing, leverages CAPTCHA forms, etc to protect external digital data tampering.
  • Ensure explicit opt-in on all forms – Virtuous allows for explicit opt-in on all forms and strongly encourages all customers to leverage this field.
  • Be explicit about third party data sharing – It is up to each organization to disclose other 3rd parties who might have access to PII
  • Be explicit about cookies and data tracking – It is up to the Web Administrator at each organization to decide on how cookie tracking and cookie opt-outs appear on each site.
    Make Terms and Conditions clear on forms (if in EU, terms consent is required) – Virtuous allow explicit T&C assent on all forms
  • Allow hard deletes of constituent data – Virtuous allows for hard data deletes based on Opt-Outs or at the contacts request in compliance with GDPR
  • Make unsubscribe and opt-out obvious and easy – By default, Virtuous includes clear Unsubscribe options on all emails and allows organizations to deploy additional Opt-Out and Subscription Preference forms on their site.
  • Don’t collect personal data you don’t need – PII collection is largely based on the discretion of each organization


Every Virtuous customer has unique needs around GDPR. There is no one-size-fits all approach to compliance within an organization. In some cases, GDPR may even run contrary to IRS guidelines or your Donor Bill of Rights. Virtuous can work with customers during implementation to ensure that the practices and data collection patterns are in place at your organization to adhere to GDPR where applicable.

Grow generosity with Virtuous.

Virtuous is the responsive fundraising software platform proven to help nonprofit organizations increase generosity by serving all donors personally, no matter their gift size.

“Virtuous truly understands nonprofits and the importance of our mission. And their open access to data and built-in custom reports gave us access to the data we need.”
Todd Shinabarger​
Chief Information Officer