GDPR fines issued to nonprofits are rising sharply. In 2024, three European charities received fines totalling over €1.2M — not for malicious data use, but for poor consent management and inadequate data subject rights processes. This guide explains exactly what you need to fix, and how Salesforce helps.
GDPR has applied since 25 May 2018, so by 2026 it will have been enforceable for eight years, yet most European NGOs we work with still have significant compliance gaps in their donor data practices. The good news: Salesforce, when implemented correctly, addresses the majority of the technical risks. The less good news: there are still things only humans and processes can fix.
This guide gives you the complete picture.
What GDPR Actually Requires From NGOs
Charities and NGOs are not exempt from GDPR. If you process personal data of EU/EEA residents — which includes donors, volunteers, beneficiaries, and staff — you're subject to GDPR regardless of where your organisation is registered.
The six core obligations every NGO must meet:
- Lawful basis for processing — You must be able to point to one of the six Article 6 legal bases (for charities usually consent or legitimate interest) for every category of personal data you process, and for every purpose you process it for.
- Transparency — Individuals must know what data you hold, why, and for how long.
- Data subject rights — Individuals can request access, erasure, rectification, portability, or restriction of their data. You must respond without undue delay and in any case within one month; that period can be extended by two further months for complex or numerous requests, but you must tell the requester within the first month that you are extending it.
- Data minimisation — You should only collect data you actually need for a stated purpose.
- Retention limits — Data shouldn't be kept indefinitely. You need documented retention schedules and automated deletion processes.
- Breach notification — If you suffer a personal data breach, you must notify your supervisory authority within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals. Where the risk to individuals is high, you must also inform them without undue delay.
What Salesforce Solves Natively
When properly configured, Salesforce handles the majority of GDPR technical requirements automatically. Here's exactly what it covers:
1. Consent Management
Salesforce's Individual object and Data Use Purpose framework lets you record exactly what each donor has consented to — email communications, SMS, sharing with third parties, profiling — and track when consent was given, how, and whether it's been withdrawn.
Combined with Marketing Cloud's Contact Builder, you can ensure no communication is sent to a contact who hasn't actively consented to that channel. When consent is withdrawn, communications stop automatically, but only on the send paths that are wired to the consent records: Marketing Cloud journeys, Salesforce email alerts, Flows and any Apex that sends email each need to check consent or the suppression list before sending.
In every European implementation, we configure consent capture on all web forms, set up automated consent expiry (typically 2 years for inactive donors), build suppression lists that sync in real-time, and create consent audit reports that DPAs can review at any time.
2. Data Subject Rights Automation
Manually processing data subject access requests (DSARs) is time-consuming and error-prone. Salesforce lets you automate the entire workflow:
- A portal or form where individuals submit their request
- Automated case creation and routing to the right team member
- One-month deadline tracking (the GDPR response period) with escalation alerts
- One-click data export for Subject Access Requests
- Automated erasure workflows that anonymise records across the Salesforce objects holding the person's data (Contact, Individual, consent records, cases and related custom objects). Remember that field history keeps the previous values of tracked fields: an erasure workflow also has to remove the history for the anonymised fields, or the old name and email survive in the audit data.
3. Audit Trail
Salesforce Shield's Field Audit Trail extends standard field history tracking: it records who changed a tracked field, when, and from what value to what value, for up to 60 fields per object, and retains that history for up to 10 years. It does not cover every field automatically, so choose the tracked fields deliberately (consent status, email, opt-out flags, anonymisation markers) and set a retention policy for the history itself. Configured this way it is invaluable for demonstrating GDPR compliance to a supervisory authority or handling a dispute.
4. Data Retention Automation
You can configure Salesforce to automatically archive or anonymise donor records after a defined inactivity period (e.g., 5 years since last gift, no active consent). This runs as a scheduled Flow or scheduled Apex job, requires no manual intervention once built, and can write an audit record for every anonymisation if the automation is built to do so.
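The following is an added example, not AlmaMate's code or a Salesforce-supplied component, showing how the consent check from section 1 and the retention rule from section 4 fit together as a scheduled Apex batch (the same logic can be built declaratively as a scheduled Flow). It assumes the standard Consent Management objects (Contact.IndividualId linking to Individual, consent stored as ContactPointTypeConsent rows with a DataUsePurpose), the NPSP rollup field npo02__LastCloseDate__c for the last gift date, and two hypothetical custom fields, Contact.GDPR_Anonymised__c (checkbox) and Contact.GDPR_Anonymised_Date__c (date), used as the audit marker.

```apex
/*
 * Added example (not AlmaMate's or Salesforce's code). Assumptions:
 *  - Contacts are linked to Individual records (Contact.IndividualId) and consent
 *    is recorded in ContactPointTypeConsent (standard Consent Management objects).
 *  - The NPSP rollup field npo02__LastCloseDate__c holds the date of the last gift.
 *  - Custom fields GDPR_Anonymised__c (checkbox) and GDPR_Anonymised_Date__c (date)
 *    exist on Contact; both are hypothetical names chosen for this example.
 */
global class DonorRetentionBatch implements Database.Batchable<SObject>, Schedulable {

    // Retention rule from the article: five years since the last gift and no active consent.
    private static final Integer RETENTION_YEARS = 5;

    // Party (Individual) Ids that still hold an unexpired OptIn for any channel or purpose.
    public static Set<Id> partiesWithActiveConsent(Set<Id> partyIds) {
        Set<Id> active = new Set<Id>();
        for (ContactPointTypeConsent c : [
                SELECT PartyId
                FROM ContactPointTypeConsent
                WHERE PartyId IN :partyIds
                  AND PrivacyConsentStatus = 'OptIn'
                  AND (EffectiveTo = null OR EffectiveTo > :Datetime.now())]) {
            active.add(c.PartyId);
        }
        return active;
    }

    // Channel-level pre-send check (section 1): may this person be contacted on this
    // channel ('Email', 'Phone', ...) for this named data-use purpose right now?
    public static Boolean canContact(Id partyId, String channel, String purposeName) {
        List<ContactPointTypeConsent> consents = [
            SELECT Id
            FROM ContactPointTypeConsent
            WHERE PartyId = :partyId
              AND ContactPointType = :channel
              AND DataUsePurpose.Name = :purposeName
              AND PrivacyConsentStatus = 'OptIn'
              AND (EffectiveTo = null OR EffectiveTo > :Datetime.now())
            LIMIT 1];
        return !consents.isEmpty();
    }

    // Schedulable entry point: hand off to the batch so large donor bases stay within limits.
    // Schedule once with, for example, Sunday 02:00:
    //   System.schedule('Donor retention', '0 0 2 ? * SUN', new DonorRetentionBatch());
    global void execute(SchedulableContext sc) {
        Database.executeBatch(new DonorRetentionBatch(), 200);
    }

    // Candidates: not yet anonymised and last gift older than the cutoff.
    global Database.QueryLocator start(Database.BatchableContext bc) {
        Date cutoff = Date.today().addYears(-RETENTION_YEARS);
        return Database.getQueryLocator([
            SELECT Id, IndividualId
            FROM Contact
            WHERE GDPR_Anonymised__c = false
              AND npo02__LastCloseDate__c < :cutoff]);
    }

    global void execute(Database.BatchableContext bc, List<Contact> scope) {
        Set<Id> partyIds = new Set<Id>();
        for (Contact c : scope) {
            if (c.IndividualId != null) partyIds.add(c.IndividualId);
        }
        Set<Id> keep = partiesWithActiveConsent(partyIds);

        List<Contact> toAnonymise = new List<Contact>();
        for (Contact c : scope) {
            // An unexpired consent for any purpose keeps the record; everything else goes.
            if (c.IndividualId != null && keep.contains(c.IndividualId)) continue;
            toAnonymise.add(anonymise(c));
        }
        // allOrNone = false: one failing record must not block the rest of the batch.
        Database.SaveResult[] results = Database.update(toAnonymise, false);
        for (Integer i = 0; i < results.size(); i++) {
            if (!results[i].isSuccess()) {
                System.debug(LoggingLevel.ERROR, 'Anonymisation failed for ' + toAnonymise[i].Id
                    + ': ' + results[i].getErrors()[0].getMessage());
            }
        }
    }

    // Overwrite identifying fields in place. Gift rollups (totals, counts) are left intact so the
    // financial history the charity must keep for accounting survives without a name attached.
    private static Contact anonymise(Contact c) {
        return new Contact(
            Id = c.Id,
            FirstName = null, LastName = 'Anonymised',
            Email = null, Phone = null, MobilePhone = null, Birthdate = null,
            MailingStreet = null, MailingCity = null, MailingPostalCode = null,
            GDPR_Anonymised__c = true, GDPR_Anonymised_Date__c = Date.today());
    }

    global void finish(Database.BatchableContext bc) {}
}
```

Two points to check before relying on this in production: canContact runs one query per call and is meant for a single pre-send decision, not for a loop over thousands of contacts (use the set-based helper there); and because field history and Field Audit Trail retain the previous values of tracked fields, the old name and email remain in the history after the update, so the erasure process must also delete that history for the anonymised fields, otherwise the anonymisation is incomplete.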
What Salesforce Doesn't Solve (And What You Still Need)
Salesforce is a tool, not a GDPR compliance programme. There are things it cannot do for you:
Technology configures the pipes, but GDPR compliance also requires documented policies, staff training, and, where the law demands it, a designated Data Protection Officer: a DPO is mandatory for public authorities and for organisations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special-category data (health, religion, political opinions and similar), which describes many charities working with beneficiaries. Salesforce doesn't replace any of these.
- Privacy Policy and Data Processing Agreements — You still need legal documentation that describes your data practices. Salesforce can't write your Privacy Policy.
- Vendor risk management — If Salesforce is your processor, you need a Data Processing Agreement with them (Salesforce provides a standard DPA). You also need to assess every third-party integration.
- Staff training — GDPR requires that staff who handle personal data are trained. Salesforce doesn't train your people.
- Lawful basis documentation — You need to document why you process each category of data. This is a legal/governance question, not a technical one.
Our GDPR Implementation Checklist
When we run a GDPR-focused Salesforce implementation for a European NGO, this is our standard scope:
- Data audit — map every category of personal data, where it lives, and its legal basis
- Consent framework configuration — Individual object, Data Use Purposes, Marketing Cloud suppressions
- DSAR portal and workflow automation (one-month SLA enforcement, with tracking of any extension)
- Salesforce Shield activation and Field Audit Trail configuration
- Automated retention and anonymisation flows
- Breach response workflow and 72-hour notification checklist
- GDPR compliance dashboard for your DPO / legal team
- Staff training on GDPR-compliant use of Salesforce
Getting Started
If you're a European NGO and you're not confident in your current GDPR compliance posture, the best first step is a data audit — understanding exactly what personal data you hold and whether you have a clear legal basis for each category.
AlmaMate offers a free 2-hour GDPR readiness assessment for European NGOs. We'll review your current Salesforce setup (or spreadsheet situation), map your data landscape, and give you a prioritised list of what to fix. No commitment required.
Download our 50-point GDPR Compliance Checklist for European NGOs — covers consent management, data subject rights, retention policies, breach protocols, and Salesforce configuration notes for each item.