The Challenge
International Relief Foundation (IRF) is a UK-registered charity operating humanitarian programmes across the UK, Germany, Netherlands, France, Poland, Sweden, Austria, and Denmark. They had 280,000+ donor records across these countries — collected over 20 years — spread across three legacy CRMs, multiple Excel databases, and a Mailchimp account.
In early 2025, their legal team flagged a serious problem: less than 30% of their donor records had documented consent to receive marketing communications. The remaining 70%+ were based on assumed opt-ins, legacy data, or outdated consent records that pre-dated GDPR. With regulators in Germany and the Netherlands increasingly active on nonprofit enforcement, the risk was significant.
Their in-house team had attempted to address this twice before — both times the project stalled due to complexity and resource constraints.
280,000+ donor records. 3 legacy CRMs. 8 countries. Less than 30% with documented GDPR-compliant consent. Two previous failed attempts to fix it. A looming ICO inquiry triggered by a donor complaint.
Our Approach
AlmaMate's European Practice was brought in with a clear brief: get IRF to full GDPR compliance without disrupting ongoing fundraising campaigns, and do it in under 12 weeks.
We started with a full data audit — cataloguing every system that held personal data, the legal basis for each data category, and the consent status of every donor. This took two weeks and involved interviews with 14 team members across 6 countries.
Phase 1: Data Consolidation & Audit (Weeks 1–3)
We migrated all donor data into a single Salesforce NPSP instance, deduplicating 47,000 records in the process. For each record, we tagged the consent status, legal basis, source, and date — building a complete data map that the DPO could review at any time.
Phase 2: Consent Framework Build (Weeks 3–6)
We configured Salesforce's Individual object and Data Use Purpose framework to track consent per communication channel, per country, per purpose. We built a GDPR preference centre — available in 6 languages — that donors could access from any communication to update their preferences in real time.
For the 70%+ of records without documented consent, we designed a re-consent campaign: a single, transparent email asking donors to confirm their preferences. We configured Marketing Cloud to automatically suppress any record that didn't respond within 30 days.
Phase 3: Rights Automation & Shield (Weeks 6–9)
We built automated workflows for every data subject right: access requests, erasure, rectification, portability, and restriction. Each workflow had a 30-day SLA tracker with escalation alerts. We activated Salesforce Shield and configured Field Audit Trail across all donor objects.
Phase 4: Training & Handover (Weeks 9–10)
We ran GDPR-in-Salesforce training sessions for 18 staff members across 4 countries, produced documentation in English and German, and handed over a GDPR compliance dashboard the DPO could use for ongoing monitoring.
The Timeline
What IRF Can Do Now
Twelve months on from the project, IRF's DPO has a live compliance dashboard showing consent rates, DSAR volumes, and audit trail health across all 8 countries. Their legal team no longer has to manually compile consent data for regulatory requests. And the fundraising team can communicate with confidence, knowing every send is fully consented and suppression lists are always current.
The re-consent campaign, while temporarily reducing their active donor list by 34%, actually improved email open rates by 42% — because every remaining donor genuinely wanted to hear from them.
Losing 34% of a donor list to a re-consent campaign sounds alarming. But a smaller, genuinely opted-in list outperforms a large, unconsented list on every metric that matters: open rates, click rates, conversion, and lifetime value. GDPR compliance and fundraising performance are not in conflict — they reinforce each other.