Login Get in touch
Business Applications Not for Profit 10 min read

Charity Data Protection: Why Modern CRM Software Is Vital

Charity Data Protection: Why Modern CRM Software Is Vital

Charities and not-for-profit organisations have a lot to consider regarding data protection. Today’s digital world means that there are many new risks and challenges that were unheard of just a few years ago.

Charities and non-profits handle a wealth of sensitive data, encompassing personal, financial and commercial information that can be of great interest or monetary value to cyber criminals.

While many organisations are aware of the sensitivity of the data they store, the National Cyber Security Centre (NCSC) has identified a lack of awareness among charities who often underestimate their attractiveness as potential targets.

If the data you collect is exposed or lost, the consequences can be devastating for those involved. And this will cause severe damage to the organisation’s reputation. The threat cybercriminals pose is outlined in a recent report from the NSCC.

Charities have been entrusted with this information and are responsible for protecting it, and now, with GDPR legislation in place, failure to do so may result in financial penalties. These are just some of the reasons why data protection for charities is an important matter.

All organisations are responsible for storing data and must take steps to secure it. Yet, small charities face an increased risk of breaches. Data can fall into the wrong hands because they rely on outdated technology. Data protection for small charities is just as crucial as for large charities. The same issues and risks are present, and data must be handled with the same level of security.

Most organisations employ some form of Customer Relationship Management (CRM) system, which may be either a contemporary solution or legacy software housed on outdated servers. These applications are vulnerable to modern threats and often struggle to meet present-day requirements.

To compensate for functionality gaps, reliance on spreadsheets and other applications may compound security concerns and increase administrative burdens.

Securing Constituent Data in the Cloud.

Transitioning to a cloud Charity CRM system will safeguard your organisation. Data is stored on the provider’s secure servers, separating this from your location. Beyond data security, you’ll enjoy increased availability, cost efficiency and scalability.

Crucially, a cloud CRM provider handles software updates. Many providers release weekly patch updates to address new and emerging security threats.

Cloud CRM doesn’t have to mean increased operating costs. Discounted user licenses and storage services are available for charities and non-profit organisations. Some free licences, such as through Microsoft’s Technology for Social Impact programme, may be available. ANS can help you take advantage of such programs.

A cloud-based CRM system could reduce costs depending on your existing IT and data management processes. This is because the platform will handle some administrative tasks.

Moving to cloud-based CRM strengthens data security for charities through the following platform capabilities:

Automated backup

Even with the best intentions, accidental data deletions or modifications can occur. However, modern cloud CRM systems offer a valuable safety net through automatic daily backups. This feature allows for seamless data restoration when needed, providing peace of mind and ensuring data integrity.

Password security rules

Setting a password policy can be confusing, so providers often have pre-defined password policies. These commonly include enforcing minimum character lengths and banning common passwords.

Implementing a robust password policy is vital in bolstering security. To simplify this process, CRM providers often incorporate pre-defined password policies. These policies typically include enforcing minimum character lengths and prohibiting commonly used passwords.

Multi-factor authentication

MFA serves as a powerful deterrent against unauthorised access to your CRM system. By requiring users to provide multiple credentials during the login process, MFA adds an extra layer of security. Typically, this involves a combination of something the user knows (username/password) and something they possess, such as an authenticator app or a unique security key on their mobile device. Even if a password is stolen, the additional authentication factor makes it significantly more challenging for third parties to gain access to your data.

Role-based user security

These privileges are managed and granted through role-based security profiles. This controls what data each user can access, update or delete. These settings can also prevent user roles from exporting data into local spreadsheets.

Access is not given to individual users, only to security roles. CRM users are assigned one or more roles that enable them to access the permissions associated with the role(s).


Cloud CRM auditing features track system usage and support data security policies to help administrators identify potential security issues. For example, logs can include failed login attempts or user details when records are modified or deleted. You can also see previous field values to revert accidental changes.

Platform encryption

To ensure charities meet their obligations for handling data, cloud CRM systems are encrypted. Database encryption keys protect personal data while at rest in a data centre. But they also secure that data in transit between user devices and the provider’s data centres.

Marketing automation integration

You can connect your Charity CRM with marketing automation platforms such as Mailchimp, dotDigital, or ClickDimensions to avoid potential vulnerabilities when spreadsheets export data. Automated processes ensure data is securely synchronised between systems, which enables you to see a unified view of each constituent’s interaction in your CRM system.

Small charities risk data breaches when bulk messages are sent from personal devices. Integrated marketing automation to your CRM will prevent most data breach scenarios. It does this by ensuring personal data is not exposed through misuse of the BCC field. Plus, a modern CRM ensures messages aren’t sent to unsubscribed individuals.

Payment gateway integration

Using CRM to track credit card information to handle recurring donations is never recommended. To collect payments, details should be captured via a dedicated PCI-compliant payment gateway. One example known for its highly secure payment protocols is Stripe. A payment gateway also enables seamless processing, including Gift Aid claims.

GDPR Compliance

Cloud-based CRM also helps organisations follow General Data Protection Regulation (GDPR). This further strengthens charities’ data protection.

GDPR is vital for charity organisations due to the sensitive data stored and their extensive marketing activity. The regulations cover how organisations get, process, transfer and keep personal data. This is another area where cloud CRM can strengthen data protection for charities. It makes your charity’s designated data protection officers’ job much easier.

Modern CRM systems include GDPR-compliant features to help organisations demonstrate accountability and transparency for how they use personal data; these include.

Tracking consent

When consent is used as the legal basis, GDPR requires charities to prove that each individual granted consent for collecting and processing personal data. Individuals can withdraw their consent anytime, which should be easy to do with your system. Using CRM, organisations can digitally track each record of consent as the legal basis for storing data, how this consent was provided and who updated the information.

Identifying data for deletion

The GDPR doesn’t specify data retention limits but requires that personal data is stored no longer than necessary for the task performed. To support compliance and avoid usability issues caused by large data volumes, all charities should have a data retention policy.

Organisations are also subject to legal requirements for the time they are expected to keep certain records. For example, Gift Aid declaration records must be retained for six years after the most recent donation is claimed.

CRM features can be configured to support organisations in enforcing their data retention policy. Using the above Gift Aid example, automated rules could be set to archive legacy Gift Aid entries or mark these for deletion.

Charities can amass high volumes of supporter data, but how active are these relationships, and how long should this data be retained? An effective data retention policy should answer these questions enabling CRM administrators to apply the appropriate rules that ensure information is only kept for as long as needed.

Depending on your criteria, an active supporter could be defined as someone who has donated within the past 18 months or has volunteered in the last year. By tracking each supporter transaction and interaction in CRM, this data can be used as the trigger to enforce retention rules. For example, dynamic views and reports will provide transparency to identify any supporters deemed ‘inactive’. This prompts an organisation to re-engage or remove this data in line with its retention policy.

Anonymising data

Removing personal data from CRM to follow GDPR doesn’t necessarily mean that data should be deleted in every instance. Charities may have a legal basis to keep a record of these entries. Personal data should be removed by a ‘right to be forgotten’ instruction or its data retention policy, as outlined in GDPR. But if data has been anonymised so that it no longer relates to a person, it can be retained.

Modern CRM systems provide anonymisation features. This is better than deleting records in most cases. This lets you remove or encrypt specific fields in your database so that the data can’t be seen or accessed.

Anonymisation allows organisations to follow GDPR while enabling meaningful historical data reporting. CRM anonymisation also provides a safeguard to match and block contacts from being re-added after they have exercised their ‘right to be forgotten’.

Responding to subject access requests

In old systems, constituent data may be stored in many applications and spreadsheets. That makes responding to a subject access request laborious because you have to collate those details.

By contrast, when data is stored centrally in a modern CRM system, these requests can easily be handled promptly. With report templates, information about individuals can be easily forwarded to constituents.

Next Steps.

As emphasised throughout this post, data lies at the heart of every charitable organisation’s operations. To ensure the seamless management of vital information about your donors and volunteers while enhancing overall operational efficiency, it’s crucial to adopt a modern charity CRM system.

If your charity is seeking to fortify its data protection, we are here to support you. Our team specialises in transitioning your data to the trusted Microsoft cloud and deploying a CRM solution tailored to specific needs. By deploying Dynamics 365 with our Charity Hub accelerator, we minimise compliance risks and empower your organization with a solid data protection regime.

We will work closely with you to configure the appropriate features and functionalities, ensuring your CRM system aligns seamlessly with your unique requirements. With our guidance, you can confidently navigate the complexities of data protection and streamline your day-to-day operations.

Take the first step towards a secure and efficient data management approach for your charity. Contact ANS today to discuss your requirements and discover the perfect CRM solution for your organisation that will safeguard your valuable data.