GDPR starter kit for foundations + non-profits
Donors, volunteers, email campaigns, charitable (ANBI) status publication, partner collaboration. Practical compliance even on a small budget.

Non-profits and foundations have the same GDPR obligations as commercial businesses, but usually less budget and less in-house expertise. Hence a pragmatic focus on the core issues, in order of priority:

1. Donor data: separate one-off donors (processed only for the transaction and the charitable donation confirmation) from structural relationships (CRM plus opt-in marketing). Keep the fiscal records: a 7-year retention obligation applies to donations above €100, so do not delete transaction records before that period ends, but also do not use them for marketing without a separate legal basis.
2. Volunteers: a VOG (Verklaring Omtrent het Gedrag, the Dutch certificate of conduct) is required for certain roles, such as working with children. You may request and inspect the VOG, but record only that it was checked (date and reference) and do not keep a copy once that registration is done.
3. Email campaigns (Mailchimp, Brevo, MailerLite): collect opt-in via double confirmation. An unsubscribe option in every message is mandatory under both the Telecommunicatiewet (Tw) and the GDPR.
4. Charitable status publication: publish only aggregated donor information (totals), never names together with amounts unless the donor has given consent.
5. Partnerships: sharing data with a partner organisation (for example a joint campaign) requires a data processing agreement (DPA) or, where both parties determine purposes and means, a joint-controller arrangement.
6. Crowdfunding platforms (Geef, GoFundMe): they usually act as processor, so the DPA is concluded through the platform; check its terms rather than assuming.
7. Lobbying data: a record of who spoke with which MP is personal data of the politician. Store it securely and restrict access to those who need it.

Free help: the AP (Autoriteit Persoonsgegevens, the Dutch data protection authority) publishes specific guidance for non-profits, and NOV (the Dutch association of volunteer organisations) provides templates.

WBTR impact: since the WBTR (Wet bestuur en toezicht rechtspersonen) took effect in 2021, foundation directors can be held personally liable for mismanagement. Check that the board's liability insurance also covers privacy claims.