Charity CRM Systems - AI and Data Protection


Many charity CRM systems now have AI. This page provides a simple checklist of data protection issues and UK GDPR requirements, and a DPIA template for AI. There will be differences in the AI services for the various CRM systems, AI is developing very rapidly, and I make no claim to being a UK GDPR expert. This guide to assessing charity CRM system AI data protection is intended to provide a simple overview and flag some key issues but, if you need professional advice, you must source it because I'm not it.

Charity CRM - AI Data Protection Checklist

Purpose & Legal Basis for AI Processing

  • Explain why AI is being used in the CRM.  For example, donor engagement, trend analysis and/or automated responses.
  • Identify the legal basis - legitimate interest or consent.

Transparency & Data Subject Rights

  • Update privacy notices to inform individuals that AI is processing their data.
  • Explain if decisions are automated and how individuals can challenge them.
  • Confirm compliance with the right to be informed, right to object, and right to explanation.

Data Minimisation & Security

  • Ensure only necessary personal data is used in AI processing.
  • Clarify data retention periods for AI-generated insights.
  • Implement security measures, such as encryption and restricted access.

Third-Party AI Providers

Bias & Fairness Considerations

  • If AI is making decisions about service users or donors, ensure the process is explainable and free from bias.
  • Document how AI is monitored to prevent unfair treatment.

Data Protection Impact Assessment (DPIA) Template

Charity Name: [Insert Name]
Date of DPIA: [Insert Date]
Completed By: [Insert Name/Role]
Reviewed By (if applicable): [Insert Name/Role]


Overview of Processing

  • What AI system is being used? [Describe the AI tool, e.g., donor engagement analysis, automated responses.]
  • What personal data is processed? [List data types, e.g., names, contact details, donation history.]
  • Why is AI being used? [Explain purpose, e.g., improving donor relations, automating responses.]
  • Who are the data subjects? [E.g., donors, volunteers, beneficiaries.]
  • Who has access to the AI system? [E.g., staff, external providers.]
  • Is a third-party AI provider involved? [Yes/No – If yes, name provider and confirm GDPR compliance.]

Identifying Risks & Safeguards

| Risk Area | Potential Risk | Mitigation Measures |
|---|---|---|
| Transparency | Individuals may not know AI is processing their data. | Update Privacy Policy & Notices to include AI use. |
| Legal Basis | No clear GDPR basis for AI processing. | Confirm legitimate interest or obtain consent where needed. |
| Security | Risk of data breaches or unauthorised access. | Ensure encryption, access controls, and staff training. |
| Explainability | Risk of being unable to explain the basis for a decision when challenged. | Ensure this is dealt with in design/procurement. |
| Bias & Fairness | AI could create unfair outcomes (e.g., in fundraising segmentation). | Regularly audit AI decisions for bias & fairness. |
| Automated Decision-Making | AI may make decisions without human oversight. | Provide an option for human review and decision appeal. |
| Data Transfers | AI provider stores data outside UK/EU. | Ensure appropriate data transfer safeguards (e.g., UK IDTA, SCCs). |

Assessment of Compliance & Justification

  • Does the AI processing align with the charity’s purpose? [Yes/No]
  • Does it respect individuals’ rights (e.g., access, objection, erasure)? [Yes/No]
  • Have risks been reduced to an acceptable level? [Yes/No]
  • Is further action needed before proceeding? [Yes/No – If yes, describe actions required.]

Approval & Next Steps

Decision:  ⬜ Proceed ⬜ Modify AI use ⬜ Stop Processing
Actions to be Taken: [List any necessary actions, e.g., update policies, conduct staff training.]
Next Review Date: [Insert Date]

Signed By: [Insert Name/Role]
Date: [Insert Date]

Charity AI Resources

CEF: AI Design and Procurement Principles.

AI Regulatory Guidance

ICO


This Article on Charity CRM AI Data Protection is Not Professional Advice

This article on charity CRM and AI data protection is for general interest only and does not constitute professional legal or financial advice. I'm neither a lawyer nor an accountant, so I am not able to provide this, and I cannot write guidance that covers every charity or eventuality. I have included links to relevant regulatory guidance, which you must check to ensure that whatever you create correctly reflects your charity’s needs and your obligations. In using this resource, you accept that I have no responsibility whatsoever for any harm, loss or other detriment that may arise from your use of my work. If you need professional advice, you must seek this from someone else. To do so, register, then log in and use the Help Finder directory to find pro bono support. Everything is free.

Ethics Note: AI was used in the creation of this web page.


Charity Excellence Framework CIO

14 Blackmore Gate
Buckland
Buckinghamshire
United Kingdom
HP22 5JT
charity number: 1195568
Copyrights © 2016 - 2024 All Rights Reserved by Alumna Ltd.