GDPR and Grantmaking: What’s Required

How funders should handle sensitive applicant data lawfully and transparently under UK GDPR.

By Plinth Team

Grantmakers must process personal data lawfully, transparently and securely, with proportionate retention and clear rights for individuals.

  • Identify a lawful basis (usually legitimate interests or contract).
  • Provide privacy notices to applicants and reviewers.
  • Respect access, correction and deletion rights where applicable.

Practical steps for compliance

Keep documentation simple but complete.

  • Data map of what you collect and why.
  • Retention schedule linked to grant lifecycle.
  • Procedures for subject requests and incident response.

Key takeaway: small, maintained docs beat complex binders.

Special category data and safeguards

Only collect sensitive data when it is necessary and can be properly protected.

  • Use explicit consent or appropriate policy conditions.
  • Limit access and apply stronger security controls.
  • Aggregate for reporting whenever possible.

Key takeaway: collect the minimum useful data.

Working with processors and partners

Ensure contracts and controls are in place.

  • Processor agreements with clear security obligations.
  • International transfer assessments where relevant.
  • Regular reviews of suppliers and shared projects.

Key takeaway: Plinth supports GDPR with EU hosting and strong privacy controls.

FAQs

Do applicants need to consent?

Not always; another lawful basis may be more appropriate.

How long should we keep data?

Only as long as needed for grant purposes, audits and legal obligations.

Can we use data for evaluation?

Yes, if it is consistent with your lawful basis and privacy notices.