GDPR Compliance Checklist for Nonprofit Websites

Why GDPR Compliance Matters for Nonprofit Websites
GDPR applies to any organisation that processes personal data of people in the UK or EU — and that includes your website. Every time someone fills in a contact form, makes a donation, signs up for a newsletter, or even visits a page that sets cookies, your website is processing personal data.
For nonprofits, GDPR compliance is both a legal obligation and a credibility signal. Institutional funders conducting due diligence check whether your website handles data responsibly. A privacy policy that hasn’t been updated since 2018, a cookie banner that doesn’t actually block tracking scripts, or contact forms that don’t explain how data will be used — these are governance failures that undermine the trust you’re trying to build.
This checklist covers the specific GDPR obligations that apply to nonprofit websites on Webflow, what to check, and what to fix.
Section 1: Privacy Policy
Checklist
- Privacy policy exists and is accessible from every page (typically in the footer)
- Privacy policy is written in clear, plain English — not legal boilerplate copied from another site
- Policy identifies the data controller (your organisation name, registered address, contact details)
- Policy specifies what personal data is collected through the website: contact form submissions, donation data, newsletter sign-ups, cookies and analytics data, any other data collection points
- Policy explains the legal basis for each type of data processing (consent, legitimate interest, contractual necessity)
- Policy explains how long data is retained and when it is deleted
- Policy explains data subject rights: access, rectification, erasure, restriction, portability, objection
- Policy includes contact details for data protection enquiries (email address, not just a generic contact form)
- Policy states whether data is shared with third parties and, if so, which ones (donation platforms, email marketing services, analytics providers)
- Policy includes the date it was last reviewed or updated
Common Failures
The most common privacy policy failures on nonprofit websites: the policy exists but hasn’t been updated since GDPR came into effect in 2018, it was copied from a template and doesn’t reflect what the site actually does, it doesn’t mention third-party services that the site clearly uses (visible in the cookie scan), or it’s buried in a page that’s not linked from the main navigation or footer.
Section 2: Cookie Consent
Checklist
- Cookie consent banner appears on first visit
- Banner offers genuine choice: Accept, Reject, and Customise options (not just “Accept” with a hidden reject option)
- No tracking or analytics cookies fire before consent is given — verify this in browser developer tools
- Cookie preferences can be changed after initial choice (usually via a link in the footer)
- Cookie consent integrates with Google Consent Mode v2 if you use Google Analytics or Google Ads
- Cookie categories are clearly explained: Necessary, Analytics, Marketing, Preferences
- Cookie consent settings persist correctly across page navigation and return visits
How to Check
Open your site in an incognito/private browser window. Before clicking anything on the cookie banner, open the browser’s developer tools (F12), go to the Application tab, and check what cookies have been set. If you see Google Analytics cookies (_ga, _gid) or any marketing cookies before you’ve given consent, your implementation is broken.
For implementation guidance, see my full walkthrough on CookieYes and Google Consent Mode v2 setup.
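The pre-consent check described above, as an added example that is not part of the original article. In the browser the two inputs would be document.cookie and the URLs from performance.getEntriesByType("resource"); here they are constructed. Only _ga and _gid come from the article; the other cookie patterns and the script hosts are my own additions.

```javascript
// Added example (not from the article): list what fired before consent.
// In the browser, before touching the banner, the inputs come from
//   document.cookie
//   performance.getEntriesByType("resource").map(e => e.name)
// _ga/_gid are from the article; the other cookie patterns and the script
// hosts are my own additions and should be kept in step with your stack.
const TRACKING_COOKIES = [
  { pattern: /^_ga$|^_gid$|^_ga_/, category: "Analytics", tool: "Google Analytics" },
  { pattern: /^_hj/,               category: "Analytics", tool: "Hotjar" },
  { pattern: /^_fbp$/,             category: "Marketing", tool: "Meta Pixel" },
];
const TRACKING_SCRIPT_HOSTS = [
  { host: "connect.facebook.net", category: "Marketing", tool: "Meta Pixel" },
  { host: "snap.licdn.com",       category: "Marketing", tool: "LinkedIn Insight Tag" },
  { host: "static.hotjar.com",    category: "Analytics", tool: "Hotjar" },
];

// "a=1; b=2" -> ["a", "b"]
function cookieNames(cookieString) {
  return cookieString.split(";").map(c => c.trim().split("=")[0]).filter(Boolean);
}

// Everything returned should have waited for consent; an empty array passes.
function auditPreConsent(cookieString, resourceUrls) {
  const findings = [];
  for (const name of cookieNames(cookieString)) {
    const hit = TRACKING_COOKIES.find(t => t.pattern.test(name));
    if (hit) findings.push({ kind: "cookie", name, category: hit.category, tool: hit.tool });
  }
  for (const url of resourceUrls) {
    let host;
    try { host = new URL(url).hostname; } catch { continue; }
    const hit = TRACKING_SCRIPT_HOSTS.find(t => host === t.host || host.endsWith("." + t.host));
    if (hit) findings.push({ kind: "script", name: url, category: hit.category, tool: hit.tool });
  }
  return findings;
}

// Constructed sample of a broken site: GA and Meta cookies exist before any click.
const SAMPLE_COOKIES =
  "_ga=GA1.1.1111.2222; _ga_XXXXXXXXXX=GS1.1.3333; _gid=GA1.1.4444; session_id=k7f; _fbp=fb.1.1700000000.12345";
const SAMPLE_RESOURCES = [
  "https://example.org/css/site.css",
  "https://connect.facebook.net/en_US/fbevents.js",
  "https://static.hotjar.com/c/hotjar-0000000.js",
];

for (const f of auditPreConsent(SAMPLE_COOKIES, SAMPLE_RESOURCES)) {
  console.log(`FAIL ${f.kind}: ${f.name} (${f.tool}, needs ${f.category} consent)`);
}
```

Under Consent Mode the Google tag itself is expected to load and send cookieless pings before consent, so the audit looks at cookies and third-party tracking scripts rather than at every request to Google hosts.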
Section 3: Contact Forms and Data Collection
Checklist
- Every form that collects personal data includes a link to the privacy policy
- Forms include a clear statement of what will happen to the data (“We’ll use this to respond to your enquiry and won’t share your details with third parties”)
- Newsletter sign-up forms use explicit opt-in (not pre-ticked checkboxes)
- Form data is transmitted securely (HTTPS — verify SSL is active)
- Form submissions are stored securely and accessible only to authorised staff
- There is a defined process for handling data subject access requests received through the website
Webflow-Specific Notes
Webflow native forms store submissions in the Webflow dashboard. These are accessible to anyone with site access — ensure your Webflow workspace permissions are appropriately restricted. If you use HubSpot, Mailchimp, or other third-party form embeds, the data goes to those platforms — ensure your privacy policy names them as data processors.
For related guidance, see Setting up Webflow forms.
Section 4: Donation Processing
Checklist
- Donation platform (Fundraise Up, Donorbox, Enthuse, etc.) is named in the privacy policy as a data processor
- Donation page explains that payment data is handled by the third-party platform, not stored on the Webflow site
- Donation confirmation includes or links to privacy information
- Gift Aid declarations (if applicable) include appropriate data handling notices
- Recurring donation terms include information about how to cancel and how data is managed after cancellation
Section 5: Analytics and Tracking
Checklist
- Google Analytics 4 (or equivalent) is configured to respect cookie consent — does not fire until consent is granted
- IP anonymisation is enabled (GA4 does this by default, but verify)
- Data retention settings in GA4 are set appropriately (default is 2 months for user data — you may want to extend to 14 months for reporting purposes)
- Any additional tracking scripts (Meta Pixel, LinkedIn Insight Tag, Hotjar, etc.) are blocked until marketing consent is granted
- Google Tag Manager is configured with consent mode integration
For GTM setup guidance, see Google Tag Manager setup for Webflow nonprofits.
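The consent mode wiring the two checklists above call for, as an added example that is not the article's, CookieYes's or Google's own code. It maps the four banner categories from Section 2 onto the gtag consent signals; the dataLayer shim stands in for the standard gtag bootstrap snippet, and the 500 ms wait_for_update value is an assumed setting.

```javascript
// Added example (not the article's or CookieYes's code): Consent Mode v2
// signals driven by the four banner categories from Section 2. The dataLayer
// shim below stands in for the standard gtag bootstrap snippet.
const dataLayer = [];
function gtag() { dataLayer.push(Array.from(arguments)); }

// Consent types gtag understands; ad_user_data and ad_personalization are the v2 additions.
const CONSENT_TYPES = [
  "ad_storage", "ad_user_data", "ad_personalization", "analytics_storage",
  "functionality_storage", "personalization_storage", "security_storage",
];
const V2_ADDITIONS = ["ad_user_data", "ad_personalization"];

// Banner category -> consent types it switches on. Necessary maps to nothing:
// security_storage is always granted and needs no consent.
const CATEGORY_MAP = {
  Analytics:   ["analytics_storage"],
  Marketing:   ["ad_storage", "ad_user_data", "ad_personalization"],
  Preferences: ["functionality_storage", "personalization_storage"],
};

function consentState(grantedCategories) {
  const state = Object.fromEntries(CONSENT_TYPES.map(t => [t, "denied"]));
  state.security_storage = "granted";
  for (const cat of grantedCategories) {
    for (const type of CATEGORY_MAP[cat] || []) state[type] = "granted";
  }
  return state;
}

// Step 1: run in <head> before gtm.js so no tag can write storage first.
// wait_for_update (ms, assumed value) holds tags while the banner restores a saved choice.
function setConsentDefault() {
  const defaults = { ...consentState([]), wait_for_update: 500 };
  gtag("consent", "default", defaults);
  return defaults;
}

// Step 2: the banner calls this with the categories the visitor accepted.
function applyConsentChoice(grantedCategories) {
  const update = consentState(grantedCategories);
  gtag("consent", "update", update);
  return update;
}

// Audit helper: which v2 signals does an existing "default" call leave unset?
function missingV2Signals(defaultArgs) {
  return V2_ADDITIONS.filter(t => !(t in defaultArgs));
}

setConsentDefault();                 // before GTM loads
applyConsentChoice(["Analytics"]);   // visitor accepted analytics only
```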
Section 6: Third-Party Services
Checklist
- All third-party services that process personal data through the website are identified and listed
- Each service is named in the privacy policy with a description of what data it processes
- Data Processing Agreements (DPAs) are in place with all third-party processors
- Third-party services store data in jurisdictions that provide adequate data protection (EU/UK adequacy decisions)
Common Third-Party Services on Nonprofit Webflow Sites
Google Analytics 4, Google Tag Manager, CookieYes (or equivalent consent manager), donation platform (Fundraise Up, Donorbox, Enthuse), email marketing (Mailchimp, Campaign Monitor, HubSpot), CRM (HubSpot, Salesforce), embedded video (YouTube, Vimeo), social media embeds (Twitter/X, Instagram), chatbots or live chat tools.
What the ICO Expects From Charities
The Information Commissioner’s Office (ICO) has specific guidance for charities on GDPR compliance. Key expectations:
- Charities must be registered with the ICO if they process personal data (the annual registration fee is £40 for most small organisations, £60 for medium organisations)
- The ICO expects charities to have a named Data Protection Officer or a clearly identified person responsible for data protection
- Fundraising communications must comply with both GDPR and the Privacy and Electronic Communications Regulations (PECR) — this affects how newsletter sign-ups and donation follow-up communications are managed
- The ICO has historically taken enforcement action against charities for data handling failures, particularly around fundraising data and donor profiling
Annual GDPR Review Checklist
GDPR compliance is not a one-off task. Schedule an annual review covering:
- Privacy policy accuracy — does it still reflect what the website actually does?
- Cookie consent functionality — does the banner still work correctly after any site updates?
- Third-party service audit — have you added or removed any services that process personal data?
- Data retention — are you deleting data that has passed its retention period?
- ICO registration — is your registration current?
- Staff awareness — does the team know how to handle data subject access requests?
This review should be documented and included in your website governance records. For the governance framework, see How to Create a Website Governance Policy.
For a comprehensive assessment of your site’s GDPR compliance alongside accessibility, content, and governance, the Blueprint Audit covers all of these areas as an integrated review.
Eric Phung has 7 years of Webflow development experience, having built 100+ websites across industries including SaaS, e-commerce, professional services, and nonprofits. He specialises in nonprofit website migrations using the Lumos accessibility framework (v2.2.0+) with a focus on editorial independence and WCAG AA compliance. Current clients include WHO Foundation, Do Good Daniels Family Foundation, and Territorio de Zaguates. Based in Manchester, UK, Eric focuses exclusively on helping established nonprofits migrate from WordPress and Wix to maintainable Webflow infrastructure.

