DPO for Nonprofits and NGOs
Social NGOs, friends-of organizations, charities and social institutions manage donor, volunteer, beneficiary, and direct-mail databases, sometimes at very large scale. Amendment 13, the Spam Law and Registrar of Associations reporting together form a complex framework. We offer an outsourced DPO for NGOs, with pricing tiers tailored to nonprofit budgets.
8 typical NGO databases
| Database | Details |
|---|---|
| Active donors | Contact details, donation history, marital status (for family mailing), preferences |
| Prospect donors | Prospects database, list purchases, event leads |
| Volunteers | Details, police clearance (when relevant), hours, specialties |
| Beneficiaries & clients | Families in distress, Holocaust survivors, people with disabilities — sometimes special-sensitive data |
| Program participants | Workshop / camp / enrichment program registration |
| Direct mailing | Mailing lists, consent and unsubscribe management |
| Employees & activists | Employee files, salaries (for paid-staff nonprofits) |
| Events & registrations | Fundraising event registration, thank-you events, vendors |
Six issues unique to NGOs
Direct mail at scale
An NGO sends a newsletter to 50,000 subscribers and runs multi-year fundraising appeals. The Spam Law, the Communications Law and Amendment 13 apply together, a complex combination.
Data on families in distress
Aid NGOs (Aksen, Pitchon Lev, Latet) manage beneficiary databases with special-sensitive data. High security level + careful handling procedures.
CRM with donation companies
NGO CRM — Salesforce, NeonOne, Plotis — contains detailed donation history. Requires DPA + Transfer Impact Assessment for US vendor.
Volunteers working with databases
A volunteer working from home with a phone database gets access to the beneficiary list. This requires a confidentiality agreement, training, and controls.
Dual regulatory reporting
The Registrar of Associations, the Companies Authority (for a benefit corporation) and the Tax Authority each require reporting. Sometimes the DPO is part of the annual report.
Fundraising, grants, and foundations
An application to a foundation or major donor requires a compliance check, including proof of a DPO and a privacy program. More international donors require this.
Which NGO must have a DPO?
Small NGO
<100,000 ILS annual revenue: Usually not required
No significant sensitive data, no large-scale mailing, no public-body sharing — usually exempt. Still recommended: internal privacy policy.
Mid-size NGO
100,000-2,000,000 ILS: Check
Depends on type: welfare NGO with beneficiary databases = required. Cultural NGO with subscriber list = usually not. Personal consultation needed.
Large NGO
2,000,000-10,000,000 ILS: Yes, required
Usually has a large CRM, donor list, volunteer activity, and sometimes beneficiaries. All trigger scale.
Very large NGO / charity
>10,000,000 ILS: Yes, required + complexity
Complex management systems, branches, sharing with international vendors. Requires full GRC or DPO + GRC Lite.
Frequent questions from nonprofits & NGOs
Small NGO — required to have DPO?
What about direct mail?
NGO CRM — requires DPA?
Do you have NGO-friendly pricing?
What about volunteers working from home?
What about international foundations requiring compliance?
Do you have NGO experience?
Where NGOs typically start
If you are still unsure whether the obligation applies, start with our explainer on who must appoint a DPO. The first project for nearly every nonprofit is structured data mapping (the RoPA) across donor CRMs, volunteer rosters, and beneficiary files. For nonprofits with paid staff, we also help draft an employee privacy policy that fits Israeli employment law.
NGO directors, CEOs, board chairs — let's talk.
30-minute call, adapted to NGO type and pricing tier.