Operating in the UK as a Non-Profit: Your Salesforce and GDPR Compliance Checklist

If your organisation has recently made the move from the US (or elsewhere) and registered as a UK charity, congratulations — and welcome. You've navigated the legal and structural complexity of establishing yourself in a new country. But there's another layer of complexity that often catches international non-profits off guard: data compliance.

If you were using Salesforce in the US, your existing setup may not be compliant with UK and EU data protection law. Here's what you need to know.

UK GDPR: the basics for charities

Since Brexit, the UK operates under UK GDPR — its own version of the EU's General Data Protection Regulation, which is largely aligned but has some distinct requirements. As a UK charity, you are required to:

  • Have a lawful basis for processing every category of personal data you hold

  • Be transparent with individuals about how their data is used

  • Honour data subject rights (access, erasure, portability, objection)

  • Report certain data breaches to the ICO within 72 hours

  • Only transfer personal data internationally under approved mechanisms

That last point is particularly relevant if your Salesforce org is still based on US data infrastructure, or if you're sharing data with US-based teams or partner organisations.

Reviewing your Salesforce org for compliance

Here are the key questions to work through when reviewing an existing Salesforce setup for UK GDPR compliance:

  • Where is your Salesforce data stored? Salesforce allows you to specify data residency. UK and EU charities should ensure personal data is stored within the UK or EU.

  • What personal data are you holding, and on what lawful basis? Salesforce can be configured to capture and record consent, legitimate interest assessments, and other lawful bases against individual records.

  • Do you have retention policies in place? Salesforce doesn't automatically delete old records. You'll need to configure data retention and archiving rules.

  • Are your permissions set correctly? Staff should only be able to access the data they genuinely need — Salesforce's profiles and permission sets let you enforce this, but it requires careful configuration.

  • Do you have a process for handling data subject requests? When a supporter asks what data you hold on them — or asks to be forgotten — you need to be able to respond quickly and accurately.
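To make the retention and erasure points concrete, here is an added example (not Salesforce4sme's or Salesforce's own code) of a scheduled Apex job that applies one retention rule and purges the deleted supporters from the Recycle Bin, plus a helper for right-to-erasure requests. The 6-year period and the donations-as-Opportunities model are assumptions; set both from your documented retention policy.

```apex
// Added example: nightly retention job plus a right-to-erasure helper.
// Assumptions: 6-year retention, and donations modelled as Opportunities
// linked to the supporter through OpportunityContactRole.
global class SupporterRetentionJob implements Schedulable, Database.Batchable<SObject> {
    private static final Integer RETENTION_YEARS = 6; // assumption: match your policy

    // Schedule with e.g. System.schedule('Retention', '0 0 2 * * ?', new SupporterRetentionJob());
    global void execute(SchedulableContext sc) {
        Database.executeBatch(new SupporterRetentionJob(), 200);
    }

    // Candidates: contacts with no logged activity since the cutoff.
    // LastActivityDate is null when nothing was ever logged, so fall back to CreatedDate.
    global Database.QueryLocator start(Database.BatchableContext bc) {
        Date cutoff = Date.today().addYears(-RETENTION_YEARS);
        DateTime cutoffDt = DateTime.newInstance(cutoff, Time.newInstance(0, 0, 0, 0));
        return Database.getQueryLocator([
            SELECT Id FROM Contact
            WHERE LastActivityDate < :cutoff
               OR (LastActivityDate = null AND CreatedDate < :cutoffDt)
        ]);
    }

    // Keep anyone with a donation inside the window; delete the rest and purge them
    // from the Recycle Bin, where deleted records otherwise remain recoverable.
    global void execute(Database.BatchableContext bc, List<Contact> scope) {
        Date cutoff = Date.today().addYears(-RETENTION_YEARS);
        Set<Id> contactIds = new Map<Id, Contact>(scope).keySet();
        Set<Id> recentDonors = new Set<Id>();
        for (OpportunityContactRole r : [
            SELECT ContactId FROM OpportunityContactRole
            WHERE ContactId IN :contactIds AND Opportunity.CloseDate >= :cutoff
        ]) {
            recentDonors.add(r.ContactId);
        }
        List<Contact> toDelete = new List<Contact>();
        for (Contact c : scope) {
            if (!recentDonors.contains(c.Id)) toDelete.add(c);
        }
        if (!toDelete.isEmpty()) {
            delete toDelete;
            Database.emptyRecycleBin(toDelete);
        }
    }

    global void finish(Database.BatchableContext bc) {}

    // Right-to-erasure: hard-delete one supporter on request. Related records
    // (activities, notes, custom objects) need the same treatment per your data map.
    public static void eraseSupporter(Id contactId) {
        List<Contact> c = [SELECT Id FROM Contact WHERE Id = :contactId];
        delete c;
        Database.emptyRecycleBin(c);
    }
}
```

Run the batch against a sandbox copy first and keep a count of deletions per run; that record is the evidence an auditor or the ICO will ask for.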

Moving from a US non-profit structure to a UK charity

Beyond data compliance, transitioning your Salesforce org from a US context to a UK one often involves practical changes too:

  • Currency and financial settings — switching from USD to GBP and aligning with UK accounting practices

  • Terminology and record types — what's called a '501(c)(3)' in the US has no direct equivalent; your record types and processes may need renaming and restructuring

  • Reporting and gift aid — UK charities can claim Gift Aid on eligible donations, and Salesforce can be configured to track donor declarations and calculate claims

  • Regulatory alignment — the Charity Commission has different reporting requirements to the IRS, and your Salesforce data should support your annual return

Why working with a UK-based provider matters

Data compliance isn't just a technical issue — it's a legal one. Working with a Salesforce partner based in the UK means you're getting advice grounded in UK GDPR, ICO guidance, and UK charity law. We understand the landscape you're operating in, and we'll help you build a Salesforce org that keeps you on the right side of it.

Ready to get started? Get in touch with the team at Salesforce4sme — we'd love to learn about your organisation and explore how we can help. Contact us today at salesforce4sme
