Is It Safe to Use AI for Nonprofits and Charities? (Donor and Beneficiary Data)
Yes, with one condition: anonymise donor and beneficiary identifiers before any AI prompt. Much charity case-note data is special category data.
Yes, with one firm limit. AI can help you draft a grant application or an appeal letter. It has no business seeing a beneficiary's name, address or case file. A nonprofit holds two data sets. Donors, with their names, giving history and payment details. Beneficiaries, with their health, family circumstances, sometimes an abuse record. Much of that second set is special category data under Article 9 of the GDPR. If it leaks, the harm is not embarrassment. It is danger. The fix is simple: anonymise the identifiers before you send, and let the model work on the structure.
Two data sets, two very different risks
Most charities think like a small business. One contact base, one file, a few spreadsheets. That framing is wrong. You actually hold two files of opposite nature, and only one of them can hurt someone.
- Donors: name, contact details, giving history, payment details, sometimes wealth-screening or capacity notes. A leak here is a commercial and reputational problem. It is serious, but it is recoverable.
- Beneficiaries: health conditions, disability, ethnicity, faith, safeguarding files, domestic-abuse cases, asylum journeys. A leak here can expose a real person to physical risk.
Take the hardest case. A woman supported after domestic abuse. Her refuge address sits in a case note. If that note escapes your control, this is not an admin incident. It is a physical-safety event. The same logic applies to an asylum seeker whose file reveals ethnicity, religion or health.
This has to be said soberly, without drama. The risk is not theoretical. It has a name and a face. That is what separates a charity from an ordinary small company.
GDPR Article 9: the bar is higher
The GDPR (and its UK version) treats certain categories of data apart. Article 9 gives them extra protection. Racial or ethnic origin. Political opinions. Religious or philosophical beliefs. Trade union membership. Genetic data. Biometric data used to identify someone. Health data. Data about sex life or sexual orientation.
The Information Commissioner's Office (ICO), the UK regulator, states the rule plainly. Processing this data is prohibited by default. To lift that ban you need a condition from Article 9, on top of your ordinary lawful basis under Article 6. In other words: two justifications, not one.
Now look at your case notes. Health, disability, ethnicity, faith, vulnerability tied to an immigration journey. Immigration status is not itself listed in Article 9. But the data sitting next to it almost always is. An asylum file speaks of origin, religion, health, sometimes persecution. You are squarely inside Article 9.
The ICO adds a decisive test. Most Article 9 conditions require the processing to be genuinely necessary. Necessary means targeted and proportionate to the purpose. Not merely convenient or habitual. Pasting a whole beneficiary file into a consumer chatbot to save time does not pass that test. The same draft can be produced from an anonymised outline.
Charity status is not an exemption
This is the sector's most common misunderstanding. "We are a small volunteer charity, the law will go easy on us." It will not. The law applies according to what you do with personal data. Not according to your size, and not according to your charitable purpose.
The ICO even runs an advice stream for small and medium organisations, small charities and clubs included. It offers self-assessment checklists, a helpline and bite-size guidance. The underlying message never changes. Some very small organisations may be exempt from the registration fee, but none are exempt from the data-protection principles. Your charity remains a data controller. It must be able to show compliance.
On the security side, the UK's National Cyber Security Centre (NCSC) publishes guidance built for small organisations, charities included. Its advice is deliberately cheap and low-skill. Back up essential data. Encrypt devices and lock screens. Use strong, distinct passwords. Spot and report phishing. Keep software updated. Train your people. The NCSC names supporter and beneficiary databases as exactly the data a charity cannot function without, and points to Cyber Essentials certification.
Now add the missing ingredient. Volunteers who rotate. Personal devices. Consumer AI accounts opened in two clicks. Those free tiers usually come with no signed DPA (Data Processing Agreement). They may reuse inputs to improve models. And they leave no usable audit trail. Thin security, untrained volunteers and consumer tools: that is a bad combination.
What the AI actually needs to help you
Good news: AI remains genuinely useful to a charity. It structures a grant bid. It tightens an appeal letter. It turns bullet notes into readable prose. For all of that, it needs the shape of the story, not the person.
| Your task | What the model needs | What must never leave your desk |
|---|---|---|
| Draft a grant application | The type of need, the outcomes, aggregate figures, the overall budget | Beneficiary names, dates of birth, addresses, case reference numbers |
| Write a donor appeal letter | A composite, anonymised story and the tone you want | Donor name, giving history, payment details |
| Summarise case notes | The useful facts, with no identifiers and no named diagnosis | Health, safeguarding, abuse or ethnicity tied to one person |
| Prepare an annual report | Aggregate numbers and trends | Any individual row from your beneficiary database |
The fix: anonymise before you send
The measure that works is boring, and that is a good sign. Strip the identifiers before any prompt. The model does not need a name, a date of birth, an address or a diagnosis. It needs the structure of the case.
- 1Collect the least data possible, starting at the intake form.
- 2Spot the identifiers in your text: names, addresses, dates, case numbers, amounts, health details.
- 3Replace them with reversible tokens, in the browser, before you send.
- 4Send only the anonymized text to the model, then restore the real values locally.
- 5Pick tools that come with a DPA and exclude your inputs from model training.
- 6Train staff and volunteers on the same rules, and keep the most sensitive safeguarding files off consumer AI entirely.
This list costs almost nothing. For a charity budget, that matters. The ICO's self-assessments are open to anyone, and the NCSC's guides are written for small teams. You do not need an expensive compliance programme to protect your beneficiaries. You need one simple rule that everybody follows.
That is exactly what ONYRI Sanitize is for. The engine detects sensitive data — names, addresses, dates, case numbers, donation amounts, health mentions — and replaces it with reversible tokens before sending. Detection and the mapping stay in your browser. Only anonymized text reaches the model. Your grant bid still gets drafted, your appeal letter still gets written, and no beneficiary is identifiable in the prompt.
Frequently asked questions
- Is it safe to use AI for nonprofits and charities?
- Yes, provided you anonymise before you send. AI can draft a grant application or an appeal letter from an anonymised outline. It does not need a beneficiary's name, address or case file. Much of that data is special category data under Article 9 of the GDPR, which demands an extra justification. And a beneficiary data leak can put a real person in physical danger.
- Is our beneficiary data special category data under the GDPR?
- Very often, yes. Article 9 of the GDPR protects health, ethnicity, religion, trade union membership, genetic and biometric data, and sex life. The ICO explains that processing it is prohibited by default: you need an Article 9 condition on top of your Article 6 lawful basis. Immigration status is not listed as such, but asylum files almost always carry Article 9 data alongside it. Criminal offence data falls under Article 10.
- Is a small volunteer-run charity exempt from data protection law?
- No. The law applies according to what you do with personal data, not your size or your charitable status. The ICO runs dedicated advice for small organisations, small charities included. Some very small organisations may be exempt from the registration fee, but none are exempt from the data-protection principles. Your charity is still a data controller, and it must be able to show compliance.
Sources & references
- What is special category data? (GDPR/UK GDPR Article 9: protected categories, Article 9 condition on top of the Article 6 lawful basis) — Information Commissioner's Office (ICO)
- Advice for small and medium organisations (small charities included: self-assessments, helpline, no size-based exemption) — Information Commissioner's Office (ICO)
- Cyber security advice for small to medium sized organisations (charity collection: backups, passwords, phishing, Cyber Essentials) — UK National Cyber Security Centre (NCSC)
Keep your sensitive data in your browser
ONYRI Sanitize detects and masks your sensitive data before it reaches the AI, then restores the answer — from names to API keys.
Anonymize my prompt