Introduction
Compliance is often misunderstood as paperwork. In reality, it is the system that protects people, money, reputation and mission. In NGO projects, compliance covers personal data, image rights, child protection, financial transparency, conflicts of interest, procurement, documentation and reporting.
A project can have a noble goal and still create risk if participants’ data are mishandled, children are not protected, photos are published without proper consent or board members approve contracts with related entities without transparency.
Good compliance is not bureaucracy. It is responsible care.
Data protection
NGOs collect personal data in many ways:
- registration forms,
- attendance lists,
- donor databases,
- volunteer agreements,
- newsletter forms,
- photographs,
- survey responses,
- child participation forms,
- recruitment documents,
- payment records.
Your organization should know what data it collects, why it collects it, how long it stores it, who has access and how it is protected.
Practical data protection checklist
- Identify data categories.
- Define legal basis for processing.
- Prepare privacy notices.
- Limit access to data.
- Use secure tools.
- Avoid collecting unnecessary data.
- Store documents safely.
- Delete data when no longer needed.
- Use processor agreements when necessary.
- Train staff and volunteers.
Image rights
Photos and videos are essential for project communication, but they create legal and ethical responsibilities.
Before publishing identifiable images, especially of children, vulnerable people or sensitive situations, the NGO should ask:
- Do we have consent?
- Is the person clearly identifiable?
- What is the publication purpose?
- Where will the image be published?
- How long will it be used?
- Can consent be withdrawn?
- Is the image respectful?
- Could publication harm the person?
Image consent should not be hidden inside a general participation form. It is better to separate participation, data processing and image publication.
Child safeguarding
Projects involving children require special care. Safeguarding should include:
- safe recruitment of staff and volunteers,
- rules for adult-child interaction,
- reporting procedures,
- supervision,
- parental consent,
- online communication rules,
- image publication rules,
- response procedures for suspected harm,
- child-friendly version of rules,
- designated safeguarding person.
Child safeguarding is not only relevant for schools or camps. It applies to workshops, mentoring, online groups, sports, cultural programs and youth projects.
Conflict of interest
A conflict of interest occurs when a person’s private, professional, family or financial interest may influence decisions made for the NGO.
Examples:
- board member’s company provides services to the project,
- evaluator is connected with the applicant,
- project coordinator selects a family member as contractor,
- partner influences procurement,
- public official connected with NGO participates in funding decision.
Conflicts of interest are not always illegal, but they must be identified, disclosed and managed.
Conflict of interest procedure
A simple NGO procedure should define:
- what counts as conflict,
- who must report it,
- how it is documented,
- who decides on exclusion,
- how procurement is protected,
- how related-party contracts are approved,
- how records are stored.
Transparency is the best protection.
Compliance and grant agreements
Grant agreements may require specific compliance rules:
- visibility and promotion,
- procurement,
- participant documentation,
- data protection,
- safeguarding,
- anti-discrimination,
- accessibility,
- conflict of interest declarations,
- audit rights,
- document retention.
Before signing, the board should review the agreement and identify obligations that require internal procedures.
Compliance matrix
| Area | Document or procedure |
| Data protection | Privacy notice, register, access rules |
| Image rights | Consent form |
| Child safeguarding | Protection standards and reporting path |
| Conflict of interest | Declaration and exclusion procedure |
| Procurement | Market research or selection note |
| Finance | Invoice approval workflow |
| Accessibility | Needs assessment and support plan |
| Communication | Branding and visibility rules |
| Reporting | Evidence folder and indicators |
Common compliance mistakes
- Collecting too much personal data.
- Publishing photos without proper consent.
- No child protection policy.
- Selecting related contractors without transparency.
- No procurement notes.
- No access control to documents.
- Mixing private and organizational accounts.
- No record of participant consent.
- Ignoring accessibility needs.
- Treating compliance as the coordinator’s problem only.
Grantowo perspective
Compliance should be designed before the project starts. It is much harder to fix missing consents, unclear procurement or undocumented conflict of interest after the fact.
A credible NGO protects both beneficiaries and funders. This is why compliance is part of impact.
Frequently Asked Questions
Does every NGO need a data protection policy?
Every NGO processing personal data should have basic data protection rules appropriate to its scale.
Can we publish photos from a public event?
Sometimes, but identifiable images still require careful analysis, especially when children or vulnerable people are involved.
What is the safest way to handle child images?
Use separate written consent, define publication channels and avoid images that may expose children to risk.
Is a conflict of interest always forbidden?
Not always, but it must be disclosed and managed transparently.
Who is responsible for compliance in an NGO?
The board is ultimately responsible, but coordinators, staff and volunteers must follow procedures.
Links
Grants and funding for NGOs – https://grantowo.pl/
Knowledge base for non-governmental organizations – https://grantowo.pl/baza-wiedzy/