Grant data with intention: Collect less, protect better

How much personal information would you share in a grant application? For many applicants, every piece of information is also a question of trust.

Grant managers work with sensitive information every day: contact details, financial data, personal backgrounds, sometimes even health or social data. That responsibility is significant. Yet in practice, data privacy often takes a back seat.

It’s worth looking at more closely: organisations that are deliberate about what they collect and careful about how they protect it don’t just strengthen the legal integrity of their program, they also build trust with applicants.

Why data privacy matters in grantmaking

The General Data Protection Regulation (GDPR) applies to grant programs and foundations too. It sets clear requirements for how personal data must be handled, from collection to storage and processing.

In the context of grantmaking, data privacy goes beyond mere compliance. Applicants share sensitive information with the expectation that it will be handled responsibly.

Being thoughtful about data therefore contributes not only to meeting legal obligations, but also to the fairness and accessibility of grant programs. Organisations that handle information transparently and carefully lower the barriers for applicants and strengthen the integrity of the entire process.

What you actually need to collect—and what you don’t

One of the most common mistakes in grant management is collecting more data than necessary. The principle of data minimisation is straightforward: only collect what is genuinely needed for the purpose at hand.

Before building an application form, it’s worth asking: Do we actually need this information to make our decision?

A useful rule of thumb: if you can’t point to where a data field feeds into your selection or reporting process, it probably doesn’t belong in the form.

Some practical examples:

• Date of birth is often unnecessary when only age or an age range is relevant.
• Bank details should be collected upon approval, not at the application stage.
• Data on ethnicity or health is only permissible where it directly serves the purpose of the grant and a clear legal basis exists.

Platforms like Good Grants make it easy to build application forms around your specific program needs, including only the fields that are actually relevant. That makes data minimisation far easier to put into practice. For more on what to leave out of your forms, see our guide on common application form mistakes.

Anonymising data: Protecting privacy during analysis

For program evaluations, reports and internal analysis, you need data, but not personal data. That’s where anonymisation comes in.

Anonymisation vs. pseudonymisation: Anonymised data can no longer be linked to any individual. Pseudonymised data uses a code that can be traced back to a person with the right key. For external reports and analysis, fully anonymised data is the way to go wherever possible.

Some practical approaches:

• Aggregate: Rather than analysing individual responses, group data together (e.g. “30–40% of applicants came from rural areas”).
• Remove directly identifying information: Names, addresses and contact details are stripped out before analysis begins.
• Categorise: Precise figures (such as annual income) are converted into ranges, making it harder to draw conclusions about individuals.

For reviewers involved in the selection process, anonymous review is well worth considering: applications are assessed without names, locations or other potentially identifying details. This protects applicant privacy and helps reduce unconscious bias at the same time.

Technical and organisational safeguards

Data protection starts the moment data is collected. The GDPR requires what are known as technical and organisational measures (TOMs) to ensure personal data is kept secure.

In practice, this means:

• Restricting access: Not everyone on your team needs to see everything. Be clear about who can access which data. Reviewers, for example, should only see what’s relevant to their decision.
• Secure transmission: Application portals should use encrypted connections (HTTPS). Files should never be sent unencrypted via email.
• Setting retention periods: How long do applicant records need to be kept? Once the legal or program-specific retention period has passed, data should be securely deleted.
• Preventing and reporting breaches: Under the GDPR, data breaches must be reported to the relevant supervisory authority within 72 hours. A clear internal escalation process is essential.

For more best practices on secure data handling in grantmaking, see our practical security checklist for grant programs.

Transparency with applicants: An underrated strength

Data privacy isn’t a one-way street. Applicants have the right to know what data you collect, why you collect it and how long it will be stored.

A solid privacy notice in a grant context should cover:

• What data is collected and why
• Who has access (internally and externally)
• How long data is retained
• How applicants can exercise their rights (access, deletion, objection)

Plain language goes a long way here. Legal jargon tends to put people off, and a privacy notice buried at the end of a form does little for trust. Ideally, make it visible before applicants enter any data at all. For more on creating a positive experience throughout the application journey, see our article on enhancing the applicant experience.

Data privacy is the foundation of good grantmaking

Treat data privacy for what it is: An investment in the credibility and quality of your grant program.

Getting started doesn’t have to be a big project. Take a look at your current application form: What data are you actually collecting? What could be left out? Where might anonymisation make your analysis more secure?

Platforms like Good Grants are designed to help you build grant processes where privacy is built in from the start—no deep technical expertise required. Good grantmaking, after all, means handling the information people share with you with the care it deserves.