Grant applications are full of personal data, often more than teams realise: names and contact details at a minimum, but frequently also CVs, references, financial information, and sometimes special-category data like health details where the project touches on care or disability.
When that information lives in shared drives, inboxes and a tracking spreadsheet, the program is carrying real GDPR exposure without a clear way to manage it.
The questions that expose the gap are simple:
- Who has access to this data, and do they all need it?
- On what lawful basis are we holding it?
- How long are we keeping it?
- What happens when an applicant asks us to delete their information?
In a folder-and-inbox setup, nobody can answer those with confidence. A single subject-access or deletion request turns into a manual hunt across multiple systems.
We see compliance-minded teams, especially in regulated sectors and across multi-entity organisations, push to have personal data governed by the platform itself:
- Role-based access, so people see only what their job requires.
- Defined retention periods, with deletion enforced automatically.
- Consent captured at the point of application.
The point is to make GDPR something the system handles by design, rather than something that depends on every team member remembering to do the right thing.