Does GDPR apply to non-profits?

Yes. GDPR is applicable to all organisations that can be considered data controllers and data processors in the EU. If you are a non-profit organisation or charity and process the personal data of individuals residing in the EU/EEA, then GDPR applies to you. Non-profits should take measures to secure and protect the personal data of their employees, donors, volunteers, beneficiaries and grantees.

Non-profits and charities have certain exemptions, mainly regarding data held on the well-being of ‘at risk’ minors. For guidance on this, you can refer to the exemptions that are available in Article 23 and Chapter 9 of the GDPR and Schedules 2, 3 and 4 of the Data Protection Act 2018.