
Data protection tips for charities

Data protection for charities is essential, yet many third sector organisations underestimate its importance.

If your organisation processes personal data – whether of donors, beneficiaries, staff or suppliers – you’re subject to the same legal obligations and financial penalties as for-profit businesses. The General Data Protection Regulation (GDPR) and related data protection legislation apply to all organisations that act as data controllers or data processors.

That means the stakes are high: fines for non-compliance can reach £17.5 million or 4% of global turnover, and even administrative missteps can cost millions. But navigating data protection rules doesn't need to feel overwhelming. Our data protection solicitors support charities with practical, plain-English advice to help you avoid risk and build trust with your stakeholders. From data audits and policy reviews to tailored data protection training, we help you stay compliant without draining valuable time and resources.

Top data protection tips for charities to stay compliant

Consent

According to the Information Commissioner's Office (ICO), charities must ensure that donors or other individuals provide a positive opt-in, offering them real choice and control. Genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation. It is important to remember that consent should be as easy to withdraw as it was to give. Charities should also consider whether consent is the correct lawful basis to use at all and, if it is, make it easy for the individual to withdraw it quickly and effortlessly should they wish to do so.

Transparency

Charities should inform people about why they are gathering information and what they intend to do with it. This should take the form of a privacy notice that is readily available and easy to understand.

Review Data

Information collected should be sufficient and relevant.

Accuracy

There’s no point in collecting data that’s inaccurate; you may as well not have it. Charities should verify that the information they have is accurate and useful for the purposes for which they are processing that personal data.

Retention

Personal data should not be stored longer than necessary. Charities should review their retention schedules and store only the information they need, ensuring compliance with local retention and privacy laws. The reasons for storage should be justified.

Security

Charities should ensure that data is protected and that access is granted on a need-to-know basis, i.e. only to those who have a legitimate reason to access it. Data should be shared securely, for example using encrypted and password-protected files, so that it is not compromised.

Training

Charities should ensure that those entrusted with processing personal data receive GDPR training so that technical and organisational measures are adhered to. Everyone in an organisation that processes personal data has a part to play, so it may be necessary to train all staff and volunteers; the level of training may differ depending on job role. For example, roles that handle a lot of personal data on a daily basis may require more in-depth training.

Accountability

Records demonstrate compliance. Whether projects or documents are in progress or complete, records of them, and of processing activities, should be kept to prove compliance with the GDPR.

Legitimate Interest Assessments - How do they apply to Charities?

Charities may often find 'legitimate interest' to be the most flexible lawful basis for processing, but it cannot be assumed that it will always be the most appropriate.

A Legitimate Interest Assessment can help charities ensure they are legitimately processing personal data and demonstrate compliance.

The ICO recommends applying the following three questions when considering legitimate interests as a lawful basis:

  • Purpose test – Is there a purpose for processing the data?
  • Necessity test – Is processing the data necessary for that purpose?
  • Balancing test – The charity must balance its interests against those of the individual. If individuals would not reasonably expect the processing, or it would cause unjustified harm, their interests are likely to override the charity’s legitimate interests.

Charities should specify the purpose for processing personal data; for example, having a legitimate interest in increasing donations. The ICO’s Legitimate Interests Assessment (LIA) template can help charities determine whether legitimate interests are likely to apply to processing.

The ICO has also helpfully provided the following example to illustrate how legitimate interests may be used as a lawful basis for processing personal data:

A charity wants to send fundraising material by post to individuals who have donated to them in the past but have not previously objected to receiving marketing material from them. The charity’s purpose of direct marketing to raise funds for its cause is a legitimate interest.

The charity then looks at whether sending the mailing is necessary for its fundraising purposes. It decides that it is necessary to process contact details for this purpose, and that the mailing is a proportionate way of approaching individuals for donations.

The charity considers the balancing test and takes into account that the nature of the data being processed is limited to names and addresses, and that it would be reasonable for these individuals to expect to receive marketing material by post, given their previous relationship.

The charity determines that the impact of a fundraising mailing on these individuals is likely to be minimal; however, it includes details in the mailing (and each subsequent one) about how individuals can opt out of receiving postal marketing in future.

We understand that it can be a difficult task to complete an LIA and assess whether legitimate interests can be applied to processing activities; however, the team at Harper James are here to help you every step of the way.

Where do you report breaches?

Just like any other data controller, if a breach has occurred at a charity and is likely to result in a risk to the rights and freedoms of individuals, then it must be reported to the ICO within 72 hours. If the breach is likely to result in a high risk to the rights and freedoms of individuals, then the charity must also notify those concerned (the data subjects) without undue delay. Failure to notify a breach when required to do so can result in a fine.

For charities, there is a second line of reporting in addition to reporting a data breach to the ICO. A charity will also need to consider whether the data breach constitutes a serious incident and, if so, whether it requires reporting to the Charity Commission. The Charity Commission is the regulator of charities in England and Wales and maintains the charity register. It is an independent, non-ministerial government department accountable to Parliament. The charity trustees or Data Protection Officer (DPO) should decide whether an incident is significant and should be reported to the Charity Commission. To assist, the Charity Commission provides a list of the types of incidents that should and should not be reported.

The Charity Commission guidance states:

If trustees fail to report a serious incident that subsequently comes to light, the Commission may consider this to be mismanagement … may prompt regulatory action … if further abuse or damage has arisen following the initial incident.

How we can support your charity with data protection

Complying with GDPR is not only a legal requirement but also essential for maintaining donor confidence and operational integrity. Whether you need help drafting legitimate interest assessments, creating effective privacy notices, managing training or responding to breaches, our data protection solicitors can guide you through every step. We work with charities of all sizes to ensure your data practices are robust, lawful and proportionate. If you're unsure whether your organisation is meeting its obligations, or you want a second opinion, our team is here to help you get it right.
