Data protection for charities is essential, yet many third sector organisations underestimate its importance.
If your organisation processes personal data – whether of donors, beneficiaries, staff or suppliers – you’re subject to the same legal obligations and financial penalties as for-profit businesses. The General Data Protection Regulation (GDPR) and data protection regulations apply to all organisations that are either data controllers or processors.
That means the stakes are high: fines for non-compliance can reach £17.5 million or 4% of global turnover, and even administrative missteps can cost millions. But navigating data protection rules doesn't need to feel overwhelming. Our data protection solicitors support charities with practical, plain-English advice to help you avoid risk and build trust with your stakeholders. From data audits and policy reviews to tailored data protection training, we help you stay compliant without draining valuable time and resources.
Top data protection tips for charities to stay compliant
Consent
According to the Information Commissioner's Office (ICO), charities must ensure that donors and other individuals provide a positive opt-in, offering them real choice and control. Genuine consent should put individuals in charge, build trust and engagement, and enhance your reputation. It is important to remember that consent should be as easy to withdraw as it was to give. Charities should also consider whether consent is indeed the correct lawful basis to use and, if it is, make it quick and effortless for individuals to withdraw it should they wish to.
Transparency
Charities should inform people about why they are gathering information and what they intend to do with it. This should be in the form of a privacy notice and readily available, as well as easy to understand.
Review Data
Information collected should be sufficient and relevant.
Accuracy
There’s no point in collecting data that’s inaccurate; you may as well not have it. Charities should verify that the information they have is accurate and useful for the purposes for which they are processing that personal data.
Retention
Personal data should not be stored longer than necessary. Charities should review their retention schedules and store only the information they need, ensuring compliance with local retention and privacy laws. The reasons for storage should be justified.
Security
Charities should ensure that data is protected and that access is granted on a need-to-know basis, i.e., only to those who have a legitimate reason to access it. Data should be shared securely, for example using encrypted and password-protected files, so that it is not compromised.
Training
Charities should ensure that those entrusted with processing personal data are given GDPR training so that technical and organisational measures are adhered to. Everyone has a part to play in an organisation that processes personal data, so it may be necessary to train all staff and volunteers. The level of training may differ depending on job role; for example, roles that handle a lot of personal data on a daily basis may require more in-depth training.
Accountability
Records demonstrate compliance. Charities should keep records of their data protection documents, whether in progress or complete, and of their processing activities, so that they can prove adherence to the GDPR.
Legitimate Interest Assessments - How do they apply to Charities?
Charities may often find 'legitimate interest' to be the most flexible lawful basis for processing, but it cannot be assumed that it will always be the most appropriate.
A Legitimate Interest Assessment can help charities ensure they are legitimately processing personal data and demonstrate compliance.
The ICO recommends applying the following three questions when considering legitimate interests as a lawful basis:
- Purpose test - Is there a legitimate purpose for processing the data?
- Necessity test - Is the processing of the data necessary for that purpose?
- Balancing test - The charity must balance its interests against those of the individual. If individuals would not reasonably expect the processing, or it would cause them unjustified harm, their interests are likely to override the charity's legitimate interests.
Charities should specify the purpose for processing personal data; for example, having a legitimate interest in increasing donations. The ICO’s Legitimate Interests Assessment (LIA) template can help charities determine whether legitimate interests are likely to apply to processing.
The ICO has also helpfully provided the following examples to assist charities in how legitimate interests may be used as a lawful basis to process personal data:
A charity wants to send fundraising material by post to individuals who have donated to them in the past but have not previously objected to receiving marketing material from them. The charity’s purpose of direct marketing to raise funds for its cause is a legitimate interest.
The charity then looks at whether sending the mailing is necessary for its fundraising purposes. It decides that it is necessary to process contact details for this purpose, and that the mailing is a proportionate way of approaching individuals for donations.
The charity considers the balancing test and takes into account that the nature of the data being processed is limited to names and addresses, and that it would be reasonable for these individuals to expect to receive marketing material by post, given their previous relationship.
The charity determines that the impact of a fundraising mailing on these individuals is likely to be minimal; however, it includes details in the mailing (and each subsequent one) about how individuals can opt out of receiving postal marketing in future.
We understand that it can be a difficult task to complete an LIA and assess whether legitimate interests can be applied to processing activities; however, the team at Harper James are here to help you every step of the way.
Where do you report breaches?
Just like any other data controller, if a breach has occurred at a charity and is likely to result in a risk to the rights and freedoms of individuals, it must be reported to the ICO within 72 hours. If the breach is likely to result in a high risk to the rights and freedoms of individuals, the charity must also notify those concerned (the data subjects) without undue delay. Failure to notify a breach when required to do so can result in a fine.
For charities, there is a second line of reporting in addition to reporting a data breach to the ICO. A charity will also need to consider whether the data breach constitutes a serious incident and, if so, whether it must be reported to the Charity Commission. The Charity Commission is the regulator of charities in England and Wales and maintains the charity register. It is an independent, non-ministerial government department accountable to Parliament. The charity trustees or Data Protection Officer (DPO) should decide whether an incident is serious and should be reported to the Charity Commission. To assist, the Commission provides a list of the types of incident that should and should not be reported.
The Charity Commission guidance states:
"If trustees fail to report a serious incident that subsequently comes to light, the Commission may consider this to be mismanagement ... may prompt regulatory action ... if further abuse or damage has arisen following the initial incident."
How can we support your charity with data protection?
Complying with GDPR is not only a legal requirement but also essential for maintaining donor confidence and operational integrity. Whether you need help drafting legitimate interest assessments, creating effective privacy notices, managing training or responding to breaches, our data protection solicitors can guide you through every step. We work with charities of all sizes to ensure your data practices are robust, lawful and proportionate. If you're unsure whether your organisation is meeting its obligations, or you want a second opinion, our team is here to help you get it right.