Data protection for charities


The General Data Protection Regulation (GDPR) rules have a significant impact on how charities manage personal data. Whether you are a small local organisation or a large national charity, understanding your responsibilities under GDPR is essential to protect your beneficiaries, donors, volunteers, and staff, and to maintain public trust.

Read our article below to understand data protection, the compliance measures to implement, and the lawful bases and special considerations that apply, so that charities can focus on their cause while protecting the rights of the people they benefit.

What is GDPR?

The General Data Protection Regulation (GDPR) is a law introduced in May 2018 to protect people’s personal data and give individuals greater control over it. It governs how organisations collect, store, and use personal data. In the UK, the GDPR continues to apply as the UK GDPR (‘GDPR’), supported by the Data Protection Act 2018. Charities, like any other organisation, must comply with the GDPR rules if they process individuals’ personal data.

For a more in-depth explanation of the regulation, read our guide to GDPR.

What is personal data?

Under UK GDPR, personal data is any information relating to an identified, or identifiable, living individual. This includes obvious details such as names and addresses, and also covers email addresses, phone numbers, identification numbers, photographs, and online identifiers like IP addresses. The UK GDPR singles out some types of personal data as more sensitive and requires that they be given extra protection; this special category data includes information relating to a person’s race or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, and sex life or sexual orientation.

There are many examples of personal data sets held by charities which are subject to GDPR requirements, such as:

  • Donor details and donation records
  • Volunteer applications and contact information
  • Beneficiary data, including sensitive information
  • Staff records
  • Mailing lists for newsletters and campaigns

How charities should comply with the UK GDPR

Charities have a duty to comply with GDPR and ensure that all personal data they handle is processed lawfully, fairly, and transparently. Below are key steps, and guidance from DataGuard, that charities can follow to prioritise data protection:

  1. Lawfulness and transparency: Charities must process personal data lawfully, fairly, and in a transparent manner by informing individuals about how their data is used. Identify an appropriate lawful basis for processing personal data (e.g., legitimate interests, legal obligation or contract, consent, etc.). Where consent is relied upon, it must be documented, clear, informed and easy to withdraw.
  2. Purpose limitation: Data should only be collected for specified and legitimate purposes and not processed in a way that is not covered by those stated purposes.
  3. Integrity, confidentiality and data security: Ensure security of the data through secure technical and organisational measures to protect data from unauthorised access or loss.
  4. Data minimisation: Only collect and keep the minimum amount of data necessary for your charity’s activities.
  5. Storage limitation: Do not keep personal data for longer than necessary and have clear policies for data retention and deletion.
  6. Accuracy: Keep personal data accurate and up to date.
  7. Accountability: Be able to demonstrate compliance with GDPR, for example through policies, records of processing activities (ROPA) and documented decisions.
  8. Rights of individuals: Ensure individuals can exercise their rights under GDPR, such as accessing their data, requesting corrections, or objecting to processing – your charity must be equipped to respond to any requests promptly.
  9. Training: Provide regular data protection training for staff and volunteers who handle personal data. Develop and regularly review a data protection policy tailored to your charity’s needs.
  10. Data breach procedures: Establish a clear process for identifying, reporting, and managing data breaches, including notification to the Information Commissioner’s Office (ICO) when required.
  11. Working with third parties: If you share data with external partners or use third-party services (such as fundraising platforms) you must ensure these partners comply with GDPR.

Lawful bases for processing personal data

Charities, like any other organisation, must have a valid lawful basis under GDPR to process personal data. There are six available lawful bases for processing, and the basis you rely on must be determined and documented before you begin processing.

At least one of these must apply:

(a) Consent: The individual has given clear consent for you to process their personal data for a specific purpose.

(b) Contract: The processing is necessary to perform a contract you have with the individual.

(c) Legal obligation: The processing is necessary for you to comply with the law.

(d) Vital interests: Vital interests are relevant in emergencies where processing personal data protects an individual’s life.

(e) Public task: The processing is necessary to carry out a task that is in the public interest or part of your official duties, where that task or function is set out in law.

(f) Legitimate interests: The processing is necessary for your organisation’s legitimate interests, or the legitimate interests of a third party, provided those interests are not overridden by the individual’s rights and freedoms. This lawful basis does not apply where a public authority is processing data as part of its official functions.

For more information, visit the ICO’s website for guidance.

What happens if a charity is not GDPR compliant?

If a charity fails to comply with GDPR, the ICO has the power to investigate any breaches and issue warnings, enforcement notices, and substantial fines. Upper fine limits are contextual and depend on severity.

Beyond financial penalties, the Charity Finance Group explains how failing to follow the UK GDPR can damage a charity’s reputation and the trust of donors and beneficiaries, cause operational disruption, and potentially expose the organisation to legal claims if individuals’ data rights have been infringed.

To learn more about the penalties for non-compliance with GDPR, read our dedicated article.

Appointing a Data Protection Officer

A charity must appoint a Data Protection Officer (DPO) if any of the following apply:

  • The charity is a public authority or body
  • Its core activities involve regular and systematic monitoring of individuals on a large scale
  • Its core activities involve large‑scale processing of special category data or data relating to criminal convictions and offences


Please note: This article does not constitute legal advice and should not be relied upon as a complete statement of the law. This article provides guidance for information purposes only. It should not be relied upon wholly when making or taking important business decisions – always seek the services of an appropriately qualified professional. The views expressed by websites referenced to are limited to those of the websites, and do not necessarily reflect the views of Markel Direct. Markel Direct is not affiliated with any of the brands, companies or websites mentioned in this article.