GDPR for Charities: The Complete Guide to Data Protection (2026)

Data protection shouldn't stop charities from communicating with donors. But it does require you to handle personal data responsibly. This guide explains what UK charities actually need to do.

Does GDPR Apply to Charities?

Yes. The UK GDPR (retained from EU law after Brexit) applies to every organisation that processes personal data, including charities of all sizes. The Information Commissioner's Office (ICO) is the regulator.

What Personal Data Do Charities Hold?

• Donor data — names, addresses, email, phone, donation history, Gift Aid declarations, bank details
• Beneficiary data — potentially sensitive data about the people you help
• Volunteer data — contact details, DBS check information
• Employee data — standard employment records
• Event attendee data — registrations, dietary requirements, accessibility needs

The 6 Lawful Bases

You need a lawful basis for every type of data processing. The six bases under UK GDPR are:

1. Consent — the person actively agreed (opt-in)
2. Contract — necessary to fulfil a contract
3. Legal obligation — required by law
4. Vital interests — necessary to protect someone's life
5. Public task — necessary for a task in the public interest
6. Legitimate interests — necessary for your legitimate interests (unless overridden by the person's rights)

For Charities, the Key Bases Are:

Email Marketing: The Rules

This is where most charities worry. The rules come from PECR (Privacy and Electronic Communications Regulations), not just GDPR:

Email / SMS marketing

• You need consent (opt-in) for marketing emails to individuals
• The consent must be freely given, specific, informed, and unambiguous
• Pre-ticked boxes do NOT count as consent
• Every email must include an unsubscribe link
• You must honour unsubscribe requests promptly (within 28 days, ideally immediately)

Exception: Existing Donors

The "soft opt-in" exception allows you to email existing donors about similar products/services without explicit consent, provided:

• You collected their email during a donation
• You gave them a chance to opt out at that time
• Every email includes an unsubscribe option

Essential GDPR Actions for Charities

1. Privacy policy — publish one on your website covering all data processing
2. Records of processing — document what data you hold, why, and for how long
3. Consent records — if you rely on consent, record when and how it was given
4. Data retention policy — don't keep data forever; set retention periods
5. Data breach procedure — know what to do if data is lost or exposed (72-hour notification to ICO for serious breaches)
6. Subject access request process — individuals can request all data you hold about them (respond within 1 month)
7. Staff training — everyone handling personal data should understand the basics

ICO Registration

Most charities need to register with the ICO and pay a data protection fee. The fee is tiered:

• Tier 1 (micro): £40/year — up to 10 employees, under £632K turnover
• Tier 2 (small/medium): £60/year
• Tier 3 (large): £2,900/year — over 250 employees

Charities with annual income under £1 million and no CCTV/complex processing may be exempt. Check the ICO's self-assessment tool.