Charity Data Protection & GDPR: Practical Compliance Guide
GDPR compliance for UK charities. Data protection principles, lawful bases, donor data, consent, subject access requests, and ICO requirements.
GDPR compliance isn't optional — even for small charities. But it doesn't have to be overwhelming. This guide covers what you actually need to do in practice.
Key Principles
The UK GDPR (retained EU law) has 7 principles:
- Lawfulness, fairness, transparency — have a legal basis, be fair, tell people what you're doing
- Purpose limitation — collect data for specific, stated purposes only
- Data minimisation — only collect what you need
- Accuracy — keep data up to date
- Storage limitation — don't keep data longer than needed
- Integrity and confidentiality — keep it secure
- Accountability — be able to demonstrate compliance
Lawful Bases for Charities
Every piece of personal data you process needs a lawful basis:
| Basis | When to Use |
|---|---|
| Consent | Marketing emails, newsletters, non-essential communications |
| Contract | Employment data, service agreements |
| Legal obligation | Gift Aid records (HMRC), safeguarding records, financial reporting |
| Vital interests | Emergency contact details |
| Legitimate interests | Administrative communications, event invitations to existing supporters, analytics |
Practical Steps for Charities
1. Create a Privacy Notice
Tell people what data you collect and why. Publish on your website. Provide to donors, volunteers, and beneficiaries.
2. Audit Your Data
Where is personal data stored? Who has access? How long do you keep it? Create a simple data map.
3. Consent Management
- Use clear opt-in checkboxes (not pre-ticked)
- Record when and how consent was given
- Make it easy to withdraw consent
- Don't rely on consent for everything — legitimate interests often applies
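As an added illustration (not code from the original article or from QuikCue's own systems), the Python below keeps a small consent ledger in the shape the steps above describe: every opt-in and withdrawal is appended with its time and source rather than overwriting a flag, sending is checked against the chosen lawful basis, and records past a retention period are flagged for deletion. The class, field and purpose names are assumptions for the example.

```python
from __future__ import annotations
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

@dataclass
class ConsentEvent:
    purpose: str      # what the consent covers, e.g. "newsletter"
    granted: bool     # True = opt-in, False = withdrawal
    source: str       # how it was captured, e.g. "website opt-in checkbox"
    at: datetime      # when it was captured (UTC)

@dataclass
class Supporter:
    email: str
    last_activity: datetime            # drives the retention check
    events: list[ConsentEvent] = field(default_factory=list)

    def record(self, purpose: str, granted: bool, source: str, at: datetime) -> None:
        # Append-only: the full history is the audit trail of when/how consent changed.
        if source == "pre-ticked box":
            raise ValueError("pre-ticked boxes are not valid opt-in consent")
        self.events.append(ConsentEvent(purpose, granted, source, at))

    def has_consent(self, purpose: str) -> bool:
        # The most recent event for this purpose decides; no event means no consent.
        relevant = [e for e in self.events if e.purpose == purpose]
        if not relevant:
            return False
        return max(relevant, key=lambda e: e.at).granted

def lawful_to_send(supporter: Supporter, purpose: str, basis: str) -> bool:
    """Decide whether a message may be sent under the stated lawful basis."""
    if basis == "consent":
        return supporter.has_consent(purpose)
    if basis == "legitimate_interests":
        # Administrative messages to existing supporters do not need opt-in,
        # but an explicit withdrawal for that purpose is still honoured.
        return not any(e.purpose == purpose and not e.granted for e in supporter.events)
    raise ValueError(f"unsupported lawful basis: {basis}")

def due_for_deletion(supporter: Supporter, now: datetime, retention: timedelta) -> bool:
    # Storage limitation: flag records that have been inactive beyond the retention period.
    return now - supporter.last_activity > retention

if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)   # constructed sample data
    s = Supporter("donor@example.org", last_activity=now)
    s.record("newsletter", True, "website opt-in checkbox", now - timedelta(days=10))
    print(lawful_to_send(s, "newsletter", "consent"))           # True
    s.record("newsletter", False, "unsubscribe link", now - timedelta(days=1))
    print(lawful_to_send(s, "newsletter", "consent"))           # False
```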
4. Subject Access Requests (SARs)
Anyone can ask for a copy of their personal data. You must respond within 30 days, free of charge.
5. Data Breach Procedure
If personal data is breached:
- Assess the risk to individuals
- If high risk: notify the ICO within 72 hours
- If very high risk: notify affected individuals
- Log the breach and response (even if not reportable)
6. Data Protection Officer (DPO)
Most charities don't legally need a DPO, but you should have a named person responsible for data protection.
Common Charity GDPR Mistakes
- Emailing your entire database without consent — use legitimate interests for existing supporters, consent for new marketing
- No privacy notice on your website — required for all organisations
- Keeping data forever — set retention periods and delete data you don't need
- Not training staff — GDPR awareness training should be annual
GDPR-Compliant Systems
QuikCue builds data systems with GDPR compliance baked in — consent management, data retention policies, access controls, and audit trails.