GDPR and Fundraising: What Charities and Campaign Organisations Must Know
Fundraising is where GDPR gets hardest for charities. The sector relies on data — extensive, detailed, often sensitive data about donors' wealth, health, family circumstances, and giving history. And for decades, it operated in ways that GDPR and its predecessor legislation have made problematic: sharing donor databases between charities, screening wealth using commercial data sources, cold-calling lapsed donors, and sending postal campaigns based on purchased lists.
The ICO's enforcement actions against the charity sector in the mid-2010s were a watershed moment. Major household-name charities received civil monetary penalties. The Fundraising Regulator rewrote its codes of practice. The sector underwent a reckoning that is still being processed a decade on.
This guide covers the specific fundraising data practices that regulators have scrutinised, what the rules actually require, and what a compliant fundraising programme looks like in 2026.
The ICO's Enforcement Actions Against the Charity Sector
In 2016 and 2017, the ICO issued civil monetary penalties and enforcement notices against a significant number of UK charities. The cases included:
- RSPCA — fined £25,000 for unlawfully sharing and trading donor data without donors' knowledge or consent
- Cancer Research UK — fined £16,000 for similar practices involving third-party data sharing
- British Heart Foundation — fined £18,000
- Macmillan Cancer Support, Great Ormond Street Hospital Children's Charity, Guide Dogs for the Blind and others were fined in a second round of penalties in April 2017
The common thread was wealth screening and data appending. These charities had engaged agencies to analyse donor databases, overlay commercial and public data sources (electoral roll, property registers, Companies House, social media, lifestyle databases) to estimate donors' financial capacity, and segment donors for major gift approaches — all without telling donors this was happening and without their consent.
The ICO found that donors had no reasonable expectation that their charitable giving history would be used to conduct detailed financial profiling. The fact that the data was technically available from public sources did not make processing it lawful.
The impact was sector-wide. The Charity Commission, the Fundraising Regulator (then newly established), and HMRC all issued guidance. The Institute of Fundraising rewrote its guidance on data management. And the sector moved — belatedly — toward consent-based fundraising models.
Wealth Screening: The Legitimate Interest Minefield
Wealth screening is the practice of using external data sources to estimate a donor's financial capacity. It ranges from basic approaches (is this person a company director?) to sophisticated profiling using multiple commercial datasets covering property ownership, declared income, shareholdings, and lifestyle indicators.
Under GDPR, wealth screening requires a lawful basis. Charities typically argue legitimate interest, but legitimate interest is only available if the processing passes the ICO's three-part test:
- Purpose test — Is there a legitimate interest? (Generally yes: identifying major gift prospects is a genuine organisational interest)
- Necessity test — Is the processing necessary for that purpose? (Problematic: is full commercial profiling necessary, or would a less intrusive method achieve the same purpose?)
- Balancing test — Do the individual's interests, rights and freedoms override that legitimate interest? (This is where wealth screening typically fails)
The balancing test is critical. Donors give to charities expecting their data to be used for the charitable purpose — not for financial profiling. A donor who gave £50 to a cancer charity almost certainly does not expect that gift to trigger a commercial wealth assessment. The "reasonable expectation" test is the key question: what would a reasonable donor think their data would be used for?
The ICO has consistently found that undisclosed wealth screening fails the balancing test. The starting point is transparency: if you conduct wealth screening, say so in your privacy notice in clear, specific language, not buried in a 20-page legal document but in a way that genuinely tells donors what will happen to their data. Transparency is necessary but not sufficient; the necessity and balancing tests still have to be passed.
Even with transparency, deep profiling of individuals across multiple commercial datasets (as opposed to a basic directorship check) is hard to justify under legitimate interest, and consent is the safer basis for it.
Data Appending and Database Sharing
Data appending is the practice of taking your existing donor database and enriching it with additional data from external sources — typically address updates, telephone numbers, email addresses, or demographic information — sourced from data brokers or public sources.
Database sharing between charities — either direct swapping or through brokers acting as intermediaries — was widespread before GDPR. Charities would exchange or sell their donor lists, allowing other charities to prospect to proven givers.
Both practices are heavily restricted under GDPR:
- Data appending requires that the individual would have a reasonable expectation of their data being enhanced in this way, or explicit consent. Simply purchasing a phone number from a data broker to call a donor who never gave you their number is almost certainly unlawful.
- Database sharing requires a lawful basis for the transfer. Consent obtained for one charity's communications does not cover another charity's use of the data. The ICO has made clear that historic "opt-outs" and industry-wide consent models do not satisfy GDPR's requirements.
The Fundraising Preference Service (FPS), run by the Fundraising Regulator since 2017, lets individuals tell named charities to stop contacting them. Checking against the FPS is a basic compliance requirement, not optional good practice.
Legitimate Interest for Existing Donors
Despite the complexity above, legitimate interest remains a valid legal basis for certain fundraising communications to existing donors — those who have previously given and have a live relationship with your charity.
The ICO's direct marketing guidance, which covers charity fundraising, accepts legitimate interest for:
- Postal fundraising appeals to existing donors with a recent giving relationship
- Certain internal analytics and segmentation that donors would reasonably expect
The key phrase remains "reasonable expectation." An existing donor who gave last year would generally expect to continue receiving communications from that charity. A donor whose last gift was fifteen years ago, or who explicitly requested no further contact, has a much weaker connection to that expectation.
Practical requirements for legitimate interest fundraising:
- Conduct and document a Legitimate Interest Assessment (LIA) before relying on this basis
- Provide a clear and easy opt-out mechanism in every communication
- Honour opt-outs promptly (within one calendar month)
- Maintain a suppression list — do not simply delete opted-out records, or you will re-contact them when importing new data
- Check against the Fundraising Preference Service
Telephone Fundraising: Consent Is Non-Negotiable
Telephone fundraising (outbound calls to existing or prospective donors) is governed by GDPR together with the Privacy and Electronic Communications Regulations (PECR). PECR covers both live unsolicited marketing calls (regulation 21, which gives the TPS its legal force) and calls made by automated dialling systems playing recorded messages (regulation 19).
For live telephone calls to individuals:
- You must screen against the Telephone Preference Service (TPS): calling a registered number is a PECR breach unless that person has specifically told you they do not object to your calls
- You need a lawful basis under GDPR for holding and using the telephone number
- If the call is to a new prospect (someone who has not previously donated), you need more than legitimate interest — the ICO's position is that unsolicited fundraising calls require either consent or a very strong legitimate interest case
For automated or recorded calls (robocalls):
- These require prior explicit consent — there is no legitimate interest basis for automated fundraising calls to individuals
Consent for telephone fundraising must meet GDPR standards: freely given, specific, informed, unambiguous. Pre-ticked boxes, bundled consent, or consent buried in terms and conditions does not work. If you are building a calling list from consent, that consent must specifically reference telephone fundraising calls.
Charities that rely on telephone fundraising agencies must ensure those agencies operate under a Data Processing Agreement (DPA) and comply with TPS, PECR, and GDPR. The charity remains the data controller and is responsible for the agency's compliance.
The Soft Opt-In: Why It Does Not Apply to Charities
A common misconception is that the soft opt-in applies to charities. The soft opt-in is the PECR rule (regulation 22(3)) that lets an organisation email its own customers about similar products or services without separate consent, provided the contact details were collected in the course of a sale or negotiations for a sale and the customer was given a simple way to refuse. It does not apply to charitable giving.
A charitable donation is not a sale of goods or services, so the soft opt-in as written in PECR does not cover it. This means:
- Charities cannot use the soft opt-in to send email fundraising appeals to people who have donated
- Every email fundraising appeal to an individual requires either explicit consent or a separately justified legitimate interest basis
- Legitimate interest cannot substitute for consent here: PECR requires consent for marketing emails to individual subscribers whatever lawful basis GDPR might otherwise allow, which is why email is treated more strictly than post
In practice: if your charity sends email fundraising appeals, you need positive opt-in consent from recipients for those emails. Re-obtaining consent from your existing email database, if consent was not gathered to the current standard, is a significant but necessary task. One caveat to track: the Data (Use and Access) Act 2025 amends PECR to add a charity-specific soft opt-in for people who have expressed an interest in, or support for, a charity's purposes. Whether that provision is in force and what conditions attach to it should be confirmed against the ICO's current guidance before relying on it; until then, treat email as consent-only.
The ICO has published a direct marketing checklist that charities should work through. Email fundraising without proper consent is a PECR breach, not just a GDPR one, and PECR enforcement is separate from GDPR enforcement.
Gift Aid Data and HMRC Sharing
Gift Aid creates a specific data processing obligation. When a donor makes a Gift Aid declaration, the charity collects:
- Full name
- Home address
- The declaration itself (including the statement about taxpayer status)
This data is shared with HMRC to reclaim the tax. The sharing with HMRC is covered by law (the Finance Act 1990 and subsequent legislation), so there is a clear legal basis. However:
- Donors must be informed that their data will be shared with HMRC for Gift Aid purposes — this must be in your privacy notice
- Gift Aid data must not be used for any other purpose (you cannot use a Gift Aid form as a de facto data collection exercise for marketing)
- Gift Aid declarations must be retained for a minimum of 6 years after the last gift to which they relate — this creates a minimum retention requirement that overrides shorter general data retention periods
- Historic Gift Aid declarations (paper forms, etc.) must be stored securely and covered by your data retention and destruction policies
One specific compliance issue: some charities use Gift Aid sign-up as an opportunity to collect marketing consent. If you do this, the two things must be clearly separated — Gift Aid and marketing consent are independent, and one cannot be made conditional on the other.
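A retention job has to reconcile the general policy with the Gift Aid minimum, and the awkward case is a record that is past the general period but whose declaration still has to be kept. The following Python is an added example, not code from the original post: the two-year general retention period, the record layout and the sample records are assumptions, and the six-year figure is the minimum stated above. It yields three outcomes a practitioner needs to act on: purge, retain, and the middle case where only marketing and profiling fields should be stripped while the declaration and its related gifts stay.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

GENERAL_RETENTION_YEARS = 2   # assumed general policy: purge two years after the last activity
GIFT_AID_RETENTION_YEARS = 6  # minimum given above for a declaration after the last related gift

def add_years(d, years):
    """Calendar-year arithmetic; a 29 February anniversary falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)

@dataclass
class GiftAidDeclaration:
    signed: date
    gifts: list = field(default_factory=list)  # dates of the gifts the declaration covers

@dataclass
class DonorRecord:
    donor_id: str
    last_activity: date                        # last gift, contact or response of any kind
    declaration: Optional[GiftAidDeclaration] = None

def retention_deadline(rec):
    """Return (date before which the record must be kept, which rule sets it)."""
    general = add_years(rec.last_activity, GENERAL_RETENTION_YEARS)
    if rec.declaration is None:
        return general, "general_policy"
    # A declaration with no recorded gifts still dates from its signature.
    last_related_gift = max(rec.declaration.gifts, default=rec.declaration.signed)
    gift_aid = add_years(last_related_gift, GIFT_AID_RETENTION_YEARS)
    if gift_aid > general:
        return gift_aid, "gift_aid_declaration"
    return general, "general_policy"

def review(records, today):
    """Decide per record: purge, minimise (keep only what HMRC needs), or retain."""
    actions = {}
    for rec in records:
        general = add_years(rec.last_activity, GENERAL_RETENTION_YEARS)
        deadline, basis = retention_deadline(rec)
        if today >= deadline:
            action = "purge"
        elif today >= general:
            # Past the general policy but inside the Gift Aid window: strip marketing and
            # profiling fields, keep name, address, declaration and gift records for HMRC.
            action = "minimise_to_gift_aid_record"
        else:
            action = "retain"
        actions[rec.donor_id] = (action, deadline, basis)
    return actions

# Constructed sample records, not real donors.
TODAY = date(2026, 3, 1)
RECORDS = [
    DonorRecord("R1", date(2025, 6, 1)),
    DonorRecord("R2", date(2023, 1, 10)),
    DonorRecord("R3", date(2023, 1, 10),
                GiftAidDeclaration(date(2021, 5, 5), [date(2021, 5, 5), date(2023, 1, 10)])),
    DonorRecord("R4", date(2019, 2, 28), GiftAidDeclaration(date(2019, 2, 28), [date(2019, 2, 28)])),
    DonorRecord("R5", date(2020, 2, 29), GiftAidDeclaration(date(2020, 2, 29), [date(2020, 2, 29)])),
]

if __name__ == "__main__":
    for donor_id, (action, deadline, basis) in review(RECORDS, TODAY).items():
        print(donor_id, action, deadline, basis)
```

Run as-is it prints one line per record; R3 is the case the post warns about, where a two-year policy applied naively would destroy a declaration HMRC can still ask for. The `minimise` outcome is the place to put the data-minimisation step rather than treating retention as all-or-nothing.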
Direct Mail to Lapsed Donors
Postal marketing occupies a different regulatory space from email. Under PECR, postal direct mail does not require prior consent in the same way electronic communications do. This means legitimate interest is more frequently available as a legal basis for postal fundraising appeals — but it is not unlimited.
For lapsed donors (those who have not given in several years), the legitimate interest calculation shifts:
- The longer the lapse since last contact, the weaker the legitimate interest claim
- If a donor explicitly requested no further contact, any further contact is unlawful regardless of how it is sent
- Screen against the Mailing Preference Service (MPS): mailing MPS-registered individuals is a red flag for regulators
- Data quality matters: sending postal appeals to deceased individuals, or to individuals who have moved, causes genuine distress and reputational damage
The practical question: if a donor last gave in 2018 and has not responded to any contact since, can you legitimately send them a postal appeal in 2026? The answer is probably not — eight years without engagement makes the "reasonable expectation" argument very difficult to sustain. Industry guidance generally suggests a 3-5 year rule for postal contact to lapsed donors, with suppression processes in place.
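The practical requirements for legitimate interest fundraising listed earlier, the telephone and email consent rules, and the lapsed-donor cut-off in this section can all be expressed as one campaign-list builder. The following Python is an added illustration, not code from the original post or from any CRM product: the donor records, the suppression files, the three-year lapse cut-off and the file layout are constructed assumptions, and the TPS, MPS and FPS sets stand in for the real screening services, which match on name, address, phone and email rather than on bare identifiers. It demonstrates three things the text insists on: suppression is applied before any lawful-basis reasoning, pre-ticked or bundled consent is ignored, and an opt-out held on an internal suppression list still blocks a record re-imported later (D7), which is why opted-out records are suppressed rather than deleted.

```python
from dataclasses import dataclass, field
from datetime import date

LAPSE_YEARS = 3  # assumed LI cut-off for existing donors; the post cites 3-5 years, set yours from your LIA
CHANNELS = ("email", "telephone", "post")

def normalise_phone(raw):
    """Digits only, +44 / 0044 rewritten to a leading 0, so TPS and FPS matches are consistent."""
    digits = "".join(ch for ch in raw if ch.isdigit())
    if digits.startswith("0044"):
        return "0" + digits[4:]
    if digits.startswith("44") and len(digits) == 12:
        return "0" + digits[2:]
    return digits

@dataclass
class Consent:
    channel: str   # "email", "telephone" or "post"
    granted: bool
    method: str    # how it was captured: "unticked_box", "verbal", "pre_ticked", "bundled_terms", ...
    captured: date
    wording: str   # version of the statement shown, so the consent can be evidenced later

@dataclass
class Donor:
    donor_id: str
    email: str = None
    phone: str = None
    last_gift: date = None
    consents: list = field(default_factory=list)
    no_contact: bool = False  # explicit "stop contacting me" request
    deceased: bool = False

def valid_consent(donor, channel):
    """Latest decision for the channel wins; a pre-ticked box or bundled terms never counts."""
    latest = max((c for c in donor.consents if c.channel == channel), key=lambda c: c.captured, default=None)
    return latest is not None and latest.granted and latest.method not in {"pre_ticked", "bundled_terms"}

def recent_donor(donor, today):
    return donor.last_gift is not None and (today - donor.last_gift).days <= LAPSE_YEARS * 365

def li_basis(donor, channel, block_reason, today):
    """Consent first; then a preference-service match blocks; otherwise LI only for recent donors."""
    if valid_consent(donor, channel):
        return "consent"
    if block_reason:
        return block_reason
    return "legitimate_interest" if recent_donor(donor, today) else "lapsed"

def channel_decisions(donor, files, today):
    """Map each channel to 'consent', 'legitimate_interest', or the reason it is blocked.
    files (assumed layout): "tps" = normalised numbers from TPS screening, "mps" = donor_ids matched by
    MPS screening, "fps" = normalised emails/numbers from the FPS, "internal" = emails/numbers of
    opt-outs and deceased people, kept even if the CRM record itself is deleted."""
    email = donor.email.strip().lower() if donor.email else None
    phone = normalise_phone(donor.phone) if donor.phone else None
    identifiers = {x for x in (email, phone) if x}
    # Suppression first: an opt-out, a death or an FPS match blocks every channel.
    if donor.deceased or donor.no_contact or identifiers & files["internal"]:
        return {ch: "internal_suppression" for ch in CHANNELS}
    if identifiers & files["fps"]:
        return {ch: "fps" for ch in CHANNELS}
    out = {}
    # Email: PECR requires consent and charities have no soft opt-in, so there is no LI fallback.
    out["email"] = ("no_address" if email is None
                    else "consent" if valid_consent(donor, "email") else "no_consent")
    # Telephone: a TPS-registered number may only be called with that person's consent.
    out["telephone"] = ("no_number" if phone is None else
                        li_basis(donor, "telephone", "tps" if phone in files["tps"] else None, today))
    # Post: no prior-consent rule in PECR, but MPS screening and the lapse cut-off still apply.
    out["post"] = li_basis(donor, "post", "mps" if donor.donor_id in files["mps"] else None, today)
    return out

def build_campaign(donors, files, today):
    """Return (per-channel contact lists, {donor_id: {channel: block reason}})."""
    lists = {ch: [] for ch in CHANNELS}
    excluded = {}
    for donor in donors:
        for channel, reason in channel_decisions(donor, files, today).items():
            if reason in ("consent", "legitimate_interest"):
                lists[channel].append(donor.donor_id)
            else:
                excluded.setdefault(donor.donor_id, {})[channel] = reason
    return lists, excluded

# Constructed sample data, not real donors.
TODAY = date(2026, 3, 1)
DONORS = [
    Donor("D1", "ann@example.org", "+44 7700 900001", date(2025, 6, 10),
          [Consent("email", True, "unticked_box", date(2024, 2, 1), "v3")]),
    Donor("D2", "bob@example.org", "07700 900002", date(2018, 4, 3)),         # lapsed, MPS match
    Donor("D3", "cat@example.org", None, date(2025, 11, 20),
          [Consent("email", True, "pre_ticked", date(2023, 9, 5), "v2")]),  # pre-ticked box
    Donor("D4", None, "07700 900004", date(2025, 1, 15)),                      # TPS-registered
    Donor("D5", "eve@example.org", "07700 900005", date(2025, 12, 1), no_contact=True),
    Donor("D6", "fay@example.org", None, date(2026, 1, 9)),                    # on the FPS
    Donor("D7", "Gus@Example.org", None, date(2026, 2, 1)),                    # re-imported opt-out
]
FILES = {"tps": {"07700900004"}, "mps": {"D2"}, "fps": {"fay@example.org"}, "internal": {"gus@example.org"}}
```

Calling `build_campaign(DONORS, FILES, TODAY)` gives an email list of D1 only, a telephone list of D1 only, and a postal list of D1, D3 and D4, with every exclusion carrying the reason it was blocked. Keeping that reason per donor and channel is what lets you answer a regulator's (or a donor's) question about why a particular contact did or did not happen, and the `excluded` map is the natural input to the opt-out and suppression audit in the checklist.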
Legacy Giving and Sensitive Financial Information
Legacy fundraising — encouraging donors to leave a bequest in their will — involves particularly sensitive data. Information about whether someone has pledged a legacy, or is being cultivated for a legacy gift, amounts to information about their financial circumstances and estate planning. This is not technically special category data under GDPR (which covers racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic and biometric data, health, and sex life or sexual orientation), but it is highly sensitive and should be handled with comparable care.
Key considerations:
- Legacy pledge records must be stored securely and with strict access controls — not in shared spreadsheets
- Wealth screening of legacy prospects carries the same issues as major donor screening — requires disclosure and a defensible legal basis
- Communication with confirmed legacy pledgers requires a lawful basis — typically ongoing consent or legitimate interest, with clear opt-out
- Information shared with solicitors about the charity's identity as a beneficiary should be handled with a clear privacy notice
Legacy giving is often managed by small teams with informal processes. A legacy manager's personal spreadsheet of prospects is a GDPR risk. Legacy prospect data must be brought within the organisation's formal data governance framework.
Online Giving Platforms: JustGiving, GoFundMe, and Data Processor Relationships
Online fundraising platforms occupy an interesting position in the data ecosystem. When a donor gives through JustGiving, GoFundMe, or Enthuse, who is the data controller?
The answer depends on the platform's terms:
- JustGiving operates as a data controller in its own right for donor data. It has its own privacy policy and its own relationship with donors. Charities receive some donor data (name, amount, message), but JustGiving retains control of the wider data
- Enthuse (formerly Charity Checkout) and other charity-focused platforms may operate differently, with the charity as the primary controller
- GoFundMe operates primarily as a controller for individual fundraiser data
Implications:
- Charities should check the terms of any platform they use to understand what data they receive and what they can do with it
- Data received from platforms cannot be assumed to carry the same consent as data collected directly — if JustGiving collected consent for its own purposes, that doesn't mean the charity can add donors to its mailing list
- A Data Processing Agreement is appropriate where the platform is acting as a processor on the charity's behalf
- Platform donor data must be handled separately from other donor data in terms of consent and lawful basis
If you are running a fundraising appeal and want to follow up with donors who gave through an external platform, verify what permissions those donors gave to the platform, and whether any such permission extends to direct contact from your charity.
A Fundraising Data Compliance Checklist
Use this checklist as an audit starting point. It covers the most common compliance gaps in charity fundraising operations.
Consent and Lawful Basis
- [ ] Every fundraising communication channel (email, post, telephone, SMS) has a documented lawful basis
- [ ] Email fundraising uses positive opt-in consent — not assumed, not soft opt-in
- [ ] Legitimate Interest Assessments (LIAs) completed and documented for any processing relying on LI
- [ ] Privacy notice specifically describes fundraising data processing, including any wealth screening
- [ ] Consent records stored and auditable — can prove when, how, and what individuals consented to
Suppression and Opt-Out
- [ ] TPS (Telephone Preference Service) checked and suppressed before any telephone campaign
- [ ] MPS (Mailing Preference Service) checked and suppressed before any postal campaign
- [ ] Fundraising Preference Service (FPS) checked and suppressed before any fundraising contact
- [ ] Internal suppression list maintained for opt-outs, deceased donors, and "no contact" requests
- [ ] Opt-outs processed within one calendar month
Wealth Screening
- [ ] If wealth screening is conducted, privacy notice discloses this clearly
- [ ] LIA documented for wealth screening activities
- [ ] Scope of screening proportionate to need (not excessive commercial profiling without strong justification)
- [ ] Third-party screening agency operating under a Data Processing Agreement
Database and Third-Party Data
- [ ] No donor data shared with other charities without explicit consent
- [ ] Data appending (purchasing phone numbers, emails, addresses) only where lawful basis is clear
- [ ] Data brokers and prospect agencies operating under DPAs
- [ ] Any data purchased from brokers has provenance documentation (how was consent obtained?)
Gift Aid
- [ ] Privacy notice covers HMRC data sharing for Gift Aid
- [ ] Gift Aid declarations retained for 6 years minimum after last related gift
- [ ] Gift Aid sign-up separated from marketing consent — not bundled or conditional
Telephone Fundraising
- [ ] All calls to individuals TPS-checked
- [ ] Automated fundraising calls only to those with explicit prior consent
- [ ] Telephone fundraising agencies operating under DPAs
- [ ] Call records maintained to demonstrate compliance
Legacy and Major Donor
- [ ] Legacy prospect data within formal data governance (not personal spreadsheets)
- [ ] Access controls on legacy prospect records
- [ ] Major donor wealth screening disclosed and legally justified
Online Giving Platforms
- [ ] Terms reviewed for all platforms used (JustGiving, GoFundMe, Enthuse, etc.)
- [ ] Data received from platforms used only within the permissions donors gave to those platforms
- [ ] DPAs in place where platforms act as processors
General
- [ ] Records of Processing Activities (RoPA) includes all fundraising processing activities
- [ ] Data retention policy covers fundraising data (with specific rule for Gift Aid)
- [ ] Staff and volunteers involved in fundraising trained on GDPR basics
- [ ] Process in place for Data Subject Access Requests touching fundraising data
The Path Forward
The charity sector's reckoning with GDPR is ongoing. Enforcement actions have subsided since the 2016-2017 peak, but the regulatory framework has tightened. The ICO's direct marketing guidance, updated in recent years, applies fully to charitable fundraising. The Fundraising Regulator's Code of Fundraising Practice incorporates data protection requirements. And donors are more aware of their rights than they have ever been.
The practical challenge for most charities is not understanding what the rules require — it is having the systems to implement them. Legacy CRM databases with inconsistent consent records, paper Gift Aid declarations stored in filing cabinets, telephone fundraising agencies with unclear data handling practices: these are operational realities that require active remediation, not just policy updates.
Start by understanding what your website is actually collecting. Run a scan at app.custodia-privacy.com/scan to see which tracking technologies are operating, whether consent is being collected correctly, and what your current exposure looks like. Then work outward to your donor database, your fundraising channels, and your third-party relationships.
Compliant fundraising is achievable — and it builds donor trust in ways that ultimately benefit the organisation. Donors who understand how their data is used, and who feel in control of that relationship, are more likely to give and more likely to give again.
This post provides general information about GDPR and fundraising compliance. It does not constitute legal advice. Requirements vary by jurisdiction and individual circumstances differ significantly. Consult a qualified data protection professional for advice specific to your organisation.