GDPR for Charities and NGOs: A Practical Compliance Guide
There's a persistent myth in the charity sector that GDPR doesn't really apply to non-commercial organisations — that because you're not selling data or turning a profit, the rules are somehow lighter. They are not.
In fact, charities and NGOs often face more complex GDPR challenges than commercial businesses. They process sensitive data about people's health, religion, political views, and financial circumstances. They manage large databases of volunteers whose data spans years or decades. They send fundraising emails to lapsed donors. They handle children's data for youth programmes. They retain safeguarding records indefinitely. And they do all of this — often with limited resources, volunteer-run governance, and without a dedicated data protection function.
This guide is written for UK and EU-based charities and NGOs. If you're a US-focused nonprofit, see our separate guide to GDPR for nonprofits. This guide focuses specifically on UK GDPR (which mirrors EU GDPR post-Brexit), the ICO's guidance for charities, and the practical realities of compliance for mission-driven organisations.
Why GDPR Applies Fully to Charities
GDPR applies to any organisation — commercial or non-commercial — that processes personal data. A charity processing donor names, volunteer contact details, or beneficiary records is as subject to GDPR as a retailer processing customer orders.
The UK GDPR (retained post-Brexit and now underpinned by the Data Protection Act 2018) applies if your organisation:
- Is established in the UK or EU
- Offers services to, or monitors the behaviour of, individuals in the UK or EU
There is no exemption for charitable status, small size, or good intentions. The ICO has investigated and fined charities — including the British and Foreign Bible Society (£100,000 fine in 2018 for a data breach) and multiple fundraising-related enforcement actions against major UK charities.
The good news is that many of GDPR's requirements align with good data stewardship that charities should be practising anyway. The task is making that stewardship explicit, documented, and defensible.
Special Category Data: Where Charities Face Unique Risk
GDPR's Article 9 identifies "special category" data — information that is particularly sensitive and therefore subject to additional protections. These categories are:
- Health or medical data
- Religious or philosophical beliefs
- Political opinions
- Trade union membership
- Racial or ethnic origin
- Biometric data (for identification purposes)
- Genetic data
- Sexual orientation or sex life data
Many charities process special category data as a matter of course — and often without realising it carries enhanced obligations.
Faith-based organisations processing membership records, donations linked to religious communities, or participant data for faith activities are processing religious belief data. This requires an explicit legal basis under Article 9 — not just a general legitimate interest, but one of the specific conditions such as explicit consent, or the "not-for-profit body" condition (Article 9(2)(d)) which applies where the processing relates to members or former members of a not-for-profit body, and the data is not disclosed outside the organisation without consent.
Health charities — cancer charities, mental health organisations, disability charities — may receive self-disclosed health data from beneficiaries, fundraisers sharing personal stories, or through grant applications. Every piece of health data must have a clear Article 9 basis, and must be handled with additional technical and organisational safeguards.
Political organisations and campaign groups collecting information about members' political affiliations or campaign activities are processing political opinion data, which carries the same Article 9 requirements.
Practical steps:
- Audit your data to identify any special category data you hold
- Document the specific Article 9 condition for each category
- Ensure explicit consent where used is properly recorded
- Apply stricter access controls and retention limits to special category data
Donor Consent Requirements
Fundraising has been one of the most contentious areas of charity GDPR compliance since the regulation came into force. The ICO and the Fundraising Regulator have both been clear: historical practices of collecting donor data without clear consent, sharing it with data brokers, or making inferences about wealth and giving capacity are not GDPR-compliant.
For new donors, the requirements are relatively straightforward:
- Be transparent about what data you collect and how you'll use it
- Obtain specific, freely given, informed, unambiguous consent for marketing communications
- Make opt-in the default — pre-ticked boxes are invalid under GDPR
- Keep records of when and how consent was obtained
- Make it easy to withdraw consent at any time
For existing donors, the picture is more nuanced.
Legitimate Interest for Existing Supporters
Charities often ask whether they can rely on legitimate interest (Article 6(1)(f)) to continue contacting existing supporters without fresh consent. The answer is: sometimes yes, but with important caveats.
Legitimate interest can be a valid basis for processing donor data if:
- Purpose test: You have a genuine, legitimate purpose (e.g. fundraising communications to people who have previously donated)
- Necessity test: The processing is necessary for that purpose (you couldn't reasonably achieve it another way)
- Balancing test: Your interests don't override the individual's rights and expectations
The ICO has indicated that charities can use legitimate interest for postal communications to existing donors, provided they've had a reasonable recent relationship and the individual would not be surprised to receive communications.
However, legitimate interest for electronic communications (email, SMS, automated calls) is more restricted. The Privacy and Electronic Communications Regulations (PECR) layer additional requirements on top of GDPR for electronic marketing. For email and SMS, you generally need either:
- Consent, or
- The soft opt-in (discussed below)
Legitimate interest alone is not sufficient for electronic marketing under PECR, regardless of GDPR compliance.
The Soft Opt-In for Charitable Communications
The "soft opt-in" under PECR Regulation 22 allows organisations to send marketing emails without explicit consent if:
- The email address was obtained during a "sale" or negotiation of a sale (or in the charity context, the ICO has accepted this applies to similar relationships such as donations and membership)
- The marketing is for similar goods or services — for charities, this means similar charitable purposes
- The individual was given a clear opportunity to opt out at the time of data collection and on every subsequent communication
The ICO has specifically confirmed that charities can use the soft opt-in where a donor has previously given and their email was obtained in that context. If someone donated to your food bank appeal last year, you may be able to send them emails about your current winter appeal — provided you gave them an opt-out at the point of donation and on every email since.
The soft opt-in does not apply to:
- Prospecting (contacting people who have never donated or engaged)
- Fundraising for materially different causes
- Third-party or shared databases
Volunteer Data
Volunteer databases are a major data processing activity for most charities — and one that often lacks the same governance as donor data.
Volunteers are not employees, but many of the same data protection principles apply. You will typically hold:
- Contact details
- Emergency contact information
- DBS check results (criminal record data, which UK GDPR protects in a similar way to special category data; see Article 10 below)
- Health or disability information (for reasonable adjustments)
- References and application materials
- Training records and qualifications
- Availability and commitment history
Key issues for volunteer data:
DBS checks are criminal conviction data under Article 10 GDPR and Schedule 1 DPA 2018. You must have a Schedule 1 condition to process this data, and a relevant ICO registration. You should have a documented policy on DBS data, and typically should not retain full DBS certificates — only the outcome (clear/barred) and date of check.
Health and disability information collected from volunteers (for reasonable adjustments, for example) is special category data requiring an Article 9 basis. Explicit consent or the employment/social protection condition is typically appropriate.
Retention: Many charities retain volunteer records indefinitely, which is rarely justified. You should set a defined retention period — typically a reasonable period after the volunteer relationship ends (commonly 3-7 years depending on any legal requirements) — unless safeguarding or legal reasons justify longer retention.
Fundraising Email Rules
When sending fundraising emails in the UK, you must comply with both UK GDPR and PECR. The rules in practice:
- New prospects (people who have never donated or engaged): You must have explicit consent before sending marketing emails. Buying email lists or using data from third-party enrichment tools is high-risk and likely non-compliant.
- Existing donors: You can use the soft opt-in if the conditions are met (see above), or explicit consent.
- Lapsed donors: Treat as new prospects unless you can demonstrate the soft opt-in still applies. A donation 10 years ago with no subsequent communications is unlikely to justify continued emailing.
- Peer-to-peer fundraisers: If a supporter creates a fundraising page on your behalf, they are not automatically consenting to all future marketing from you — be careful about how you use that data.
- Opt-out mechanism: Every marketing email must include a clear, working unsubscribe link. Honouring opt-outs promptly (within 10 business days at most) is a legal requirement, not a courtesy.
The Fundraising Regulator's Code of Fundraising Practice works alongside PECR and GDPR — compliance with both is expected by regulators.
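The rules above amount to a decision procedure that a fundraising database should apply before any send. The following is an added example, not code from the original guide or from any named tool: it encodes the PECR checks described here (opt-out first, no third-party lists, explicit consent, then each soft opt-in condition) as a single function over constructed supporter records. The two-year lapse window, the source labels and the cause labels are assumptions chosen for illustration; the guide sets no fixed lapse period.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Assumed policy value: a donor with no engagement for longer than this is
# treated as lapsed, i.e. as a new prospect. The guide gives no fixed figure.
LAPSE_WINDOW = timedelta(days=2 * 365)

# Relationships from which the soft opt-in can arise (donation or membership,
# per the guide). Any other source needs explicit consent.
SOFT_OPT_IN_SOURCES = {"donation", "membership"}
THIRD_PARTY_SOURCES = {"purchased_list", "shared_database"}


@dataclass
class Contact:
    email: str
    source: str                                  # how the address was obtained
    causes: Tuple[str, ...] = ()                 # charitable purposes engaged with
    consent_recorded_on: Optional[date] = None   # explicit marketing consent
    consent_withdrawn_on: Optional[date] = None
    opt_out_offered_at_collection: bool = False
    opted_out: bool = False
    last_engagement: Optional[date] = None       # last donation, renewal or reply


@dataclass
class Decision:
    allowed: bool
    basis: str        # "consent", "soft-opt-in" or "none"
    reason: str


def email_eligibility(contact: Contact, campaign_cause: str, today: date) -> Decision:
    """Decide whether a fundraising email may be sent to this contact."""
    # An opt-out overrides every other basis, including earlier consent.
    if contact.opted_out:
        return Decision(False, "none", "contact has opted out; this must be honoured")
    # Bought or shared lists: no consent given to us, and the soft opt-in never applies.
    if contact.source in THIRD_PARTY_SOURCES:
        return Decision(False, "none", "third-party or shared list; no valid PECR basis")
    # Explicit, recorded and unwithdrawn consent is always sufficient.
    if contact.consent_recorded_on and contact.consent_withdrawn_on is None:
        return Decision(True, "consent",
                        f"explicit consent recorded {contact.consent_recorded_on.isoformat()}")
    # Otherwise test each soft opt-in condition in turn.
    if contact.source not in SOFT_OPT_IN_SOURCES:
        return Decision(False, "none",
                        f"source {contact.source!r} gives no soft opt-in (e.g. a peer-to-peer page)")
    if not contact.opt_out_offered_at_collection:
        return Decision(False, "none", "no opt-out was offered when the address was collected")
    if campaign_cause not in contact.causes:
        return Decision(False, "none",
                        f"campaign {campaign_cause!r} is not a similar charitable purpose")
    if contact.last_engagement is None or today - contact.last_engagement > LAPSE_WINDOW:
        return Decision(False, "none", "donor has lapsed; treat as a new prospect")
    return Decision(True, "soft-opt-in", "all soft opt-in conditions met")


def mailable(contacts: List[Contact], campaign_cause: str, today: date) -> List[str]:
    """Addresses that may receive this campaign, in input order."""
    return [c.email for c in contacts if email_eligibility(c, campaign_cause, today).allowed]


# Constructed sample supporters (not real data).
SAMPLE = [
    Contact("a@example.org", "donation", ("food_bank",),
            opt_out_offered_at_collection=True, last_engagement=date(2024, 11, 2)),
    Contact("b@example.org", "donation", ("food_bank",),
            opt_out_offered_at_collection=True, last_engagement=date(2015, 1, 9)),
    Contact("c@example.org", "peer_to_peer", ("marathon",), last_engagement=date(2024, 9, 1)),
    Contact("d@example.org", "web_signup", (), consent_recorded_on=date(2024, 3, 3)),
    Contact("e@example.org", "donation", ("food_bank",), opt_out_offered_at_collection=True,
            last_engagement=date(2024, 12, 1), opted_out=True),
    Contact("f@example.org", "purchased_list", ()),
]

if __name__ == "__main__":
    for c in SAMPLE:
        d = email_eligibility(c, "food_bank", date(2025, 1, 15))
        print(f"{c.email:16} {'SEND' if d.allowed else 'SKIP'} {d.basis:12} {d.reason}")
```

The order of the checks matters: the opt-out test runs before the consent test so that a withdrawn or opted-out supporter is never mailed on the strength of an older consent record, and the returned reason gives the audit trail the ICO expects when a send is questioned.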
Grant Application Data
Many charities receive and hold substantial data through grant applications — from applicants who are individuals, from beneficiaries described in applications, or from partner organisations' staff details.
This data is often not well-governed. Some issues to address:
- Applicant data: If individuals apply for grants, you're processing their personal data. Be transparent about how it will be used (assessment, reporting, future communications). Set a clear retention period — typically the current grant cycle plus 3-6 years for audit purposes.
- Beneficiary data in applications: Grant applications sometimes include detailed personal information about beneficiaries (including health data, family circumstances, immigration status). This is special category data even if the beneficiary hasn't submitted it directly. Apply appropriate restrictions on access and retention.
- Unsuccessful applicants: Many organisations hold data on unsuccessful applicants indefinitely. Set a proportionate retention period — perhaps 1-2 years — after which data should be deleted unless there's a specific reason to retain it.
- Third-party data in applications: If applicants share data about their staff, volunteers, or beneficiaries, you should inform them of this in your grant guidelines and your privacy notice.
Children's Data
Charities working with young people, schools, youth groups, or families must pay particular attention to children's data requirements.
Under UK GDPR and the DPA 2018:
- Children under 13 cannot provide their own consent for information society services (apps, online platforms). Parental consent is required.
- For in-person activities and services, there is no hard age threshold for consent, but children's best interests must be paramount and you should apply a higher standard of care.
- The ICO's Children's Code (Age Appropriate Design Code) applies to online services likely to be accessed by children — if your charity has an app or online platform accessible to under-18s, you must comply.
Practical issues for charities:
- Youth clubs, sports groups, and similar organisations often collect significant amounts of data from children and their parents — contact details, medical information, photo consent
- School outreach programmes may result in children's data being shared with the charity
- Photography of children at events is a sensitive area — explicit parental consent is strongly recommended, and images should not be published without it
Always appoint a named individual responsible for children's data, maintain separate records for children's data, and apply stricter retention limits.
Safeguarding Records: When Long Retention Is Justified
Charities working with vulnerable adults or children often ask how long safeguarding records must be kept. This is one area where the normal data minimisation principle can be overridden by a stronger public interest argument.
The Charity Commission and sector guidance (such as the NSPCC's guidance for charities) generally recommends:
- Safeguarding incident records involving children: Retain until the child's 75th birthday (or 25 years after the incident if that is later)
- Safeguarding records involving vulnerable adults: Typically 7 years after the end of involvement
- DBS disclosures: Do not retain the certificate itself — retain only the outcome and date
The justification for extended retention of safeguarding records is the public interest in protecting children and vulnerable people, and the potential for historical abuse to come to light years later. This falls under Article 9(2)(g) GDPR (substantial public interest) and the DPA 2018 Schedule 1, Part 2.
However, this does not mean "keep everything forever." Safeguarding records should be retained under a specific, documented policy — not just by default. Access should be strictly limited, records should be clearly marked, and the policy should be reviewed regularly.
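The retention periods given for volunteer records, grant applicants and safeguarding records above are easier to enforce when they are computed rather than remembered. The following is an added example, not code from the original guide or from any sector body: it turns those periods into a retention schedule that returns a deletion date for each record and lists what is overdue, including the "75th birthday or 25 years after the incident, whichever is later" rule and a 29 February date of birth. The concrete year counts are assumptions picked from within the ranges the guide quotes; the category names and sample records are constructed.

```python
from dataclasses import dataclass
from datetime import date
from typing import Iterable, List, Optional


def add_years(d: date, years: int) -> date:
    """Add calendar years; a 29 February start date falls back to 28 February."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


@dataclass
class Record:
    record_id: str
    category: str
    event_date: date                    # relationship end, incident, grant decision or DBS check date
    subject_dob: Optional[date] = None  # required for child safeguarding records


# Assumed concrete periods chosen from within the ranges the guide gives; a real
# schedule fixes these per organisation and documents the reason for each.
VOLUNTEER_YEARS = 6               # guide: 3-7 years after the relationship ends
ADULT_SAFEGUARDING_YEARS = 7      # guide: 7 years after involvement ends
CHILD_AGE_LIMIT = 75              # guide: until the child's 75th birthday ...
CHILD_POST_INCIDENT_YEARS = 25    # ... or 25 years after the incident, whichever is later
GRANT_APPLICANT_YEARS = 6         # guide: grant cycle plus 3-6 years
UNSUCCESSFUL_APPLICANT_YEARS = 2  # guide: 1-2 years


def retention_end(record: Record) -> date:
    """Date on which the record falls due for deletion under the schedule."""
    c = record.category
    if c == "volunteer":
        return add_years(record.event_date, VOLUNTEER_YEARS)
    if c == "safeguarding_child":
        if record.subject_dob is None:
            raise ValueError(f"{record.record_id}: child safeguarding record needs a date of birth")
        return max(add_years(record.subject_dob, CHILD_AGE_LIMIT),
                   add_years(record.event_date, CHILD_POST_INCIDENT_YEARS))
    if c == "safeguarding_adult":
        return add_years(record.event_date, ADULT_SAFEGUARDING_YEARS)
    if c == "grant_applicant":
        return add_years(record.event_date, GRANT_APPLICANT_YEARS)
    if c == "grant_unsuccessful":
        return add_years(record.event_date, UNSUCCESSFUL_APPLICANT_YEARS)
    if c == "dbs_certificate":
        # The certificate itself is not retained; only outcome and date are kept elsewhere.
        return record.event_date
    raise ValueError(f"{record.record_id}: no retention rule for category {c!r}")


def due_for_deletion(records: Iterable[Record], today: date) -> List[str]:
    """IDs of records whose retention period has ended, sorted for a review list."""
    return sorted(r.record_id for r in records if retention_end(r) <= today)


# Constructed sample records (not real people or cases).
SAMPLE = [
    Record("VOL-001", "volunteer", date(2018, 5, 10)),
    Record("SG-CHILD-001", "safeguarding_child", date(2005, 1, 1), subject_dob=date(2000, 1, 1)),
    Record("SG-ADULT-001", "safeguarding_adult", date(2019, 3, 1)),
    Record("DBS-001", "dbs_certificate", date(2024, 7, 1)),
    Record("GRANT-REJ-001", "grant_unsuccessful", date(2022, 9, 30)),
]

if __name__ == "__main__":
    for r in SAMPLE:
        print(f"{r.record_id:14} {r.category:20} delete on {retention_end(r).isoformat()}")
    print("due now:", due_for_deletion(SAMPLE, date(2025, 1, 1)))
```

A scheduled run of `due_for_deletion` over the live database, with its output reviewed and signed off before deletion, is what turns "implement a retention schedule" into something an auditor can see being enforced.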
Your Privacy Notice
Your privacy notice must be written in clear, plain language — not legal jargon. It must cover:
- What personal data you collect and how
- The legal basis for each type of processing
- Any special category data and the Article 9 condition
- How long you retain data
- Who you share data with (and why)
- Individual rights (access, erasure, rectification, objection, portability, restriction)
- How to make a complaint to the ICO
- Contact details for your data protection queries (or your DPO if appointed)
Many charity privacy notices are outdated, incomplete, or simply copied from commercial templates. A notice that says "we collect your data to provide our services" without specifying what those services are, or what legal basis applies, is not GDPR-compliant.
Scan your website now to see what data is actually being collected — and whether your privacy notice reflects it: https://app.custodia-privacy.com/scan
Do You Need a Data Protection Officer?
Under GDPR, a Data Protection Officer (DPO) is mandatory if:
- You are a public authority
- Your core activities require large-scale, regular and systematic monitoring of individuals
- Your core activities involve large-scale processing of special category data
Many health charities, charities working with vulnerable people, or charities running large-scale research programmes may be required to appoint a DPO. Smaller charities are unlikely to be required to appoint one, but may benefit from designating a named data protection lead internally.
Whether or not a DPO is required, you must:
- Register with the ICO if you process personal data (there is a small annual fee, with exemptions for some organisations — check the ICO's self-assessment tool)
- Maintain a Record of Processing Activities (ROPA) documenting what data you hold, why, who you share it with, and how long you keep it
Practical Steps to Get Compliant
If you're a charity that hasn't done a full GDPR review, here's where to start:
Conduct a data audit. Map every type of personal data you hold, where it came from, why you have it, who can access it, and when it should be deleted.
Review your legal bases. For each category of processing, document whether you're relying on consent, legitimate interest, legal obligation, or another basis. For special category data, document the Article 9 condition.
Update your privacy notice. Make it accurate, plain-English, and complete.
Review your consent mechanisms. Any consent forms, donation pages, or sign-up flows that use pre-ticked boxes or bundled consent need to be updated.
Implement a retention schedule. Set defined deletion timelines for every category of data — and actually enforce them.
Check your electronic communications. Are you sending emails or SMS with a valid legal basis under PECR? Do you have working opt-outs?
Check your website. Are you using analytics, embedded social media, or other third-party tools that set cookies or collect data? Do you have a compliant cookie consent banner?
Train your team and volunteers. Data breaches are most often caused by human error. Brief everyone who handles personal data on the basics.
Establish a breach response process. You have 72 hours to notify the ICO of certain breaches. Have a clear internal process so you can act quickly.
Scan your website. See what's actually being collected and identify compliance gaps in 60 seconds: https://app.custodia-privacy.com/scan
Final Thoughts
GDPR compliance for charities is not about bureaucracy — it's about treating the people who support your mission, benefit from your services, and give their time as volunteers with the respect they deserve. The data they share with you is given in trust. GDPR is the legal framework that makes that trust explicit and enforceable.
The ICO has been generally supportive of charities that make genuine efforts to comply and engage openly when issues arise. The organisations that face enforcement action are typically those that have ignored the rules entirely, suffered a breach through negligence, or engaged in practices (like unsolicited mass marketing) that show clear disregard for individuals' rights.
Get the basics right, document what you do, keep it under review, and your charity will be in a strong position — both legally and reputationally.
This guide provides general information about GDPR for charities and NGOs. It does not constitute legal advice. Requirements may vary based on your jurisdiction, the nature of your processing activities, and your specific supervisory authority. For advice tailored to your organisation, consult a qualified privacy professional or your supervisory authority's published guidance.