GDPR for Charities: The Complete Compliance Guide for Non-Profit Organisations
Charities occupy a unique place in the public imagination — trusted, mission-driven, often staffed largely by volunteers. That trust is precisely why GDPR compliance matters so much for the sector. A data breach or a fundraising consent scandal doesn't just result in a regulatory fine; it erodes the donor confidence that charities depend on to survive.
The starting point that catches many trustees and operations managers off guard: there is no GDPR exemption for charities. The regulation applies to your organisation in exactly the same way it applies to a commercial business. If you process personal data — and virtually every charity does — you are a data controller, and you have the same obligations as any other data controller.
This guide covers everything charity trustees, operations managers, and volunteer coordinators need to know.
Charities Are Data Controllers — Full Stop
GDPR defines a data controller as any entity that determines the purposes and means of processing personal data. When your charity decides to keep a donor database, run a beneficiary support programme, or manage a volunteer roster, you are making those determinations. You are a data controller.
This means you must:
- Have a lawful basis for every category of data you process
- Maintain records of your processing activities
- Respond to data subject rights requests (access, erasure, portability, etc.)
- Report data breaches to the ICO within 72 hours if they meet the threshold
- Implement appropriate technical and organisational security measures
- Have a compliant privacy notice on your website and in your intake processes
The Charity Commission expects trustees to have oversight of GDPR compliance as part of their governance responsibilities. The Commission's guidance treats data protection as a matter of organisational risk — which it is.
ICO Registration: Most Charities Must Register
Many charities assume they are exempt from ICO registration. Most are not. Under the Data Protection (Charges and Information) Regulations 2018, organisations that process personal data must pay a data protection fee to the ICO unless a specific exemption applies.
The exemptions that might apply to a small charity include processing only for staff administration, accounts and records, or advertising and marketing of your own organisation — but these are narrow. If you process beneficiary data, run fundraising campaigns, or hold donor records beyond basic transactions, you almost certainly need to register and pay the fee (currently £40/year for most small charities; £60 for medium organisations).
Failure to register when required is a criminal offence. Check the ICO's self-assessment tool if you are unsure.
What Data Charities Typically Process — and the Lawful Bases
Different categories of people your charity interacts with require different lawful bases. Getting this wrong is one of the most common GDPR mistakes in the sector.
Donor Records
For individual donors, the typical lawful bases are:
- Contractual necessity — for processing Gift Aid, sending acknowledgement letters, and fulfilling any benefits associated with a donation
- Legitimate interests — for keeping a record of past donations to support future fundraising, where the donor would reasonably expect this
- Consent — for sending marketing communications by email or text (more on this below)
Do not assume that a donation constitutes consent to receive future marketing. It does not.
Beneficiary Data
Beneficiary data is often the most sensitive data a charity holds. Depending on your charitable purpose, you may hold data about mental health conditions, addiction, domestic abuse, housing status, immigration status, financial hardship, disability, or homelessness.
Many of these categories fall under Article 9 special category data (health, racial or ethnic origin, sexual orientation, religious belief) or are closely linked to vulnerability in ways that require heightened care even where Article 9 doesn't technically apply.
The typical lawful basis for processing beneficiary data is Article 6(1)(b) — contractual necessity (delivering the service the beneficiary has engaged you for) combined with Article 9(2)(b) — employment, social security and social protection law or Article 9(2)(h) — health or social care purposes where applicable. Some charities also rely on explicit consent under Article 9(2)(a).
Critically, beneficiary data should be kept strictly separate from fundraising data. A beneficiary's circumstances must never be used for fundraising without their separate, explicit consent.
Volunteer Data
Volunteers are not employees, but their data requires similar care. You will typically hold contact information, emergency contacts, role history, training records, references, and potentially DBS check results.
The lawful basis for most volunteer data processing is legitimate interests — the mutual benefit of the volunteering relationship. Some processing (DBS checks, references) may require different bases depending on the role.
Volunteers have the same data subject rights as anyone else: the right to access their data, to correct inaccuracies, and to request deletion once the volunteering relationship ends (subject to any retention requirements).
Employee Data
Your paid staff are covered by employment law as well as GDPR. The lawful basis for most employee data processing is contractual necessity (processing necessary to perform the employment contract) and legal obligation (payroll, tax, employment law requirements).
Sensitive employee data — health information for sick leave, disciplinary records — requires Article 9 compliance where health data is involved.
Fundraising Data and the PECR Overlap
This is where the charity sector has faced the most significant regulatory scrutiny. The Privacy and Electronic Communications Regulations (PECR) sit alongside GDPR and govern electronic marketing — email, text messages, and automated calls.
Under PECR, you need opt-in consent to send marketing emails or texts to individuals. The key word is opt-in: pre-ticked boxes, "by donating you agree to receive communications," and implied consent from a previous donation are not valid.
The ICO fined the British Heart Foundation, Cancer Research UK, and other major charities in 2016-2019 for using donor data for fundraising without proper consent — under the pre-GDPR regime. Post-GDPR, the requirements are stricter. The soft opt-in exemption (which allows marketing to existing customers without fresh consent) does not apply to charities in the same way it applies to commercial businesses, because a donation is not the same as a purchase of a similar product or service.
Best practice for charities:
- At the point of donation, include a clear, separate opt-in for marketing communications
- Separate different types of communications (impact updates, fundraising appeals, events) and get consent for each
- Record when and how consent was obtained
- Honour opt-outs immediately
- Don't assume that a donor who gave five years ago consented to communications under today's standards — run a re-permission campaign if your records pre-date GDPR
Gift Aid and Data Sharing with HMRC
Gift Aid enables UK charities to reclaim 25p for every £1 donated by a basic rate taxpayer. To claim Gift Aid, you must collect and hold a Gift Aid declaration from each donor and share data with HMRC as part of the claims process.
The lawful basis for processing Gift Aid data is legal obligation (compliance with HMRC requirements) and contractual necessity. The sharing with HMRC is permitted under Article 6(1)(c) — processing necessary for compliance with a legal obligation.
Retain Gift Aid declarations for six years after the tax year in which the last claim was made. This is both an HMRC requirement and a GDPR data retention consideration — you have a legitimate reason to retain the data for this period.
Important: Gift Aid declarations contain financial information (tax status) and must be stored securely. Ensure your donor management system restricts access appropriately.
Beneficiary Data as Special Category Data
Article 9 of GDPR creates a higher protection regime for certain categories of personal data: health and medical data, racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, sexual orientation, and data concerning criminal convictions and offences.
Many charities process special category data as part of their core mission:
- Health charities — medical conditions, treatment history, disability status
- Homelessness charities — mental health, substance use, criminal history
- Domestic abuse organisations — details that could put beneficiaries at risk if disclosed
- Refugee and asylum support — nationality, ethnic origin, religion
- LGBTQ+ charities — sexual orientation and gender identity
Processing special category data requires both a lawful basis under Article 6 and an additional condition under Article 9. The most commonly applicable conditions for charities are:
- Article 9(2)(a) — explicit consent
- Article 9(2)(b) — employment, social security, or social protection
- Article 9(2)(h) — provision of health or social care
You must document which Article 9 condition you are relying on for each category of special category data. This should be part of your Records of Processing Activities (ROPA).
DBS Checks and Criminal Record Data
Charities working with children, vulnerable adults, or in regulated activities are required or entitled to carry out Disclosure and Barring Service (DBS) checks. DBS data — criminal record information — is subject to additional restrictions under GDPR and Schedule 1 of the Data Protection Act 2018.
Key rules for DBS data:
- Only request DBS checks for roles where they are appropriate and proportionate
- Store DBS certificates securely; don't retain them longer than necessary (the DBS recommends six months in most cases)
- Don't keep a copy if the individual shows you the certificate — note the date, level, and reference number instead
- Only people with a legitimate need should have access to DBS information
- Maintain a policy on the secure handling of DBS data
Volunteers in roles involving regulated activity with children or vulnerable adults require enhanced DBS checks. The legal basis for processing this data is typically Article 9(2)(b) combined with a Schedule 1 condition under DPA 2018.
Children's Programmes and Parental Consent
If your charity runs programmes for children — youth clubs, educational projects, sports activities — you are likely processing children's personal data. GDPR and the ICO's Children's Code (also known as the Age Appropriate Design Code, which applies to online services likely to be accessed by children) set higher standards for this processing.
For children under 13, parental or guardian consent is required for online services. For activities generally, if you are collecting health, contact, or emergency information about a child, consent must come from a parent or guardian with parental responsibility.
Practical steps for charities running children's programmes:
- Use age-appropriate registration forms completed by parents
- Clearly explain what data is collected and why
- Do not use children's data for any purpose beyond the programme they are enrolled in
- Apply strict access controls — only staff with DBS clearance should have access to children's data
- Have a clear data retention policy — delete data when a child ages out of the programme and you are no longer required to keep records
The Charity Commission's Expectations
The Charity Commission expects trustees to manage data protection as part of their governance responsibilities. This means:
- Trustees should be aware of the charity's data protection obligations
- The board should have oversight of compliance — it should appear on risk registers
- Significant data breaches that could affect charitable assets or reputation may need to be reported to the Charity Commission in addition to the ICO
- Charities with annual incomes over £25,000 must file annual returns; trustees are personally accountable for governance failures
The Commission has made clear that a data breach or systemic non-compliance is a governance failure, not just an administrative one.
GDPR Compliance Checklist for Charities
Use this checklist to assess your charity's current compliance posture:
Foundations
- [ ] ICO registration checked and completed if required
- [ ] Privacy notice published on website covering all categories of data subjects
- [ ] Records of Processing Activities (ROPA) documented
- [ ] Data Protection Officer (DPO) appointed if required (charities processing special category data at scale)
Donor and Fundraising Data
- [ ] Separate opt-in consent obtained for marketing communications
- [ ] Gift Aid declarations stored securely with 6-year retention policy
- [ ] Suppression list maintained for opted-out contacts
- [ ] Old donor records reviewed — re-permission campaign completed if needed
Beneficiary Data
- [ ] Lawful basis and Article 9 condition documented for all special category data
- [ ] Beneficiary data held separately from fundraising/donor data
- [ ] Access controls in place — only staff who need it can access beneficiary information
- [ ] Data minimisation applied — only collecting what is necessary
Volunteer and Staff Data
- [ ] DBS check policy in place with secure handling procedures
- [ ] Volunteer data retention policy documented
- [ ] Staff privacy notice provided at onboarding
Children's Programmes
- [ ] Parental consent obtained for children under 13
- [ ] Children's data stored separately with strict access controls
- [ ] Retention policy applied when children leave the programme
Security and Breach Response
- [ ] HTTPS on all web presences
- [ ] Data breach response procedure documented
- [ ] Staff training on recognising and reporting data incidents
- [ ] 72-hour ICO notification process understood
Ongoing
- [ ] Annual GDPR review on board agenda
- [ ] ROPA updated when new programmes or tools are introduced
- [ ] Supplier contracts reviewed for data processor agreements
Get Your Website Scanned
Most charities have websites that collect more data than trustees realise — contact forms, donation platforms, embedded social media, analytics tools, and third-party fundraising widgets can all result in personal data being transferred to processors you haven't reviewed.
Start with what you can see. Scan your website with Custodia to get a free audit of trackers, data flows, and compliance gaps in 60 seconds. No signup required.
Understanding what your digital presence actually collects is the first step toward understanding your full GDPR obligations as a charity.
This guide provides general information about GDPR compliance for charities operating under UK and EU law. It does not constitute legal advice. Requirements vary by organisational type, size, and the nature of data processed. Consult a qualified data protection professional for advice specific to your charity.