Data Protection for Charities

Regular giving, playing a lottery, running a marathon, responding to appeals, selling products, running events and volunteering.

Charities have many ways of creating a relationship between supporters and a cause. Nearly all of them will involve personal data and makes data protection for charities a unique challenge.

Charities have been in the data protection and fundraising spotlight recently and not always for the right reasons. The Charity Commission’s Statement of Strategic Intent 2018-2023 says that charities should demonstrate “more than just compliance with the minimum legal requirements” and that “charitable aims cannot justify uncharitable means.

This shows increasing scrutiny of charities’ personal data and fundraising practices by the Charity Commission. As a result, when it comes to handling personal data, charities need to embrace their unique position in society and live up to the Commission’s Strategy.


Volunteers are a great resource for charities but also create some specific risks around their use of personal data. Because they are not employed as regular members of staff, ensuring they are trained and aware of their data protection responsibilities can be a challenge.

The Board of Trustee are also often volunteers and present specific challenges. They regularly receive sensitive or special category data by email and insist on receiving on their personal or professional email accounts.


Fundraising is usually a charity’s primary way to provide a service or further a cause. As a result, there can be pressure to bring in enough income to remain sustainable. This pressure translates to the misuse of personal data. Practices such as audience profiling and wealth screening are subsequently common. Whilst these are possible, these need to be handled carefully.

Ethical values

As referenced above, the Charity Commission is pushing charities to think about more than just baseline legal compliance. You need to think about your ethical values across strategy and decision making. And this includes the use of personal data. It is about how you should behave rather than what you can get away with.


Financial restraints are an issue for many charities and finding the money to dedicate to data protection is not easy. However, it is a legal requirement to ensure you have appropriate measures in place to use personal data in line with the data protection principles. So how do you balance these competing pressures? You need to understand you risks.


Accountability is a key principles under GDPR. This means that your trustees and senior managers must be aware of their responsibilities. They must ensure the charity is managing data protection risks properly. Senior managers have other responsibilities though and often prioritise them. It is therefore common for data protection to be handed to a member of staff without support, training or authority to make changes. If you are trying to make improvements to data protection in your charity, senior leadership awareness is something you need to address early.

Special category data

If your charity provides a health or disability related service, support for addiction, you will handle an amount of special category data. This is data that is considered more sensitive and will real cause real harm to individuals if subject to a breach. As a result, this greatly increases a charity’s personal data risk. It makes it all the more important that measures are in place to ensure it is used appropriately.

Where to start

The most important place to start is to understand how personal data moves around your charity. Speak to each department and record what information is processed across the organisation. You need to know where the information comes from, how it is used and where it goes. Even without specialist data protection knowledge, this process will highlight some high risk activities that you can subsequently address.

The next steps are around:

  • Agreeing responsibilities
  • Policies
  • Improving Awareness
  • Understanding your lawful basis for processing
  • Assessing your risks

These aren’t always easy tasks and you may need some advice. If you decide you do, we have extensive experience with data protection for charities. We can help.

Want to understand the Mistakes that cost BA £20m?

  • By using this form, you agree to our Terms and have read our Privacy Information

  • This field is for validation purposes and should be left unchanged.

what we do

Protecture is a team of IT, Information Security and data protection experts who can provide planning, guidance and implementation of front line services and support to your organisation.