Data protection advice for UK charities

9 January 2024

Charities, like any other organisation, are subject to the UK General Data Protection Regulation (UK GDPR) and the UK Data Protection Act 2018. This means that they have a legal responsibility to protect the personal data of their donors, beneficiaries, staff, and volunteers.

What is personal data?

Personal data is any information that can be used to identify an individual, either directly or indirectly. This can include things like name, contact details, date of birth, and financial information.

Due to the nature of their charitable work, charities often collect and process sensitive or private personal data, such as health information or financial data. Some of this data is deemed ‘special category’ data and is subject to additional protection under the UK GDPR.

What are the data protection requirements for charities?

Charities must comply with the following key data protection requirements:

  • Lawfully collect and process personal data. Charities must have a legal basis for processing personal data. This could be consent, contract, legal obligation, vital interests, public task, or legitimate interests.
  • Be transparent about how they use personal data. Charities must provide individuals with clear and concise information about how they will use their personal data, before or at the time of collection.
  • Give individuals control over their personal data. Individuals have certain rights over their personal data, including the right to request access, rectification or erasure. Charities must comply with these requests unless an exemption applies.
  • Keep personal data secure. Charities must take appropriate technical and organisational measures to protect personal data from unauthorised access, use, disclosure, alteration, or destruction.

UK GDPR exemptions for charities

Some not-for-profit organisations are exempt from registering with the Information Commissioner’s Office (ICO). This applies, for example, to charities that process personal data only for the purposes of establishing or maintaining membership, or providing activities for their members or other people the charity has regular contact with.

However, this exemption is narrow and there are a number of conditions that must be met. Some charities choose to register and pay the fee despite being exempt, so they can be listed on the ICO register.

Charities may also be exempt from complying with certain individual rights under the UK GDPR, where this would prevent or seriously impair the achievement of your charitable purposes. This exemption is particularly relevant to charities that process confidential data to provide support to vulnerable people or carry out research into sensitive topics.

You should be mindful that these exemptions must only be relied upon where they are strictly necessary and where you meet the criteria. If you are unsure whether an exemption applies to your charity, you should seek advice.

How to comply with the UK GDPR

Charities can comply with the UK GDPR by following these steps:

  • Conduct a data audit. This will help charities to identify what personal data they collect and how they use it.
  • Develop data protection policies and procedures. These policies and procedures should cover all aspects of data protection, from collecting and using data to storing and disposing of it.
  • Train staff and volunteers on data protection. All staff and volunteers who handle personal data should be trained on their data protection responsibilities.
  • Implement appropriate technical and organisational security measures. This could include using strong passwords, encrypting data, and having a data breach response plan in place.

Charities also often work with third parties such as fundraisers. When sharing personal data with third parties, charities must put appropriate agreements in place and carry out due diligence to ensure the third parties have adopted suitable security measures.

Appointing a charity Data Protection Officer (DPO)

Q: What is the role of a DPO in a charity?

Your DPO is responsible for overseeing the charity’s compliance with data protection law. They must be independent and have the necessary expertise and experience. The DPO’s tasks include:

  • Advising the charity on its data protection obligations
  • Monitoring the charity’s compliance with data protection law
  • Raising awareness of data protection issues within the charity
  • Training staff and volunteers on data protection
  • Acting as a contact point for data subjects and the Information Commissioner’s Office (ICO)

Q: Does my charity need to appoint a DPO?

The charity’s board of trustees is responsible for appointing a DPO. You are legally required to appoint a DPO if your charity processes personal data on a large scale or uses personal data to monitor individuals on a regular and systematic basis.

Even if you are not legally required to have a DPO, it is still a good idea to appoint one if you handle a lot of personal data. A DPO can help you protect your charity’s reputation and avoid costly fines and penalties.

Q: What are the benefits of a DPO service?

  • Peace of mind knowing that your charity is compliant with data protection laws
  • Reduced risk of data breaches and fines
  • Improved reputation as a trustworthy organisation
  • Access to expert advice and training

Outsourcing your DPO as a service provides several advantages over the traditional in-house model. For more information, see our web page here.

We understand that charities have limited resources, so we offer a flexible and affordable service. We can provide you with as much or as little support as you need, depending on your budget and requirements.

Contact us today to find out more about our DPO service for charities.