Do Charities Have to Comply with GDPR? What Small Charities Need to Know
Yes. If your charity collects, stores, or uses personal data — names, addresses, email addresses, donation records, DBS check results, beneficiary information — the UK GDPR and the Data Protection Act 2018 apply. There is no exemption for charities, and there is no exemption based on size.
The good news: compliance for a small charity is not the same as compliance for a multinational corporation. The requirements are proportionate. Here is what you actually need to do.
What counts as personal data?
Personal data is any information that identifies or could identify a living person. For charities, this typically includes:
- Donor and supporter records — names, addresses, email addresses, Gift Aid declarations, donation history
- Beneficiary records — names, contact details, case notes, needs assessments
- Trustee and volunteer records — names, dates of birth, addresses, DBS check results
- Event attendees — sign-up lists, attendance records
- Website visitors — IP addresses, cookie identifiers, and analytics data. Non-essential cookies (which includes most analytics cookies) also need consent under the Privacy and Electronic Communications Regulations (PECR), separately from GDPR
If you hold any of this data in any format — spreadsheet, database, paper files, email — GDPR applies.
Do you need to register with the ICO?
Most charities that process personal data must register with the Information Commissioner's Office (ICO) and pay an annual data protection fee. Charities pay the lowest fee tier regardless of their size or turnover (£40 per year at the time this guide was written). Fees are revised periodically, so confirm the current amount with the ICO's fee self-assessment tool before paying.
Exemptions: A charity may be exempt from the fee if it processes personal data only for not-for-profit purposes: keeping records of its own members and supporters, running activities for them, and not sharing that data with anyone else except with the individual's consent or where the law requires it. There is a separate exemption for organisations that hold no personal data on computers at all. Both exemptions are narrow: a charity that emails a supporter list, runs a donor database, or uses CCTV almost certainly needs to register. Use the ICO's fee self-assessment tool to check.
The six lawful bases — which ones matter for charities
Under UK GDPR, every time you process personal data you need a lawful basis. There are six, but most small charities use three:
Legitimate interests — You have a genuine reason to process the data, and that reason is not outweighed by the individual's interests, rights, and freedoms. This is the most flexible basis and covers much of what charities do: keeping supporter records, managing volunteer records, processing donations, sending postal updates to existing supporters. Document a Legitimate Interests Assessment (LIA): a brief written record of the purpose, why the processing is necessary for it, and why the impact on the individual does not outweigh it. One caveat: marketing by email, text, or phone is also governed by PECR, which sits alongside UK GDPR. Under PECR, fundraising or marketing emails and texts to individuals generally require consent, and relying on legitimate interests under GDPR does not remove that requirement. (The Data (Use and Access) Act 2025 extends the "soft opt-in" to charities; check the ICO's current PECR guidance for whether it is in force and what conditions apply.)
Consent — The individual has given clear, specific, affirmative consent to the processing. Use it for electronic marketing, for any processing people would not reasonably expect, and wherever you rely on it, keep a record of what the person agreed to, when, and how. Consent must be freely given, specific, informed, and unambiguous: pre-ticked boxes, silence, and bundled "agree to everything" terms do not count, and people must be able to withdraw consent as easily as they gave it.
Legal obligation — The law requires you to process the data. Examples: keeping financial records for HMRC, submitting trustee details to the Charity Commission, obtaining DBS checks where the role legally requires one. Note that DBS results are criminal offence data, which needs an additional condition under Schedule 1 of the Data Protection Act 2018 (safeguarding of children and individuals at risk is one) on top of the lawful basis.
Contract is relevant if you employ staff or sell memberships, tickets, or services to supporters. Vital interests and public task are rarely relevant for small charities.
What you need to have in place
1. A privacy notice
Tell people how you use their personal data. Your privacy notice should cover:
- What data you collect and why
- Your lawful basis for each type of processing
- Who you share data with (e.g., HMRC for Gift Aid)
- How long you keep data
- How people can access, correct, or delete their data
- How to complain
Publish this on your website and reference it in any forms where you collect personal data.
2. A data protection policy
An internal document for trustees and volunteers covering:
- Who is responsible for data protection (you do not need a formal Data Protection Officer unless you process sensitive data on a large scale, which most small charities do not)
- How data is kept secure — individual logins rather than shared accounts, multi-factor authentication on email and cloud services, encrypted laptops and phones, access limited to the people who need it for their role, regular backups, and locked cabinets for paper records
- Data retention periods — how long you keep each type of data
- Breach procedures — what to do if data is lost, stolen, or accessed by the wrong person
3. A record of processing activities
Under Article 30 of UK GDPR you must keep a record of your processing activities. Article 30 exempts organisations with fewer than 250 staff only where the processing is occasional, poses no risk to individuals, and involves no special category or criminal offence data. A charity with a donor database or DBS records will not meet that exemption, so assume you need one. For a small charity it can be a simple spreadsheet listing, for each type of data: the purpose, lawful basis, categories of individuals, who has access, who it is shared with, the retention period, and where it is stored.
4. Breach response plan
If personal data is lost, stolen, altered, or disclosed to the wrong person, assess the risk to the people concerned and record the incident, its effects, and what you did about it, whether or not you end up reporting it. If the breach is likely to pose a risk to individuals' rights and freedoms, notify the ICO within 72 hours of becoming aware of it. If the risk is high (for example, beneficiary case notes or bank details exposed), also tell the affected individuals without undue delay. Write the plan before you need it: who to contact, what to record, and who decides whether to report.
Do you need a Data Protection Officer?
Probably not. A formal DPO is required only if your charity's core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special category data (health, ethnic origin, religion, sexual orientation) or criminal offence data. Most small charities do not meet this threshold.
You should still have a named person responsible for data protection — this can be a trustee or a volunteer, and it does not need to be a full-time role.
Common mistakes
Relying on consent for everything. Consent is not always the best lawful basis. For keeping supporter records, processing donations, and sending postal updates to existing supporters, legitimate interests is usually more appropriate and does not require an opt-in for every communication. Electronic marketing is the exception: email and text marketing fall under PECR and generally do need consent. Over-relying on consent elsewhere creates unnecessary admin and means losing contact with supporters who never ticked a box.
Keeping data forever. Set retention periods for each type of data and act on them. Gift Aid declarations: 6 years after the last donation they cover. DBS certificates: the DBS code of practice says certificate information should not be kept for longer than six months; after the recruitment decision, keep only a record that a check was done, its date, level, and reference number. Beneficiary records: delete or anonymise when no longer needed for the purpose they were collected for.
No privacy notice. If you collect personal data without telling people how you use it, you are non-compliant regardless of how careful you are with the data itself.
Ignoring paper records. GDPR applies to paper files as well as digital records. If you have paper membership lists, donation forms, or case notes, they need the same protections — locked storage, controlled access, documented retention periods.
For a broader view of your compliance obligations, see our charity compliance checklist.
This guide applies to charities operating in the UK under the UK GDPR and Data Protection Act 2018. This is general guidance, not legal advice.
Last reviewed: 4 April 2026