People are crucial to your charity, those you help and the generous ones who support you. But aside from appreciation, you also have another responsibility to these groups — data protection.

Your charity will work with sensitive personal information, which means you must comply with General Data Protection Regulations (GDPR)

But how does it relate to what you do, and how can you make sure you follow it? Well, we’ve put together the critical information to help your organisation.

This guide discusses GDPR for small charities, which includes:

  • Core principles
  • Controllers and Processors
  • Disclosures
  • Data storages

GDPR for small charities:

Core principles

The Information Commissioner’s Office is responsible for enforcing the GDPR rules in the UK. They instruct you to use your charity’s data with these fundamental principles in mind:

  • Lawful and transparent — can’t gather the data illegally, and must be open when you ask for information.
  • Purpose limitation — be clear of the purpose for collecting data, can outline it as privacy information.
  • Data minimisation — don’t ask for more data than necessary, make sure information is relevant to your purpose.
  • Accuracy — to the best of your knowledge, data shouldn’t be misleading and aim to be correct.
  • Storage limitation — can’t keep data for longer than you need and must delete it after use.
  • Confidentiality — ensure that you have security in place to avoid stolen data or breaches.
  • Accountability — take responsibility for the information you take and ensure you comply with the principles.

Those principles are law within the Data Protection Act 2018, so you must consider them all before asking anyone for information. 

The Information Commissioner’s Office suggests that if you use these in your charity early on, you’ll find it easier to store safe and legal data.

If you don’t comply with those principles, it could mean that your organisation could face fines, which could put a financial strain on your operations.

Controllers and processors

When it comes to GDPR for small charities, it’s important to understand two terms that identify different parties’ relationship with the data:

  • Controllers — they decide the purpose and means of processing data (e.g. if your charity takes phone numbers to ask for more donations in future)
  • Processors — they process the data on behalf of the controller (e.g. external call centre that rings people to seek donations for your charity)

For example, suppose you have the details of people who sponsor guide dogs. In that case, you might pass those onto the marketing agency to email your donors updates. 

You’re likely a data controller. But you might use processors to help you carry out specific tasks with the information.

As a controller, you hold the highest responsibility to comply with the GDPR principles. You must ensure your processors do as well.


Another crucial part of GDPR for small charities is communicating your intentions for the information. 

You must make sure that you have consent from the individuals. The Information Commissioner’s Office recommends that you give them the option to change their mind in future.

In practical terms, that could mean that you offer ‘terms and conditions’ with a box that a donor can tick to hear more information about your charity. 

After contacting them they might ask you to stop and, following GDPR, you delete their details.

If you kept details despite an individual’s withdrawal of consent, you’d breach GDPR rules. They could take legal action against your organisation, and you might have to pay court fees and compensation.

Terms and conditions — are defined by the UK Government as written contracts between businesses and customers (or charities and donors).

The Consumer Rights Act 2015 means you can’t put anything unfair into your terms and conditions. But you can ask an individual if they are happy to give you consent to take, store and use their data.

Data storage

Store the data properly to follow GDPR for small charities correctly. The Information Commissioner’s Office describes this principle as ‘data protection by design and default‘.

It means that to follow the law, it’s your responsibility to integrate a safe practice when you design or decide how you hold the data

For example, suppose you have a digital document that includes people’s information. In that case, be careful about keeping it secure before you create it.

Additionally, you must have safeguards in place across your business to ensure that you avoid breaches of regulations. 

For example, you could backup digital information physically. That would mean if you face a data hack, you could still alert the individuals and let them know what’s happened.

After a ‘high risk’ breach of data that could put the rights or freedoms of individuals at risk, you need to alert them immediately. For example, if criminals steal medical information.

If the risk to the individuals is not as severe, those affected don’t need to be informed. For example, you accidentally deleted details but could not find them in your backup system.

You should decide the severity of the breach, but contact the Information Commissioner’s Office if you’re unsure. They’ll assess the case and tell you the follow-up steps to take.

Intelligent data management

With these considerations and principles, ensure you carry on helping people while protecting everyone along the way. Sensible data usage can help you avoid legal trouble or damage to your reputation.

Donations are likely to be a critical part of your organisation. Still, people won’t provide details or support to a charity they can’t trust. So make sure you keep GDPR in mind in every instance.

We’ll let you in on Countingup

Data should remain confidential, but accessible financial management shouldn’t be a secret. It’s easy to maintain bookkeeping conveniently with one app.

Countingup is a business account with built-in accounting software that can help simplify your finances. The app cash flow insights feature lets you keep track of the money that comes in or goes out of your business at any time.

Get started for free.

For more tips to help your organisation, see: