Charity GDPR compliance: What you need to know

Regardless of the industry you operate in, any UK or European organisation that processes people’s personal data needs to comply with the General Data Protection Regulation (GDPR), and this includes charities and non-profits. Note that ‘processing’ includes collecting, recording, storing, retrieving, analysing, using and deleting personal data.

As a charity, you’re probably storing data on donors, volunteers, service users, members of staff and so on, and you need to make sure you're managing the data of these stakeholders properly.

In this article we’re going to take a closer look at the subject of charity GDPR compliance, what your GDPR policy should cover, and provide a practical checklist.


Where GDPR risks arise for charities

The two primary data risks for charities are the same as for most organisations: an external data breach, or an inadvertent internal error that results in the accidental or unlawful loss, alteration, destruction or disclosure of personal data.

A number of factors can lead to these types of breaches. For example:

  • Insufficient or outdated cyber security software: the charity and non-profit sector often looks for opportunities to reduce costs wherever possible, but underinvesting in IT infrastructure and cyber security processes significantly increases the chance of a malicious data breach.
  • Lack of restrictions on who has access to data: if everyone in the organisation, or external parties, has easy access to personal data, the chance of an accidental data leak increases.
  • Lack of consent and usage rights management processes: charities that don’t put robust processes in place for managing consent and the usage rights of data are more likely to misuse personal data, or to retain it for longer than they have permission to.
  • No process for identifying and reporting breaches: organisations that have experienced a data breach have 72 hours to report it to the ICO, but if charities don’t have a process for identifying breaches in the first place, it’s going to be difficult to meet this regulatory requirement.

What a GDPR data protection policy should cover

A GDPR data protection policy is essential for any charity or non-profit organisation that handles personal data.

A data protection policy sets out how data is collected, processed, stored and protected while safeguarding individuals' rights. For a policy to be fully compliant with GDPR, it should cover eight key areas.

Data collection and processing

Charities must clearly define what personal data they collect, why they collect it, and how it will be used.

This section should outline the legal basis for processing data, such as consent, contractual necessity or legitimate interest. Transparency is crucial, with individuals being informed about data collection practices through clear and unambiguous privacy notices.

Data storage and security

A GDPR policy must specify how personal data is stored and protected, including the implementation of appropriate security measures, such as encryption, access controls and secure servers.

Charities should also have a process for regularly reviewing and updating security measures to protect against cyber threats and unauthorised access, whether that’s supported by an internal IT team or third-party cyber security provider.

Data subject rights

Under GDPR, individuals have specific rights over their personal data, including the right to access, edit, erase and restrict processing. Your policy should therefore outline how the people whose data you store and process can exercise these rights, providing clear procedures for responding to requests within the legally required timeframe.

Data sharing and third-party processors

If an organisation shares personal data with third parties, such as cloud storage providers or marketing agencies, the policy must explain how these relationships are managed. This includes ensuring that third-party processors are also complying with GDPR requirements through data processing agreements and adequate security measures.

Data retention and deletion

A GDPR policy should detail how long personal data is retained and the criteria used to decide what period of time is reasonable and appropriate.

The policy should also include procedures for securely deleting data when it is no longer needed, ensuring compliance with the principle of data minimisation.

Data breach response plan

Even with the best preventive measures in place, a data breach can still occur. If one does, organisations must act quickly to contain it, minimise potential harm and resolve the issue that led to the breach.

A GDPR policy should therefore outline how data breaches are detected, reported and investigated, and specify when and how affected individuals and regulatory authorities will be notified, in line with GDPR requirements.

Staff training and accountability

Employees and volunteers working for the charity play a key role in data protection, so training should be a core part of any GDPR policy.

Staff need to be educated on data protection principles, security protocols and how to handle personal data responsibly. The policy should also define who is ultimately responsible for ensuring compliance, whether that’s a dedicated Data Protection Officer (DPO) or someone with a different role in the organisation.

Regular policy review and updates

Finally, GDPR compliance is an ongoing process, so data protection policies must be reviewed and updated regularly. This ensures that any changes in legislation, business practices or technology are reflected in the policy, and makes it more likely that the charity stays compliant with the law while minimising the chances of a data breach.


A practical GDPR checklist for charity teams

Follow the checklist below, based on the EU’s own guidance, to help you secure your organisation, protect stakeholder data and avoid penalties for non-compliance.

  • Carry out a comprehensive audit to identify what information you process and who, within the charity, has access to it.
  • Ensure you have a legal justification for all of your data processing activities.
  • Clearly outline how you process data and under which legal justification you do so within your privacy policy.
  • Encrypt or anonymise personal data whenever possible.
  • Develop an internal security policy for all staff and volunteers, and provide training about data protection.
  • Put a process in place for conducting data protection impact assessments.
  • Put a process in place for notifying the ICO and data subjects in the event of a data breach.
  • Choose a dedicated employee (ideally not a volunteer) who is responsible for GDPR compliance, and if necessary a Data Protection Officer.
  • Ensure data processing agreements are in place between your organisation and any third parties that process personal data on your behalf.
  • Make it easy for service users, donors and subscribers to request and receive all the information you have about them.
  • Make it easy for those stakeholders to update inaccurate or incomplete information you hold on them.
  • Make it easy for those stakeholders to request that their personal data is deleted.
  • Make it easy for those stakeholders to request that you stop processing their data.

Protecting the data of stakeholders and ensuring the proper management of consent is essential for charitable organisations and non-profits, particularly those that operate in the UK or EU and fall under the remit of GDPR.

To find out more about how ResourceSpace is the ideal Digital Asset Management solution for charities, including how it supports digital rights management, get in touch with the team today. Alternatively, you can book a free product demo and see the relevant functionality in action.