Brad is on the roll of solicitors of England & Wales but does not hold a practising certificate and does not provide legal advice.
Updated June 2026 · England & Wales
Charities sit on a surprising amount of personal information. Donor records, volunteer files, safeguarding notes, beneficiary case histories, Gift Aid declarations, payroll data for staff: it all adds up, and much of it is sensitive. Handling this responsibly is not just good practice; under UK data protection law it is a legal duty.
One of the tools the law gives trustees and charity managers to meet that duty is the Data Protection Impact Assessment, or DPIA. A DPIA is a structured way of looking at a proposed activity before it starts, working out what could go wrong from a privacy point of view, and putting sensible safeguards in place.
This guide walks through when a DPIA is needed in a charity context, what it should contain, and how trustees can approach it without getting tangled in jargon.
Overview
A Data Protection Impact Assessment is a written exercise that helps an organisation identify and reduce privacy risks before personal data is processed in a new or changed way. The UK GDPR and the Data Protection Act 2018 both recognise DPIAs as a core part of the accountability framework that organisations are expected to follow.
For charities, a DPIA typically covers the nature of the processing, why it is being carried out, who is affected, what risks arise for those individuals, and what measures will be used to lower those risks to an acceptable level. It is not a tick-box form.
Done properly, it is a conversation on paper between the people designing a project and the people responsible for data protection. The output should give trustees confidence that a planned activity, whether that is rolling out a new CRM, sharing safeguarding information with partners, or launching a fundraising campaign using online profiling, has been thought through carefully. Where risks remain high after mitigation, the charity must consult the Information Commissioner's Office before going ahead.
Key steps
Identify whether a DPIA is needed. Start by screening the proposed activity against the triggers set out in UK GDPR and the ICO's published guidance. Look for things like large-scale processing of special category data, systematic monitoring, profiling that affects people significantly, or use of new technologies. If any of these apply, a DPIA is required, and even where it is not strictly mandatory, running one is often sensible for charities handling beneficiary information.
Describe the processing clearly. Write down, in plain language, what personal data will be collected, where it comes from, how it flows through the charity, who will have access, how long it will be kept, and where it will be stored. Include any third parties such as cloud providers, fundraising agencies, or delivery partners. A clear description is the foundation that everything else in the DPIA builds on.
Assess necessity and proportionality. Ask whether the processing is genuinely needed to achieve the charity's aims, whether there is a less intrusive way to reach the same outcome, and whether the lawful basis under Article 6 (and Article 9 if special category data is involved) is sound. Consider how individuals will be informed, how consent or legitimate interests will be documented, and how rights such as access and erasure will be handled.
Identify and evaluate the risks. Think through what could realistically go wrong and how serious the consequences would be for the people involved. Risks might include unauthorised access, accidental disclosure, data being kept too long, loss of control by individuals, or distress caused to vulnerable beneficiaries. Score each risk in terms of likelihood and impact so that the most pressing issues stand out and can be prioritised for action.
Decide on mitigations and sign off. For every significant risk, record what the charity will do to reduce it: encryption, access controls, staff training, contract clauses with processors, shorter retention periods, pseudonymisation, clearer privacy notices. The DPIA should then be reviewed by the Data Protection Officer (if one is appointed) and signed off by someone with authority, usually at trustee or senior management level. Keep it as a living document and revisit it if the project changes.
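As an added illustration, not part of this guide or its author's material, the screening and scoring steps above can be kept as a small risk register. The numeric scales, the "high risk" threshold and the sample risks are assumptions; the guide itself sets no scale.

```python
from dataclasses import dataclass, field

# Constructed 5-point scales and threshold (assumptions, not from the guide):
# the guide says to score likelihood and impact but fixes no numbers.
LIKELIHOOD = {"remote": 1, "unlikely": 2, "possible": 3, "likely": 4, "almost certain": 5}
IMPACT = {"minimal": 1, "minor": 2, "significant": 3, "severe": 4, "catastrophic": 5}
HIGH_RISK = 12  # assumed: a product of 12 or more on the 25-point grid is "high"

# Screening triggers listed in the guide's first step.
TRIGGERS = ("large_scale_special_category", "systematic_monitoring",
            "significant_profiling", "new_technology")

def dpia_required(activity: dict) -> bool:
    """Step 1: a DPIA is mandatory if any screening trigger applies."""
    return any(activity.get(t, False) for t in TRIGGERS)

@dataclass
class Risk:
    description: str
    likelihood: str                                # inherent, before safeguards
    impact: str
    measures: list = field(default_factory=list)   # e.g. "encryption", "access controls"
    residual_likelihood: str = ""                  # after safeguards; "" = unchanged
    residual_impact: str = ""

    def inherent(self) -> int:
        return LIKELIHOOD[self.likelihood] * IMPACT[self.impact]

    def residual(self) -> int:
        # With no mitigation recorded, residual risk equals inherent risk.
        like = self.residual_likelihood or self.likelihood
        imp = self.residual_impact or self.impact
        return LIKELIHOOD[like] * IMPACT[imp]

def prioritised(risks: list) -> list:
    """Step 4: the most pressing risks first (stable for equal scores)."""
    return sorted(risks, key=Risk.inherent, reverse=True)

def needs_prior_consultation(risks: list) -> list:
    """Step 5: risks still high after mitigation mean the ICO must be
    consulted before the processing starts (prior consultation)."""
    return [r for r in risks if r.residual() >= HIGH_RISK]

# Constructed sample register for a hypothetical new case-management system.
REGISTER = [
    Risk("Unauthorised staff access to safeguarding notes", "likely", "severe",
         ["role-based access", "audit logging"], "unlikely", "severe"),
    Risk("Beneficiary case histories kept indefinitely", "almost certain", "significant",
         ["retention schedule", "scheduled deletion"], "unlikely", "significant"),
    Risk("Re-identification of pseudonymised health data shared with a partner",
         "possible", "catastrophic"),   # no mitigation agreed yet
]
```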
Not every activity triggers the formal requirement, but every charity that processes personal data should have a process for deciding when one is needed. DPIAs become mandatory where processing is likely to result in a high risk to individuals, which often applies to charities working with children, vulnerable adults, health information, or large-scale donor profiling. Even outside those triggers, running a lighter-touch assessment is generally good governance.
Q: Who should lead the DPIA in a small charity?
In smaller charities without a dedicated Data Protection Officer, the responsibility often sits with a trustee or senior manager who has been given the data protection brief. They do not need to do all the work themselves; input from the people running the project, from IT, and sometimes from external advisers is important. What matters is that someone with enough authority owns the document and ensures its recommendations are actually put into practice.
Q: What counts as 'special category data' in a charity setting?
Special category data includes information about health, racial or ethnic origin, religious or philosophical beliefs, sexual orientation, trade union membership, genetic and biometric data, and political opinions. Charities working in areas like healthcare, faith, disability support, or advocacy frequently handle this kind of information. Processing it requires both a lawful basis under Article 6 and a separate condition under Article 9 of the UK GDPR, and a DPIA is far more likely to be needed.
Q: When must the ICO be consulted?
If a DPIA identifies a high residual risk that cannot be reduced through mitigations, the charity must consult the Information Commissioner's Office before starting the processing. This is known as prior consultation. In practice it is uncommon, because most risks can be brought down to acceptable levels through sensible safeguards, but trustees should know the route exists and not simply press ahead where serious concerns remain unresolved.
Q: How long should a DPIA take to complete?
It depends on the complexity of the activity. A straightforward project, say, moving volunteer records to a new database, might be documented in a few hours of focused work. A larger programme involving multiple data flows, third-party processors, and vulnerable beneficiaries can take several weeks, with input from different people across the charity. Starting early in the project lifecycle is far more efficient than trying to retrofit a DPIA after decisions have been made.
Q: Do DPIAs need to be published?
There is no general legal duty to publish them, and most charities keep DPIAs internal because they contain operational and sometimes sensitive detail. That said, publishing a summary, or at least being willing to share the headline findings with beneficiaries or funders, can strengthen trust and demonstrate accountability. The ICO encourages organisations to consider publication where it can be done without undermining security or confidentiality.
Q: What happens if a charity skips a required DPIA?
Failing to carry out a DPIA when one is required is itself a breach of UK GDPR and can lead to enforcement action by the ICO, including fines and formal reprimands. Perhaps more importantly for charities, a missing DPIA often signals weak governance around data, which can surface painfully if something goes wrong: a breach, a complaint, or a safeguarding incident. Doing the assessment properly protects both the people you serve and the charity itself.
Data protection decisions in a charity context often involve a mix of legal duties, safeguarding concerns, and practical resource limits, and the right answer is rarely obvious from guidance alone. An experienced legal adviser can talk through your situation on the phone and help you think through the next steps based on what you describe.
Written & reviewed by
Brad Askew, Solicitor (non-practising)
LegalDocuments.co.uk is not a law firm and does not provide regulated legal advice.
This article is for general information only. It is a tool to help you find your way — not legal advice, and not a substitute for speaking to a qualified adviser about your situation.