Data Protection Policies for Charities: A Practical Guide | LegalDocuments.co.uk


Updated June 2026 · England & Wales
Charities sit on a surprising amount of personal information. Donor records, beneficiary case notes, volunteer applications, staff files, Gift Aid declarations, safeguarding disclosures: it all adds up, and much of it is sensitive. That data powers the work, but it also carries real responsibility under the UK GDPR and the Data Protection Act 2018. A written data protection policy is how a charity turns those legal duties into day-to-day practice. It tells trustees, staff and volunteers what the charity collects, why it holds it, how long it keeps it, and what happens if something goes wrong. On this page I've set out what a good policy covers, how to put one together, and the questions trustees typically ask me when they're getting started or reviewing what they already have.

Overview

A data protection policy is the charity's written statement of how personal information is handled from the moment it comes in to the moment it is securely destroyed. It is an internal document rather than a public-facing notice, although it sits alongside the privacy notice you show to supporters and service users.

The policy explains the lawful bases the charity relies on, who is responsible for compliance, how data subject rights are dealt with, and the controls the organisation uses to keep information safe. For most charities it also covers training, supplier due diligence, retention periods and breach reporting.

A well-drafted policy does three jobs at once. It evidences accountability to the Information Commissioner's Office, which is a core requirement of the UK GDPR. It gives trustees comfort that they are meeting their governance duties. And it gives the people who actually handle the data, often volunteers with no formal legal training, a plain-English reference they can use when they aren't sure what to do.

Key steps

  1. Map what personal data the charity actually holds. Before writing a policy, list every category of personal information the charity processes and where it sits. Include donor databases, CRM systems, mailing lists, HR files, volunteer records, beneficiary case notes, CCTV and anything held by third-party processors. Without this picture, the policy will be generic rather than useful.
  2. Identify your lawful basis for each processing activity. Under the UK GDPR you need a lawful basis for every use of personal data, and a separate condition if special category data is involved (for example health or safeguarding information). Charities commonly rely on consent, legitimate interests, legal obligation or contract. Record the reasoning for each, because the ICO expects to see this.
  3. Set retention periods and deletion routines. Decide how long each type of record is kept and why. Gift Aid records have tax-driven retention rules, employment files have their own timelines, and safeguarding records often need to be held much longer. Build a schedule into the policy so information isn't kept indefinitely by default, which is a common audit finding.
  4. Define roles, training and breach response. Name the person accountable for data protection (a DPO if required, or a trustee lead if not), set out expectations for staff and volunteer training, and write a clear breach procedure covering internal escalation and the 72-hour ICO notification window where the threshold is met. Keep a breach log even for incidents that aren't reportable.
  5. Review, approve and refresh the policy regularly. The policy should be formally adopted by the trustees, communicated to everyone who handles data, and reviewed at least annually or whenever systems, suppliers or activities change materially. Treat it as a living document; a policy that never changes is usually a policy nobody is reading.

Common questions

Q Does every charity legally need a written data protection policy?
There is no single line in the UK GDPR that says 'charities must have a policy document', but the accountability principle requires you to demonstrate compliance, and a written policy is the most practical way to do that. Larger charities, and any that process special category data or children's data at scale, will struggle to evidence accountability without one. For small charities, a proportionate written policy is still strongly expected by the ICO.
Q Do we need to appoint a Data Protection Officer?
A formal DPO is mandatory where the charity's core activities involve large-scale monitoring or large-scale processing of special category data. Many smaller charities fall outside the mandatory threshold. However, even without a statutory DPO, trustees should appoint a named person with clear responsibility for data protection, and the policy should record who that is and how they can be contacted.
Q How should we handle donor and supporter marketing under the rules?
Direct marketing to individuals is governed by both the UK GDPR and PECR, the Privacy and Electronic Communications Regulations. Electronic marketing to individual supporters generally needs consent, with limited exceptions. Postal fundraising often relies on legitimate interests but must still respect opt-outs and Fundraising Preference Service requests. Your policy should reference how consent is captured, recorded and withdrawn.
Q What counts as a reportable data breach for a charity?
A personal data breach must be reported to the ICO within 72 hours of the charity becoming aware of it, unless it is unlikely to result in a risk to people's rights and freedoms. A lost unencrypted USB containing beneficiary details would typically be reportable; a misaddressed internal email to a colleague might not be. Keep an internal log of every incident, reportable or not, with your decision reasoning.
Q How do we deal with a subject access request from a former beneficiary?
Individuals have the right to ask for a copy of the personal data a charity holds about them, and you generally have one calendar month to respond. The policy should set out who receives requests, how identity is verified, and how you handle information that involves third parties or confidential safeguarding records. Redactions may be needed, but blanket refusal is rarely justified.
Q Who is responsible if a volunteer mishandles personal data?
The charity, as data controller, remains accountable for how its volunteers handle information on its behalf. That is why training, written procedures and access controls matter. Trustees carry ultimate governance responsibility, and the ICO looks at the systems the charity had in place, not just the individual error. A policy that has been actively communicated and trained on is a genuine protection here.

Sources

This guide is based on primary UK law and official guidance.

Written & reviewed by

Brad Askew Solicitor (non-practising)

Brad is on the roll of solicitors of England & Wales but does not hold a practising certificate and does not provide legal advice. LegalDocuments.co.uk is not a law firm and does not provide regulated legal advice.

Legal disclaimer
This article is for general information only. It is a tool to help you find your way — not legal advice, and not a substitute for speaking to a qualified adviser about your situation.