Privacy Policies for Charity Fundraising in the UK | LegalDocuments.co.uk

We're not a law firm — we help you find the right legal support. For advice on your situation, speak to a legal adviser or find a solicitor.

Updated June 2026 · England & Wales
Donors give charities two things: their money and their personal details. Both deserve careful handling, and the way your charity treats donor data often shapes whether someone gives once or becomes a lifelong supporter. A privacy policy is where you set out, in plain terms, what happens to that information from the moment it lands in your CRM to the day it is deleted. For UK charities, getting this right is not optional. The UK GDPR and the Data Protection Act 2018 set the framework, the Information Commissioner's Office (ICO) regulates it, and the Fundraising Regulator's Code of Fundraising Practice layers further expectations on top. This page walks through what a privacy policy for charity fundraising should cover, the issues that trip charities up most often, and how to think about your own approach. If you would like to talk it through with someone before publishing or updating yours, you can book a call with one of our experienced legal advisers.

Overview

A privacy policy for charity fundraising is a public-facing notice that explains how your charity collects, uses, stores, shares, and deletes personal information relating to donors, supporters, beneficiaries, volunteers and anyone else whose data you handle in connection with raising funds. It is the document the ICO expects you to point people to when they want to understand what you are doing with their information, and it is the first place a curious donor will look if they have any concern about being added to a mailing list or receiving a phone call.

A good policy goes beyond a list of categories. It tells the reader, in language they can actually follow, why the charity holds their data, what lawful basis it relies on, who the data may be shared with (including processors such as fundraising platforms, mailing houses or analytics providers), how long it is kept, and what rights the individual has to access, correct, restrict or delete their information.

For charities running events, legacy campaigns, raffles or door-to-door collections, the policy should reflect each of those activities rather than treating fundraising as one undifferentiated activity.

Key steps

  1. Map the data you actually hold. Before drafting anything, list every category of personal data your charity collects through fundraising. That includes donor names, addresses, payment details, Gift Aid declarations, communication preferences, event registrations, legacy enquiries, and any profiling or wealth screening you carry out. You cannot describe what you do honestly until you know what you do.
  2. Identify your lawful basis for each activity. Under the UK GDPR you need a lawful basis for processing personal data, and the right one varies by activity. Processing a donation might rely on contract or legal obligation, sending marketing emails will usually rely on consent, and analysing donor history for fundraising may rely on legitimate interests subject to a documented balancing test.
  3. Draft in plain English, not legalese. The ICO is clear that privacy information must be concise, transparent and intelligible. Write as if you are explaining the policy to a longstanding supporter over a cup of tea. Use headings, short paragraphs and examples. Avoid lifting boilerplate from another charity's website without checking whether it actually reflects what you do.
  4. Address consent and PECR rules for marketing. The Privacy and Electronic Communications Regulations sit alongside data protection law and govern electronic marketing. Your policy should explain how supporters can opt in or out of email, SMS, telephone and postal communications, and reflect the Fundraising Preference Service. Make it genuinely easy for someone to change their mind at any time.
  5. Review, publish and keep it under review. Place the policy somewhere obvious on your website, link to it from donation forms, event sign-ups and email footers, and revisit it whenever you launch a new fundraising channel, change supplier, or adopt new technology such as AI-driven donor analytics. A privacy policy that has not been touched for three years is rarely accurate.

Common questions

Q: Does my charity legally need a privacy policy?
If your charity processes personal data, and almost every fundraising charity does, the UK GDPR requires you to provide clear privacy information to the people whose data you handle. A written privacy policy is the standard way of meeting that obligation. The ICO can take regulatory action where charities fail to be transparent, so treat it as a baseline requirement rather than a nice-to-have addition to your website.
Q: What is the difference between a privacy policy and a privacy notice?
The terms are often used interchangeably, but a privacy notice tends to refer to the information you give an individual at the point you collect their data, for example on a donation form. A privacy policy is usually the longer, comprehensive document on your website covering all processing activities. In practice, many charities maintain one main policy and shorter notices linked to specific forms or campaigns.
Q: Do we need separate consent for fundraising marketing?
In most cases, yes. Electronic marketing such as email and SMS to individual supporters generally requires opt-in consent under PECR, and the Fundraising Regulator expects charities to apply high standards even where the law might allow legitimate interests. Phone calls to numbers registered with the Telephone Preference Service or the Fundraising Preference Service have additional restrictions. Plan your consent capture carefully at the point of sign-up.
Q: How should we handle data shared with fundraising platforms?
When you use platforms such as JustGiving, Enthuse or similar services, you and the platform are usually each acting as separate or joint controllers depending on the arrangement. Your privacy policy should explain which third parties receive donor data, why, and link to their own privacy information where relevant. A written data sharing or processor agreement should be in place behind the scenes.
Q: How long can we keep donor information?
There is no fixed retention period in the legislation. You should keep personal data only for as long as necessary for the purposes you collected it, taking into account Gift Aid record-keeping requirements from HMRC, accounting obligations, and any ongoing supporter relationship. Your policy should set out indicative retention periods for the main categories of data and explain what triggers deletion.
Q: What rights do donors have over their data?
Individuals have rights under the UK GDPR including access, rectification, erasure, restriction, objection, and data portability, plus specific rights in relation to direct marketing. Your privacy policy must explain these rights and how someone can exercise them, usually by contacting your data protection lead. You generally have one calendar month to respond to a valid request, and you cannot charge a fee in most cases.
Q: Do small charities have to comply with the same rules as large ones?
Broadly, yes. The UK GDPR applies regardless of size, although some obligations such as the requirement to appoint a Data Protection Officer depend on the nature of your processing. Smaller charities may take a proportionate approach to documentation, but transparency to donors is non-negotiable. The ICO has guidance specifically aimed at small organisations, and the Fundraising Regulator's Code applies to charities of all sizes.
If you're dealing with this kind of situation, a call with an experienced legal adviser can help you work out the right next step — from £149.

Sources

This guide is based on primary UK law and official guidance.

Written & reviewed by Brad Askew, Solicitor (non-practising)

Brad is on the roll of solicitors of England & Wales but does not hold a practising certificate and does not provide legal advice. LegalDocuments.co.uk is not a law firm and does not provide regulated legal advice.

Legal disclaimer
This article is for general information only. It is a tool to help you find your way — not legal advice, and not a substitute for speaking to a qualified adviser about your situation.