Charity Privacy Notice UK: GDPR Guide for Trustees

We're not a law firm — we help you find the right legal support. For advice on your situation, speak to a legal adviser or find a solicitor.

Updated June 2026 · England & Wales
If your charity collects any personal information at all, from donors, volunteers, beneficiaries, staff or supporters, you need a privacy notice that explains what you do with it. This is not optional. The UK GDPR and the Data Protection Act 2018 both require charities to be open about how personal data flows through the organisation. Trustees sit at the top of that chain, which means the buck stops with you. A good privacy notice is more than a compliance box to tick. It sets the tone for how your charity treats the people who support its work, and it can be the difference between a minor enquiry from the ICO and a genuine problem. This page walks through what a charity privacy notice should cover, where trustees often get stuck, and how to approach the trickier areas with a clear head.

What this document is

A privacy notice is the public-facing statement that tells individuals how your charity handles their personal data. It usually sits on your website, but it also needs to be referenced anywhere you collect data, including donation forms, volunteer sign-ups, newsletter opt-ins, event registrations and employment applications.

For a charity, the notice typically explains who you are as a data controller, what categories of personal data you collect, why you collect it, the lawful basis you rely on, who you share it with, how long you keep it, and what rights individuals have to access, correct or delete their data. It should also describe how someone can make a subject access request and how they can complain to the Information Commissioner's Office if they are unhappy.

The notice needs to be written in plain language. Burying the detail in legalese tends to attract criticism from regulators and puts off the very people you want to build trust with. Charities often deal with particularly sensitive information, so getting the notice right matters more here than in many commercial contexts.

How to use this document

  1. Map your data first. Before you write anything, list every category of personal data your charity holds and where it comes from. Donors, gift aid records, volunteers, beneficiaries, staff, trustees, event attendees and mailing lists all need to be accounted for. You cannot describe what you do with data if you do not know what you have.
  2. Identify your lawful basis for each activity. Under the UK GDPR you need a lawful basis for every processing activity. Charities commonly rely on consent, legitimate interests, legal obligation or, for some beneficiary work, vital interests. Getting this wrong is one of the most frequent mistakes, so think carefully about which basis fits each purpose.
  3. Address special category and sensitive data. If your charity processes health information, religious beliefs, ethnicity data, or information about criminal convictions, you need additional safeguards and a specific condition for processing. Children's data also carries extra responsibilities. Where this applies, the notice must deal with it explicitly rather than in general terms.
  4. Explain sharing, storage and retention. Be honest about who you share data with, whether that is a fundraising platform, a CRM provider, a professional adviser or a statutory body. If any of your providers store data outside the UK or EEA, you need appropriate transfer mechanisms in place and your notice must say so.
  5. Publish, review and keep it current. A privacy notice is a living document. Review it at least annually, and whenever you change systems, add new services, or start a new type of fundraising. Trustees should sign off material changes, and the updated version needs to be easy for people to find on your website.

Common questions

Q: Does every UK charity need a privacy notice?

In practical terms, yes. If your charity processes any personal data, and almost all do, the UK GDPR requires you to give individuals clear information about that processing. This applies whether you are a small community group or a large registered charity. The scale of your notice will reflect the scale of your activities, but the obligation itself does not disappear for smaller organisations.

Q: Who is responsible for the privacy notice within a charity?

Ultimate responsibility rests with the trustees, because they are accountable for the charity's legal compliance. Day-to-day drafting is often handled by a manager, data protection lead or DPO where one is appointed. Trustees should still review and approve the notice, ask questions about how it reflects actual practice, and make sure it is kept up to date rather than filed and forgotten.

Q: What is the difference between a privacy notice and a privacy policy?

The terms are often used interchangeably, but strictly speaking a privacy notice is the external statement given to data subjects, while a privacy policy is an internal document that sets out how staff and volunteers should handle personal data. Most charities need both. The public notice tells people what you do with their data, and the internal policy tells your team how to deliver on that promise.

Q: Do we need a separate notice for donors, volunteers and beneficiaries?

Not necessarily. Many charities use a single layered notice that addresses each group in its own section. Others prefer separate notices where the processing is very different, for example between a general supporter and someone receiving services. What matters is that each group gets clear, relevant information about how their data is handled, rather than a one-size-fits-all paragraph.

Q: What happens if a charity does not have a compliant privacy notice?

The Information Commissioner's Office can investigate complaints, require changes, and in serious cases impose financial penalties. Beyond regulatory risk, a missing or poor notice can damage donor trust and volunteer confidence, which for a charity can be just as costly. Most enforcement action starts with a complaint from an individual, so prevention is considerably cheaper than cure.

Q: How often should a charity privacy notice be updated?

Review it at least once a year as standard, and straight away whenever something material changes. That might include a new fundraising platform, a change of CRM, new types of services, a merger with another charity, or a change in how you share data with partners. Keep a record of when the notice was last reviewed and what was changed.

Q: Can we just copy another charity's privacy notice?

It is almost never a good idea. Another charity's notice reflects their data flows, their suppliers, their lawful bases and their activities, not yours. Copying it risks describing processing you do not actually do, or missing processing you do. Use other notices for inspiration by all means, but the final document has to be built around how your own charity operates.
Sources

This guide is based on primary UK law and official guidance.

Written & reviewed by Brad Askew, Solicitor (non-practising)

Brad is on the roll of solicitors of England & Wales but does not hold a practising certificate and does not provide legal advice. LegalDocuments.co.uk is not a law firm and does not provide regulated legal advice.

Legal disclaimer
This article is for general information only. It is a tool to help you find your way — not legal advice, and not a substitute for speaking to a qualified adviser about your situation.