GDPR for small charities - data protection guide

GDPR small charities

The legislation on data protection and e-privacy was shaken up on 25 May 2018. In this post, we set out the key requirements relevant to the marketing activities of UK charities and voluntary organisations so that you can be confident you are in full compliance.  

Introducing the GDPR and ePrivacy Regulation

Data protection legislation that applies to charities and voluntary organisations is based on two EU regulations: 

  • The General Data Protection Regulation (GDPR), which came into force in the UK from 25 May 2018 and lays out general rules about data protection. 
  • The proposed new ePrivacy Regulation, which will set out specific rules applicable to digital systems and cover things like cookie notices

The GDPR contains no exemptions for charities or voluntary organisations. 

Why charities and voluntary organisations should care

You should care for two reasons:

  • First the carrot: the legislation contains sensible provisions to make life better for consumers. By ensuring compliance you should also be improving the quality of experience that people have when they engage with your charity. 
  • Second the stick: there are substantial fines for non-compliance.

What do I need to know?

As a charity marketer, you don’t need to know everything about the legislation but you need to be aware of certain key points. 

Principle-based not rule-based

The old Data Protection Act 1998 was a principle-based legal structure and the GDPR continues that approach. This means that rather than a set of rigid rules, the law gives broad principles that will be applied differently by different organisations depending on their circumstances. 

Here are the six data protection principles contained in the GDPR:

  • Lawfulness, fairness and transparency
  • Purpose limitations
  • Data minimisation
  • Accuracy
  • Storage limitations
  • Integrity and confidentiality

Many of these GDPR principles are similar to the preceding data protection principles but we’ll discuss below some key data protection changes. We have a post and free template explaining what to include in your Data Protection Policy.

To process data you need a ‘lawful basis’ 

The GDPR sets out six lawful bases for processing personal data:        

  • Consent - the individual has given clear consent for you to process their personal data for a specific purpose. More on that in the next section.
  • Contract - the processing is necessary for a contract you have with the individual, or because they have asked you to take specific steps before entering into a contract.
  • Legal obligation - the processing is necessary for you to comply with the law.
  • Vital interests - the processing is necessary to protect someone’s life.
  • Public task - the processing is necessary for you to perform a task in the public interest or for your official functions, and the task or function has a clear basis in law.
  • Legitimate interests - the processing is necessary for your legitimate interests or the legitimate interests of a third party unless there is a good reason to protect the individual’s personal data which overrides those legitimate interests.

GDPR - the biggest change is consent

Much of the data processed by charities will be covered by the 'legitimate interests' basis and in those cases, no consent is needed. But most marketing activity done by charities will rely on consent as its lawful basis.

Consent means offering people genuine choice and control over how you use their data and the new rules are much clearer about exactly what this means. 

Under GDPR, consent must be:

  • Unbundled - separate from general terms and conditions
  • Active opt-in - no pre-ticked boxes
  • Named - clear who is given consent; not just ‘third parties’
  • Documented - records are kept of the consent)
  • Easy to withdraw 

The GDPR also introduces special considerations to make privacy information clear when targeting children.

ePrivacy Regulation - changes to cookie compliance

The new ePrivacy Regulation is still in development but it looks likely that it will enhance restrictions on anonymously tracking user behaviour online (often done through ‘cookies’). The current law on cookie consent is unsatisfying, leading many websites to adopt pop-ups telling users they are being tracked but offering them no alternative other than not using the website. In line with the general principle of active opt-in for consent contained in GDPR, the new ePrivacy regulations are likely to force websites to offer users a genuine choice about whether or not their usage is tracked while they browse. A new 'best practice' is, therefore, emerging ahead of changes to the ePrivacy Regulation. For example, rather than an invasive pop-up that offers no choice, websites built on the White Fuse platform allow users to either accept or decline cookies that track their website usage. 

How does GDPR affect my charity?

Collecting supporter information

When you collect supporter information on your website you must give the supporter a clear option about whether or not they give consent for their data to be processed and for what purposes. If you don’t get consent at this point, through a clear opt-in, then you don’t have permission to use that data. For example, on a donation form, you will need an unchecked checkbox asking whether the donor would like to receive updates. On newsletter subscription forms you’ll need to explain clearly what the subscriber will receive. 

Storing supporter information

Storing information securely is already important and will only become more so. GDPR requires you to keep records demonstrating that your supporters have actively opted in. This means that across all the systems in which you store personal data you need to also be storing communication preferences and be able to associate those preferences with the communication through which the supporter actively opted-in. This will require a new level of integration and data management for many small charities.

A simple solution to this will be to store a note on the person’s record in your CRM or database referencing the way they signed up and how they opted in. However, you will also need a robust system for managing changes in preferences when requested by supporters. Many email marketing systems offer these as standard, though bringing that data back to your database can be difficult. A manual approach would be to run monthly reports from your email marketing software listing who has unsubscribed. Users of the White Fuse platform can manage everything in one place: consent collection on donations and enquiries, secure data storage and sending email campaigns. 

Communicating with supporters

When you send communications to supporters you will need to be confident that they have opted-in to the particular type of communication you are about to send. Knowing this relies on robust integration between all the systems you use, as mentioned in the last section. You must also be confident that you are giving your supporters a simple way to opt out of communications. For email newsletters, this should come in the form of an ‘unsubscribe’ or ‘manage preferences’ link at the bottom of the email. 

Existing supporters

GDPR applies to historical data, not just data that has been collected after GDPR came into force. Depending on the quality of your existing systems and the way you collected data in the past, this means you may have to pro-actively contact your existing supporters to ensure that they have actively opted-in to your charity communications. 

Do I need a Data Protection Officer?

You already need to have someone in your charity responsible for data protection and the GDPR does not change that. However, it does introduce a new more formal role called a Data Protection Officer (DPO). This role is unlikely to be required in most small charities. A DPO must be appointed if you:

  • are a public authority;
  • carry out large-scale systematic monitoring of individuals (for example, online behaviour tracking); or
  • carry out large-scale processing of special categories of data or data relating to criminal convictions and offences.

Tracking website usage

The new ePrivacy Regulation (still to be finalised) may make it harder to track website usage through systems like Google Analytics. The reality is that many small charities do not have the resources to make the most of tools like Google Analytics anyway. But for those that do, this new legislation will raise the bar and investment is likely to be needed to allow users an active choice between browsing with tracking and browsing without. It will no longer suffice to offer them the choice of accepting tracking or leaving the website. For more details on this, read our post on cookie notices.

GDPR small charities compliance summary

  • Written policy - Adopt a written policy in which you document your approach to data protection in your charity.
  • Specify management responsibility - assign someone responsibility for charity data protection and document this in your written policy.
  • Staff training - regularly offer staff training on practical data protection issues like clearing out old information, keeping their access passwords secure, etc. 
  • Registration with ICO - register your charity with ICO as an organisation that processes personal data.
  • Privacy notices - make your privacy policy clear on your website and all the forms through which you collect personal data.
  • Responding to requests - adopt a written policy to deal with requests individuals may make to access their personal data or have it removed from your systems.
  • Appropriate collection - audit your systems to ensure the data you collect is (a) the minimum data for legitimate business need and (b) kept up-to-date.
  • Appropriate disposal - include within your written policy details about how you will ensure that unused and out-of-date data will be safely disposed of.
  • Security - include within your written policy the steps you have taken and will take to ensure the systems you use to process data are secure.
  • Outsourcing - you are responsible for data processed on your behalf by a third party so check that their processing is also compliant.

More data protection resources for charity and voluntary organisations

Charities and voluntary organisations have a wide range of relationships with people and so inevitably end up collecting and storing a range of personal data. We have created a number of resources to help charities and voluntary organisations deal with their data protection responsibilities effectively.

Data protection policyData Protection Policy template

This post explains the role of the Data Protection Policy as an internal document that explains how your organisation protects data and ensures compliance with your legal obligations in this area. The post and template provide a simple framework for carrying out this exercise thoroughly but efficiently.

Get the Data Protection Policy template

Privacy policyPrivacy Policy template

This post discusses privacy notices and how they relate to your privacy policy. This post will help you adopt a comprehensive approach that is also short and easy for your audience to read and understand. One key objective of the GDPR was to make privacy notices more accessible.

Get the Privacy Policy template

Cookie lawCookie consent and cookie notices

A ‘cookie’ consists of information downloaded on to your computer when you visit a website. Cookies are widely used and can do a number of things, such as remembering your preferences, recording what you have put in your shopping basket, and counting the number of people looking at a website. This post explains, in plain language, what you need to consider as a charity or voluntary organisation in relation to the data your website holds through cookies. 

Learn more about cookies

Website securityWebsite security

As well as giving people information about how you will process their data, you also need to hold it securely. This post covers what you can do to ensure your website is as secure as possible and to avoid having your website hacked. 

Avoid hacking and increase website security

Website legal requirementsGeneral website legal requirements

Alongside data protection, there are a bunch of other legal issues that charities and voluntary organisations should consider. This post gives an overview covering topics such as company information and fundraising best practice. 

Get an overview of legal requirements


16 August 2017
Andy Pearson