Data protection is not just a legal obligation for charities — it is a trust obligation. Donors hand over personal and financial information on the understanding that you will look after it. This definitive guide explains UK GDPR in plain English for charity trustees and operations teams. It is general guidance, not legal advice; for anything contentious, confirm with a qualified adviser or the Information Commissioner’s Office.
What GDPR means for a charity
UK GDPR and the Data Protection Act 2018 govern how you collect, store and use personal data. For a charity that means donor records, supporter contact details, Gift Aid declarations, volunteer data and beneficiary information all sit within scope. The core principle is simple: process the minimum data you need, for a clear purpose, securely, and only for as long as you genuinely need it.
Lawful basis for processing donor data
Every use of personal data needs a lawful basis. Charities most often rely on two.
Consent
Consent must be freely given, specific, informed and as easy to withdraw as it was to give. It is the right basis for marketing emails and SMS to supporters who have opted in.
Legitimate interests
Legitimate interests can cover administration, postal communications and some analysis — but it requires a documented balancing test weighing your interest against the supporter’s rights. Record that assessment; do not assume it.
Fundraising and the rules that bite
Fundraising adds a second layer on top of GDPR. The Privacy and Electronic Communications Regulations (PECR) govern electronic marketing, and the Fundraising Regulator’s code sets sector expectations. In practice: get clear opt-in consent for email and SMS marketing, honour the Fundraising Preference Service, and never assume a donation is permission to market.
Consent records and the right to object
You must be able to show when and how consent was captured, and supporters must be able to object or unsubscribe at any time. A CRM that stores consent against each contact — with a timestamp and source — turns this from a spreadsheet nightmare into an audit trail. Our charity management system keeps consent and communication preferences against every donor record by design.
Data retention — how long to keep donor records
Keep personal data only as long as you have a reason to. Two important exceptions for charities: Gift Aid records must be retained in line with HMRC rules so you can defend a claim under inspection, and financial records have their own statutory retention period. Write a retention schedule, set it inside your systems, and review it annually rather than keeping everything forever by default.
Subject access requests
A supporter can ask for a copy of the personal data you hold about them. You generally have one month to respond, free of charge. The practical test is whether you can find everything a person’s data touches — across your CRM, email platform and donation system — within that month. Centralising donor data makes this far easier.
Data security and breaches
Security is a GDPR requirement, not an extra. Use strong access controls, role-based permissions, encryption in transit, and reputable hosting. If a breach is likely to risk people’s rights, you must notify the ICO within 72 hours. Reliable hosting and maintenance with patching and backups is part of your compliance posture, not separate from it.
Working with software suppliers
When a supplier processes data on your behalf they are a data processor, and you need a written data processing agreement setting out what they can do, where data is hosted and how it is protected. Ask for it before you sign, not after a breach.
Practical next steps
Document your lawful basis for each use of data, capture and store consent with a timestamp, write a retention schedule that respects HMRC and financial rules, and confirm a data processing agreement with every supplier. For a deeper look at how Gift Aid records fit into all of this, read the UK charity Gift Aid complete guide. Take the GDPR quick-start with you below, or talk to our team about getting your systems compliant by design.
Trustee & Compliance Pack
A ready-to-fill board report plus a GDPR data-audit workbook — the governance paperwork trustees and the ICO expect. Free to download and use — no account, no email required.
- Two-page quarterly board report template (Word)
- Data asset register — what personal data you hold and who can see it
- Lawful basis record and retention schedule
- Subject access request (SAR) log with the one-month deadline


















