Governance is the part of running a charity that everyone agrees matters and nobody has time for. Trustees ask for a clear picture at each meeting and rarely get one. Someone knows the charity should have a record of what data it holds and why — but there’s no template, so it never gets written. Then a funder asks, or the ICO gets in touch, and a quiet task becomes an urgent one.
This guide won’t turn you into a compliance officer. It gives you the two things most small charities are missing: a board report trustees can actually use, and a plain-English way to get your data protection house in order.
Why good reporting protects everyone
A trustee is personally accountable for the charity, but can only govern what they can see. When the quarterly report is a different shape every time — sometimes a spreadsheet, sometimes a verbal update, sometimes nothing — trustees can’t spot a trend, a risk or a good decision waiting to be made. A consistent, two-page report isn’t bureaucracy; it’s the instrument trustees steer by, and the record that protects them if a decision is ever questioned.
The trick is restraint. Trustees read what is short. A report that fits on two pages and always covers the same headings — income, impact, finance, risk, decisions needed — will be read and acted on. A twelve-page pack will be skimmed in the car park.
What belongs in a board report
Keep it to six things: a headline summary a trustee could repeat afterwards; fundraising and income against the same period last year; programme impact told with one number and one story; the finance position and reserves; risk and compliance (Charity Commission filings, data protection, safeguarding); and — the part most reports forget — a clear list of the decisions you actually need trustees to make today. End with what’s coming next quarter.
Our Trustee & Compliance Pack includes a ready-to-fill version of exactly this, so you’re editing a template rather than inventing a format every three months.
The data protection job nobody starts
Under UK GDPR, your charity has to know what personal data it holds, why it’s allowed to hold it, and how long it keeps it. Most charities can’t answer those questions on paper — not because they’re doing anything wrong, but because nobody ever wrote it down. The good news: writing it down is most of the work.
A data asset register
List every category of personal data you hold — donor records, Gift Aid declarations, beneficiary case files, the mailing list — and for each, where it lives, who can access it, and whether any of it is “special category” data needing extra care. This register is the foundation of your privacy policy and the first thing anyone will ask to see.
A lawful basis for each use
For every way you use personal data, record the legal reason under UK GDPR. Sending a Gift Aid receipt is a legal obligation; a fundraising email needs consent; processing a donation is contract. You don’t need a lawyer to fill this in — you need to have thought about it once and written it down.
A retention schedule
Decide how long you keep each record type and what happens at the end. Gift Aid and financial records generally need six years; marketing consent lasts until it’s withdrawn; beneficiary files follow your safeguarding policy. Then actually delete things when their time is up — holding data “just in case” is itself a risk.
A place to log data requests
If a donor asks for a copy of their data, you have one month to respond. A simple log of who asked, what for, and when it’s due keeps you inside the deadline. Our companion GDPR for UK charities guide goes deeper on the legal detail.
Where good systems make this easy
Most of this pain is really a data problem in disguise. When donor records are scattered across spreadsheets, you can’t say who can access them, you can’t honour a deletion request cleanly, and you can’t prove consent. When the same records live in one charity management system, access is controlled, retention can be automated, and a data request is a search instead of an archaeology dig. Getting off spreadsheets — covered in our migration guide — is often the quiet cure for a compliance headache.
Start with the template, not the theory
Compliance feels overwhelming because it’s usually approached as a subject to study rather than a form to fill. Reverse that. Download the Trustee & Compliance Pack below — the board report template and the GDPR data-audit workbook — fill in what you already know, and the gaps that remain become your to-do list. It’s a practical starting point rather than legal advice, so check current ICO and Charity Commission guidance for your circumstances. When you want the systems that make governance automatic, talk to our team.
Trustee & Compliance Pack
A ready-to-fill board report plus a GDPR data-audit workbook — the governance paperwork trustees and the ICO expect. Free to download and use — no account, no email required.
- Two-page quarterly board report template (Word)
- Data asset register — what personal data you hold and who can see it
- Lawful basis record and retention schedule
- Subject access request (SAR) log with the one-month deadline


















