Skip to content
Definitive guide12 min read

Trustee reporting & charity compliance made simple

A practical guide for UK charities on clear board reports, GDPR data audits, lawful basis and retention — the governance paperwork trustees and the ICO expect.

Governance is the part of running a charity that everyone agrees matters and nobody has time for. Trustees ask for a clear picture at each meeting and rarely get one. Someone knows the charity should have a record of what data it holds and why — but there’s no template, so it never gets written. Then a funder asks, or the ICO gets in touch, and a quiet task becomes an urgent one.

This guide won’t turn you into a compliance officer. It gives you the two things most small charities are missing: a board report trustees can actually use, and a plain-English way to get your data protection house in order.

Why good reporting protects everyone

A trustee is personally accountable for the charity, but can only govern what they can see. When the quarterly report is a different shape every time — sometimes a spreadsheet, sometimes a verbal update, sometimes nothing — trustees can’t spot a trend, a risk or a good decision waiting to be made. A consistent, two-page report isn’t bureaucracy; it’s the instrument trustees steer by, and the record that protects them if a decision is ever questioned.

The trick is restraint. Trustees read what is short. A report that fits on two pages and always covers the same headings — income, impact, finance, risk, decisions needed — will be read and acted on. A twelve-page pack will be skimmed in the car park.

What belongs in a board report

Keep it to six things: a headline summary a trustee could repeat afterwards; fundraising and income against the same period last year; programme impact told with one number and one story; the finance position and reserves; risk and compliance (Charity Commission filings, data protection, safeguarding); and — the part most reports forget — a clear list of the decisions you actually need trustees to make today. End with what’s coming next quarter.

Our Trustee & Compliance Pack includes a ready-to-fill version of exactly this, so you’re editing a template rather than inventing a format every three months.

The data protection job nobody starts

Under UK GDPR, your charity has to know what personal data it holds, why it’s allowed to hold it, and how long it keeps it. Most charities can’t answer those questions on paper — not because they’re doing anything wrong, but because nobody ever wrote it down. The good news: writing it down is most of the work.

A data asset register

List every category of personal data you hold — donor records, Gift Aid declarations, beneficiary case files, the mailing list — and for each, where it lives, who can access it, and whether any of it is “special category” data needing extra care. This register is the foundation of your privacy policy and the first thing anyone will ask to see.

A lawful basis for each use

For every way you use personal data, record the legal reason under UK GDPR. Sending a Gift Aid receipt is a legal obligation; a fundraising email needs consent; processing a donation is contract. You don’t need a lawyer to fill this in — you need to have thought about it once and written it down.

A retention schedule

Decide how long you keep each record type and what happens at the end. Gift Aid and financial records generally need six years; marketing consent lasts until it’s withdrawn; beneficiary files follow your safeguarding policy. Then actually delete things when their time is up — holding data “just in case” is itself a risk.

A place to log data requests

If a donor asks for a copy of their data, you have one month to respond. A simple log of who asked, what for, and when it’s due keeps you inside the deadline. Our companion GDPR for UK charities guide goes deeper on the legal detail.

Where good systems make this easy

Most of this pain is really a data problem in disguise. When donor records are scattered across spreadsheets, you can’t say who can access them, you can’t honour a deletion request cleanly, and you can’t prove consent. When the same records live in one charity management system, access is controlled, retention can be automated, and a data request is a search instead of an archaeology dig. Getting off spreadsheets — covered in our migration guide — is often the quiet cure for a compliance headache.

Start with the template, not the theory

Compliance feels overwhelming because it’s usually approached as a subject to study rather than a form to fill. Reverse that. Download the Trustee & Compliance Pack below — the board report template and the GDPR data-audit workbook — fill in what you already know, and the gaps that remain become your to-do list. It’s a practical starting point rather than legal advice, so check current ICO and Charity Commission guidance for your circumstances. When you want the systems that make governance automatic, talk to our team.

Free toolkit

Trustee & Compliance Pack

A ready-to-fill board report plus a GDPR data-audit workbook — the governance paperwork trustees and the ICO expect. Free to download and use — no account, no email required.

  • Two-page quarterly board report template (Word)
  • Data asset register — what personal data you hold and who can see it
  • Lawful basis record and retention schedule
  • Subject access request (SAR) log with the one-month deadline

postmark · today

Have a project?
Drop us a postcard.

Tell us a little about what you're working on. We reply within one working day — no sales script on the other end.

to · the studio

Techno Serve Solutions

Birmingham · UK

Company No. 08655298

TS

CALM · 1ST CLASS

stamped

what happens next

  1. 01We reply within one working day.
  2. 02A 20-min intro call to learn the brief.
  3. 03A clear, fixed-price proposal in 5 days.
In good company

A quiet roster of 80+ teams.

Charities, mosques and non-profits — most longer than three years.

See the full roster →
Edhi Foundation UK
Alwahab Foundation
Care & Relief Foundation
Banbury Madni Masjid
Al-Baraka Welfare Trust
Hope Foundation
iHelp Global
Human Aid Foundation
Masjid-e-Hussain
Mufti Abdul Wahab
Ayitah Charity
Zobia Trust
Alauddin Siddique Trust
Blackburn UK Trust
Muslim Rose Welfare
Birmingham Quran Academy
As-Suffa Relief
Al Hira
Edhi Foundation UK
Alwahab Foundation
Care & Relief Foundation
Banbury Madni Masjid
Al-Baraka Welfare Trust
Hope Foundation
iHelp Global
Human Aid Foundation
Masjid-e-Hussain
Mufti Abdul Wahab
Ayitah Charity
Zobia Trust
Alauddin Siddique Trust
Blackburn UK Trust
Muslim Rose Welfare
Birmingham Quran Academy
As-Suffa Relief
Al Hira
Al Hira
As-Suffa Relief
Birmingham Quran Academy
Muslim Rose Welfare
Blackburn UK Trust
Alauddin Siddique Trust
Zobia Trust
Ayitah Charity
Mufti Abdul Wahab
Masjid-e-Hussain
Human Aid Foundation
iHelp Global
Hope Foundation
Al-Baraka Welfare Trust
Banbury Madni Masjid
Care & Relief Foundation
Alwahab Foundation
Edhi Foundation UK
Al Hira
As-Suffa Relief
Birmingham Quran Academy
Muslim Rose Welfare
Blackburn UK Trust
Alauddin Siddique Trust
Zobia Trust
Ayitah Charity
Mufti Abdul Wahab
Masjid-e-Hussain
Human Aid Foundation
iHelp Global
Hope Foundation
Al-Baraka Welfare Trust
Banbury Madni Masjid
Care & Relief Foundation
Alwahab Foundation
Edhi Foundation UK
Downloading now

Your toolkit is on its way.

Check your downloads folder. If you'd like a hand putting it to work — migrating your data, setting up Gift Aid, or anything else — leave your details and we'll reach out. Totally optional; the file is yours either way.