GDPR for Small Charities

This basic guide for small charities sets out what your charity needs to know about the General Data Protection Regulation (GDPR) 2018.


What is GDPR?

The General Data Protection Regulation, or GDPR, came into effect across the European Union in 2018. In the UK it was implemented through the Data Protection Act 2018 (DPA 2018), subsequently amended following the UK’s withdrawal from the EU. The current rules come together under the label of the UK GDPR. 

Charities, community groups and voluntary associations that operate inside the UK must comply with the DPA 2018. 

The EU GDPR may still apply to you if you operate in the European Economic Area (EEA), offer goods or services to individuals in the EEA, or monitor the behaviour of individuals in the EEA. 


Why does the UK GDPR matter? 

Any organisation in the UK that processes people’s personal data and/or special category data needs to know about the UK GDPR. This includes charities, voluntary organisations and community groups. 

Processing includes collecting, recording, storing, retrieving, analysing, using and deleting data.  

Your organisation may hold something as simple as a list of people who you send email updates to about your activities, or much more complex data on people who use your services, attend your events, make donations to you, volunteer with you and so on. If you have members of staff you will also have HR and payroll data.  

Charities, voluntary organisations and community groups are required to register as data controllers with the Information Commissioner’s Office (ICO). The ICO is the independent supervisory body regarding the UK’s data protection legislation. 

Personal data means information about a particular living individual. This might be someone who is a supporter or donor, someone who uses your organisation’s services, members of staff or volunteers (including trustees. Personal does not mean private.

Information which is public knowledge or is about someone’s professional life can be personal data. If you could still identify someone from the details, or by combining it with other information, it will still count as personal data. 

Special category data is personal data that needs more protection because it is sensitive. This includes data about a person’s racial or ethnic origin; political opinions; religious or philosophical beliefs; trade union membership; genetic data; biometric data (where used for identification purposes); health; sex life; and sexual orientation. 

There is additional legislation and guidance which covers the personal data of offenders or suspected offenders in the context of criminal activity, allegations, investigations, and proceedings. 

People trust organisations to keep their personal data safe and secure, and to only use it in line with the permission that has been given to that organisation.  

Being careless with personal data or using it inappropriately can be damaging to the person whose data is mishandled. In the most serious cases it could put them in danger of harm from others or expose them to being a victim of crime (either in person or digitally). 

As well as the risk to the individuals whose data you hold, failing to follow the UK GDPR can put your organisation at risk from: 

  • Reputational damage 
  • Operational damage – time and money spent on putting things right 
  • Financial damage – the ICO can issue a financial penalty for breaches of the UK GDPR. Penalties are intended to be effective, proportionate and dissuasive, and will be decided on a case by case basis. Regardless of the amount, this will take funds away from your core purpose. 


Who needs to know about the UK GDPR? 

Everyone in your organisation who comes into contact with personal data needs to understand the basics of data protection. People with more responsibilities for data need more knowledge on the law, how to keep data safe and secure, and what to do (and when) in the event of a data breach. 


Additional resources 

Information Commissioner's Office (ICO)

ICO's Data protection self-assessment toolkit

Make a complaint to ICO


CAF: Make sure your charity remains compliant (downloadable checklist)


Small Charity Guide to improving cyber security by NCSC


Have you seen our other CFG Guides for Small Charities? Head to Series 1 which includes guides on charity finance for trustees, banking and records management.