Data Protection and Charities

The General Data Protection Regulation (GDPR) is a new EU regulation. It aims to give people more control over their data and places various requirements on organisations and charities in how they use personal data.

The General Data Protection Regulation

GDPR covers how you use personal data. Personal data is anything that can be used to identify a person. Examples include:

  • Name
  • Email address
  • Date of birth or age
  • Gender
  • Address
  • IP address

It also covers "sensitive" personal data, which covers information such as ethnicity, religious beliefs, finances, and medical history.


Explicit consent must be given for an individual's data to be processed and for them to be communicated with (via phone, email, text and other electronic forms). It must be 'opt in' - so pre-ticked boxes don't count, and neither does silence - and should be verifiable.

'Right to be forgotten'

As someone's personal data belongs to them, they have the right to request that an organisation removes their personal data.


Consent must also be received if an organisation intends to use automated techniques to process an individual's data to inform decision-making or predict behaviour.


The regulations put the onus on the organisation to meet the standards - including when data is used by partners and contractors.

In certain situations, the appointment of a Data Protection Officer (DPO) is compulsory.


Organisations must also follow correct procedure for any data protection breaches - such as unauthorised disclosure of personal data.

Failure to notify a breach can result in a significant fine.


Charities are not exempt, in any way, from GDPR or any other data protection laws or regulation; that includes the fines for non-compliance or breaches.

Information and Advice for Charities

A new website, dealing specifically with the introduction of the General Data Protection Regulation and how it affects charities, is now available.  It also provides a downloadable Information Pack