
Consent Records After GDPR: What Good Looks Like For Charities
Written by
Published
Eight years after GDPR landed, most UK charity consent records are messier than trustees realise. The fields a defensible record needs, the queries to spot the gaps, and the quarterly hygiene routine that keeps the database audit-ready.
It is eight years since GDPR took effect, and most UK charity consent records are still messier than trustees realise. The original implementation was usually done in a rush, the data has been migrated through one or two CRM upgrades, and quarterly hygiene rarely happens. The result is a database where the consent flag is present but the evidence behind it is not. This is the single most common compliance gap I find in CRM audits, and it is the easiest to close.
What an audit-ready consent record actually contains
A consent record that will stand up to ICO scrutiny needs more than a tick-box. The minimum field set:
- Legal basis (consent, legitimate interest, contract) for each processing activity.
- Consent date and time.
- Channel covered (email, SMS, postal, phone, social) with a separate flag per channel.
- Capture source: form ID, paper form reference, telephone call recording reference, or event name.
- Wording of the consent statement actually shown to the supporter at the moment of capture.
- Version of the privacy notice in effect on that date.
- Subsequent changes (withdrawal, channel update) with audit history retained.
Most CRMs support all of this natively, often via custom objects or extension packs. The work is rarely about adding fields; it is about populating them consistently.
The diagnostic queries: run these this afternoon
You can find most of the gaps in an afternoon with five queries against the supporter database. Adapt the field names to your CRM but the logic is the same.
Query 1: consents without a date
Count records where the consent flag is set but the consent date is null or set to an implausible default (e.g. 1900-01-01, the data import date). This usually catches migrated legacy records and is the most urgent gap to fix.
Query 2: consents without a capture source
Count records where the consent flag is set but the capture source field is null or set to a generic value like Unknown or Import. Without source provenance, the consent is unevidenced.
Query 3: consents without a statement wording reference
Count records where the consent flag is set but there is no reference to the actual statement the supporter agreed to. If you cannot reproduce the wording, you cannot defend the consent.
Query 4: channel inconsistencies
Count records where the supporter has a single overall consent flag but no per-channel breakdown, or where the per-channel flags contradict each other (e.g. email consent yes, but on a global do-not-contact list).
Query 5: withdrawals not propagated
Count records where a withdrawal has been logged but the contact is still in active marketing segments or has received marketing email in the last 90 days. This is the gap most likely to generate a complaint.
In a charity that has not run consent hygiene since GDPR launched, expect 20 to 50 percent of historic active records to fail one or more of these queries. That is normal; it is the starting baseline, not a panic moment.
Remediation: in priority order
Priority 1: withdrawals propagation
Fix the withdrawal-not-propagated gap first. Anyone who has asked you to stop and is still being contacted is a complaint waiting to happen and the most direct ICO risk. Tighten the workflow that updates segments on withdrawal and run a one-off cleanup pass.
Priority 2: re-consent or remove unevidenced records
For historic records with consent flag but no date or source, run a re-consent campaign. Send a clear, single-purpose email asking the supporter to confirm they want to keep hearing from you, with an unsubscribe link of equal prominence. Anyone who does not respond and does not interact within a defined window (typically 90 days) gets moved to a suppression list.
Priority 3: capture metadata going forward
Audit every consent capture form (web, paper, telephone scripts) and confirm it writes the full metadata set into the CRM. Most gaps come from custom-built donation forms or third-party event tools that send a Yes flag without the supporting context. Fix the integration once and the problem stops growing.
The quarterly hygiene routine
Once the historic records are cleaned, the ongoing job is small: a quarterly run of the five diagnostic queries, a brief report to the data protection lead, and any new gaps closed within the quarter.
- Schedule the queries to run automatically on the first day of each quarter.
- Set a four-week SLA for any new gap to be remediated.
- Include a one-page consent status summary in the trustee data protection update.
- Review consent statement wording annually against the latest ICO guidance.
Legal basis: pick deliberately, document explicitly
For fundraising email and SMS to individuals, consent under PECR is the safest default. Legitimate interest works for postal direct marketing and for corporate contacts where a documented balancing test exists. Service messages (transactional emails about a donation, an event booking, a Gift Aid update) fall outside marketing rules entirely.
Whichever basis applies, document the choice in writing in the charity records of processing activities (ROPA). The ROPA is the document the ICO will ask for if a complaint reaches them, and trustees should know it exists and is current.
The charities that come through an ICO complaint cleanly are not the ones with perfect records. They are the ones who can produce evidence: when, where, how and what the supporter agreed to. Build the record to that standard.
A short closing checklist for the data protection lead
- Run the five diagnostic queries today.
- Tag the top 20 percent of failures by impact (likely complaint risk).
- Get the propagation fix in this sprint, the re-consent campaign in the next quarter, and the capture metadata fix in the same quarter.
- Schedule the quarterly routine and a one-page trustee summary.
Consent records are unglamorous. They are also the single most evidenced compliance artefact a charity holds. Get them right and the marketing team can move faster with less risk, the ICO inbox stays empty, and the trustees can sign the annual data protection statement honestly.
Related reading: CRM Data Quality: The Monthly Routine, From Data to Dashboards in a Week and The Five-Minute CRM Health Check.
Frequently asked questions
What legal basis do most charities use for fundraising emails?
Most UK charities rely on consent (Article 6(1)(a)) for fundraising email to individuals because the Privacy and Electronic Communications Regulations (PECR) require consent for marketing email and SMS in almost all cases. Legitimate interests can apply to postal direct marketing and to corporate contacts, with documented balancing tests.
How long should consent records be kept after a donor lapses?
Charities should keep consent and basic supporter records as long as the relationship is reasonably active, then archive or delete. A common practice is to retain consent records for the duration of the supporter relationship plus seven years to meet Gift Aid and HMRC requirements, then delete unless there is a separate retention basis.
What fields should every consent record include?
At minimum: legal basis, consent date and time, consent statement wording, capture source (web form ID, paper form reference, telephone), channel covered (email, SMS, post, phone), and the version of the privacy notice in effect at the time. Without these fields a consent record will not stand up to ICO scrutiny.
What is the most common gap?
Historic records imported from legacy systems often have a consent flag but no capture source, no consent statement and no date. The ICO treats records without provenance as unevidenced consent. Run a query for consents with null capture metadata; this is usually the single biggest remediation job.
Sources
External references used in this article. Links open on the original publisher’s site.
- ICO: Guidance on consent under UK GDPRInformation Commissioner Office · Accessed 22 May 2026
- ICO: Direct marketing and PECRInformation Commissioner Office · Accessed 22 May 2026
- Fundraising Regulator: Code of Fundraising Practice - communications and consentFundraising Regulator · Accessed 22 May 2026
- CIoF: Data protection guidance for fundraisersChartered Institute of Fundraising · Accessed 22 May 2026
You might also like:

CRM strategy guide for UK charities to manage supporters who both donate and volunteer through joined-up data, communication rules, and dual-journey design.

A practical strategy method for small charity teams: set focus, choose trade-offs, and keep execution moving without long workshops or heavyweight frameworks.

A practical, repeatable process to turn scattered charity data into one decision-ready dashboard your senior team will use, without hiring a BI specialist.
