
GDPR for Charities: A Practical Guide to Handling Donor and Beneficiary Data
Written by
Published
Data protection law applies to charities the same way it applies to any organisation. What UK GDPR requires, the lawful bases you can rely on, when you can contact supporters without consent, and how to handle beneficiary data responsibly.
Data protection has a reputation among charities as a source of fear rather than a set of sensible rules. Teams worry they cannot email anyone, cannot keep records, and will be fined for a wrong step. The reality is calmer than that. UK GDPR is largely common sense written down: be clear about what data you hold and why, treat it with care, and respect the people it describes. This guide replaces the fear with a practical understanding of what the law actually asks.
What UK GDPR requires, in plain terms
UK GDPR governs how you handle personal data, meaning any information about an identifiable living person: donors, supporters, volunteers, staff and beneficiaries alike. It sets out principles that all come down to a few habits. Only collect what you need, be transparent about why, keep it accurate and secure, hold it no longer than necessary, and be able to show you are doing all of this.
That last point, accountability, is the one charities most often overlook. It is not enough to comply, you have to be able to demonstrate compliance: written policies, records of your decisions, and clear privacy information for the people whose data you hold. Compliance you cannot evidence is, from a regulator point of view, barely distinguishable from no compliance at all.
Lawful bases: the foundation of everything
You cannot process personal data just because you want to. You need a lawful basis for each purpose, chosen before you process and documented. There are six, and charities most commonly rely on three of them.
- Consent: the individual has clearly agreed. This suits electronic marketing and any sensitive processing, and it must be freely given, specific and easy to withdraw.
- Legitimate interests: you have a genuine reason to process that does not override the person rights. This can cover administration, some postal fundraising and internal analysis, but only after you have weighed the impact on the individual.
- Legal obligation: the law requires it, such as keeping Gift Aid records for HMRC or fulfilling employment duties.
The mistake to avoid is treating consent as the answer to everything. Consent is powerful but demanding, and for many routine activities legitimate interests is both lawful and more practical. Equally, do not stretch legitimate interests to cover things that really need consent, like most electronic marketing. Map each activity to the right basis rather than defaulting to one.
Consent is not the only lawful basis, and treating it as such makes charities more nervous and less compliant than they need to be. The skill is matching each activity to the right basis.
When you can contact supporters without consent
This is the question charities ask most, and the answer depends on the channel and the purpose, because two sets of rules interact: UK GDPR and PECR, the rules that specifically govern electronic marketing.
In broad terms:
- Electronic marketing to individuals, by email or text, usually needs consent. A limited soft opt-in can apply to existing supporters in narrow circumstances, but it is easy to get wrong, so treat consent as the safe default.
- Postal fundraising can often rely on legitimate interests, provided you have done the balancing exercise and offer an easy opt-out.
- Administrative contact, such as thanking a donor or administering their gift, is not marketing and generally relies on legitimate interests or the performance of your relationship with them.
Whatever basis you use, people always have the right to opt out of marketing, and you must make that easy and act on it promptly. A suppression that is not actioned is one of the fastest routes to a complaint that is upheld.
Beneficiary data deserves extra care
Charities hold data about the people they help, and this is often the most sensitive data in the organisation: information about health, financial hardship, immigration status, or other special category data that carries stronger protection under the law. The stakes if it leaks are far higher than for a supporter mailing list, yet it frequently receives less attention.
When handling beneficiary data, be especially deliberate about:
- Only collecting what you genuinely need to provide the service, not everything that might one day be useful.
- Identifying the correct lawful basis, and an additional condition where you process special category data.
- Restricting access to the staff and volunteers who actually need it.
- Being clear and honest with beneficiaries about what you hold and why, in language they can understand.
The guiding question is whether you would be comfortable explaining your handling of a beneficiary data to the beneficiary themselves. If not, that is where to focus.
The practical building blocks
Compliance is less about grand gestures and more about having a few things in place and keeping them current. The essentials for almost any charity are:
- A privacy notice that tells people, in plain language, what data you hold, why, on what basis, and what rights they have.
- A record of your processing activities and the lawful basis for each.
- A retention policy that sets how long you keep different data and when you delete it.
- A process for handling individual rights requests, including access and erasure, within the time limits.
- Basic security appropriate to the data, from access controls to a plan for what to do if there is a breach.
Getting the culture right
The charities that handle data well are not the ones with the thickest policies. They are the ones where staff and volunteers understand why it matters and treat supporter and beneficiary data as something entrusted to them rather than something they own. That means light, regular training rather than a one-off induction, someone with clear responsibility for data protection, and a culture where raising a concern is normal. Done that way, GDPR stops being a source of anxiety and becomes what it was designed to be: a way of keeping faith with the people who trust you with their information.
Related reading: Fundraising Compliance in 2026: A Guide to Regulation, Data Protection and Lawful Campaigns, Data Warehouse For Charities: When It Is Actually Worth It and The Fundraising Regulator Explained: What It Does and What It Expects From You.
Frequently asked questions
Can charities email supporters without consent?
Sometimes. For electronic marketing to individuals, the rules under PECR usually mean you need consent, though a limited soft opt-in can apply to existing supporters in narrow circumstances. For other processing, such as administering a donation or contacting a donor by post, you may rely on legitimate interests instead of consent. The right answer depends on the channel and the purpose, so map each one rather than assuming a single rule.
What lawful basis should a charity use?
It depends on the activity. Consent suits electronic marketing and sensitive processing. Legitimate interests can cover administration, some postal fundraising and internal analysis, provided you have weighed the impact on the individual. Legal obligation covers things like Gift Aid records. You must decide the basis before you process, document it, and be consistent, not pick one after the fact.
How long can a charity keep supporter data?
Only as long as you have a clear reason to. UK GDPR requires you to keep personal data no longer than necessary for the purpose you collected it, so you need a retention policy that says how long you hold different types of data and when you delete or anonymise it. Some records, such as Gift Aid declarations, have their own minimum retention periods set by HMRC.
Sources
External references used in this article. Links open on the original publisher’s site.
- ICO: Guide to the UK GDPRInformation Commissioner’s Office · Accessed 30 Jun 2026
- ICO: Guidance for charities on data protectionInformation Commissioner’s Office · Accessed 30 Jun 2026
- Fundraising Regulator: Personal information and fundraisingFundraising Regulator · Accessed 30 Jun 2026
You might also like:

A practical strategy method for small charity teams: set focus, choose trade-offs, and keep execution moving without long workshops or heavyweight frameworks.

What a trustees annual report must include, how to meet the requirements, and how to write one that supporters and funders actually read rather than file away.

A trustee-level walkthrough of UK charity VAT: business vs non-business activity, the main reliefs, irrecoverable VAT, and when a trading subsidiary is worth it.
