What Is UK GDPR for Charities? A Plain-English Guide
A plain-English guide to UK GDPR for charities — covering the 7 principles, lawful bases including legitimate interests and consent, special category data, data retention, and ICO guidance.
TL;DR: UK GDPR — brought into UK law by the Data Protection Act 2018 — applies to every charity that processes personal data, regardless of size. It is built around seven principles, six lawful bases for processing, and specific rules for sensitive data. Charitable status provides no exemption. The Information Commissioner's Office (ICO) is the UK regulator and publishes detailed guidance written specifically for the voluntary sector.
What Is UK GDPR and How Does It Apply to Charities?
UK GDPR is the UK's retained version of the EU General Data Protection Regulation, kept in domestic law when the United Kingdom left the European Union and amended so that it works as UK legislation. It sits alongside the Data Protection Act 2018 (DPA 2018), and the two instruments together form the UK data protection framework: UK GDPR sets the overarching rules, while the DPA 2018 supplements and tailors them with UK-specific provisions, including the additional conditions for processing special category data and criminal offence data set out in Schedule 1.
For charities, UK GDPR applies whenever the organisation processes personal data about any living individual — which in practice means almost everything a charity does. Donor records, beneficiary case notes, volunteer details, employee files, grant applicant information, and mailing lists are all personal data. Processing includes collecting, storing, accessing, sharing, and deleting that data. There is no exemption from UK GDPR for charities, small organisations, or non-commercial bodies. However, certain processing activities carried out by charities — such as maintaining membership records or processing data exclusively for members' activities — may qualify for exemptions from paying the ICO's data protection fee, which is a separate administrative requirement.
Charities must pay the data protection fee and register with the ICO unless an exemption applies. As of May 2024, more than 1.18 million organisations had completed the ICO's registration process — a 160% increase since the original GDPR came into force in 2018, reflecting how broadly data protection obligations now reach across the economy (PublicTechnology, 2024).
The Seven Principles of UK GDPR
Article 5 of UK GDPR establishes seven data protection principles. Every charity's data handling must be consistent with all of them.
- Lawfulness, fairness and transparency — Personal data must be processed on a valid legal basis, in a way individuals would expect, and with clear privacy information provided to them.
- Purpose limitation — Data collected for one purpose must not be used for a different, incompatible purpose without a new legal basis.
- Data minimisation — Only collect and hold the data that is actually necessary for the stated purpose.
- Accuracy — Personal data must be kept accurate and up to date. Inaccurate data should be corrected or deleted promptly.
- Storage limitation — Data should not be held for longer than necessary. Retention periods should be defined and enforced.
- Integrity and confidentiality — Data must be protected against unauthorised access, loss, or damage through appropriate technical and organisational security measures.
- Accountability — The organisation is responsible for demonstrating compliance with all six other principles. This means maintaining records, policies, training logs, and documentation.
The accountability principle is particularly significant for charities because it requires proactive evidence of compliance — not merely passive avoidance of breaches.
Lawful Bases for Processing: What Charities Need to Know
Before processing any personal data, a charity must identify a lawful basis under Article 6 of UK GDPR. There are six available bases, and charities most commonly rely on four of them.
Consent is freely given, specific, informed, and unambiguous agreement to processing. For charities, consent is the appropriate basis for most direct marketing communications — for instance, sending fundraising emails to supporters who have actively opted in. Consent must be as easy to withdraw as to give, and records of consent must be maintained. Consent is not the most appropriate basis for processing that is necessary to deliver services, because individuals should not feel they have to agree as a condition of receiving support.
Legitimate interests is the most flexible lawful basis and is frequently the most appropriate for charities processing data as part of their day-to-day operations — for example, maintaining records of service users, conducting outreach to former beneficiaries, or sharing data with partner organisations for service delivery purposes. To rely on legitimate interests, the charity must carry out a three-part Legitimate Interests Assessment (LIA): establishing that there is a genuine legitimate interest, that the processing is necessary for that purpose, and that the individual's interests and rights do not override the charity's interest. The LIA must be documented before processing begins. The Chartered Institute of Fundraising and the Fundraising Regulator have both published sector-specific guidance on applying legitimate interests in a charity context (ICO, Legitimate Interests).
Contract applies where processing is necessary to perform a contract with the individual — for example, an employment contract with a staff member, or an agreement with a volunteer.
Legal obligation applies where processing is required by law — for example, maintaining payroll records, complying with safeguarding duties, or responding to a statutory referral.
Vital interests and public task are less commonly used in the charity sector, though vital interests can be relevant in safeguarding emergencies where someone's life is at risk.
Important development as of February 2026: The Data Use and Access Act 2025 introduced a charitable "soft opt-in" for electronic marketing, in force from 5 February 2026. This allows charities to send marketing emails to individuals whose data was collected when they supported or expressed interest in the charity's purposes — unless those individuals object. This creates a new route for re-engagement communications that sits alongside (and does not replace) consent-based marketing (Bates Wells, 2026).
According to the UK government's Cyber Security Breaches Survey 2025, 30% of charities experienced a cyber security breach or attack in the preceding 12 months, with phishing accounting for 86% of attacks among those affected (DSIT / Home Office, 2025). The integrity and confidentiality principle requires charities to protect personal data against exactly these threats.
Special Category Data, Retention, and ICO Guidance
Special Category Data
Some categories of personal data carry a higher level of sensitivity and require both a standard lawful basis under Article 6 and an additional condition under Article 9 of UK GDPR, or Schedule 1 of the DPA 2018. Special category data includes:
- health and medical information, including mental health
- racial or ethnic origin
- religious or philosophical beliefs
- sexual orientation or sex life
- political opinions
- trade union membership
- genetic data, and biometric data used to uniquely identify someone
Charities working with vulnerable groups — homeless people, people in recovery, refugees, victims of domestic abuse — will almost certainly process special category data as a matter of course. The Article 9 conditions, and the DPA 2018 Schedule 1 conditions that expand on them, most commonly relevant to charities are:
- Explicit consent (Article 9(2)(a)) — a higher standard than ordinary consent, requiring a clear statement of agreement to the specific processing.
- Safeguarding of children and individuals at risk (Schedule 1, paragraph 18) — permits processing without consent where it is necessary to protect a child, or an adult at risk, from neglect or harm, and consent cannot be given, cannot reasonably be obtained, or seeking it would prejudice the protection of that person.
- Not-for-profit bodies (Article 9(2)(d)) — permits processing, with appropriate safeguards, by a not-for-profit body with a political, philosophical, religious or trade union aim, in the course of its legitimate activities, where the processing relates only to members, former members, or people in regular contact with the body in connection with its purposes, and the data are not disclosed outside the body without the individuals' consent. A charity that does not have one of those aims cannot rely on this condition.
Most Schedule 1 conditions, including the safeguarding condition in paragraph 18, also require an Appropriate Policy Document: a written document setting out the conditions relied upon, how compliance with the principles is maintained, and the retention and deletion policy for that category of data.
For charities using case management systems to record beneficiary information, it is important that the system supports appropriate access controls, audit logging, and retention management — particularly where special category data is involved.
Data Retention
The storage limitation principle requires charities to define and enforce retention periods for all personal data. There is no single prescribed retention period under UK GDPR — it depends on the purpose of processing, applicable legal obligations, and sector norms. Charities should maintain a retention schedule that sets out, for each category of data, how long it will be kept and why.
Common reference points for charity retention include:
- Employment records: Typically 6 years after employment ends, to cover potential employment tribunal claims.
- Financial and grant records: Typically 7 years, reflecting HMRC requirements and audit obligations.
- Beneficiary and service user records: Depends on the nature of the service; statutory guidance for children's services requires records to be retained until the individual's 25th birthday, or 26th if they were 17 at the end of a referral — whichever is later.
- Fundraising records: Donor consent records should be kept for the duration of reliance on consent plus a reasonable period thereafter.
Data that has passed its retention period should be securely deleted or anonymised. Anonymised data — where re-identification is not reasonably possible — falls outside the scope of UK GDPR entirely.
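The retention schedule above is only useful if something actually applies it to the register. The following is an added example, not code from the original page or from Plinth, showing how the reference periods quoted here can be encoded and run over a record register to produce a disposal list. The category names, the one-year grace period for consent records, the rule that special category records are deleted rather than anonymised, and the sample register are all assumptions made for the example; a real charity's periods must come from its own documented schedule.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Fixed periods in years from the trigger event, taken from the reference
# points in the text. They are sector norms, not statutory rules (assumption).
FIXED_PERIODS = {
    "employment": 6,   # clock starts when employment ends
    "financial": 7,    # clock starts at the transaction or year end
}
CONSENT_GRACE_YEARS = 1   # assumed "reasonable period" after reliance on consent ends
REVIEW_DATE = date(2026, 2, 21)   # date the register is reviewed (constructed)


@dataclass
class Record:
    record_id: str
    category: str                           # employment | financial | child_service | consent
    trigger_date: date                      # leaving date, transaction date, end of referral, end of reliance
    date_of_birth: Optional[date] = None    # required for child_service
    special_category: bool = False          # e.g. health or safeguarding case notes


def add_years(d: date, years: int) -> date:
    """Add whole years; 29 February rolls back to 28 February in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def age_on(dob: date, on: date) -> int:
    """Completed years of age on a given date."""
    years = on.year - dob.year
    if (on.month, on.day) < (dob.month, dob.day):
        years -= 1
    return years


def retention_end(rec: Record) -> date:
    """Last day the record may be held under the schedule above."""
    if rec.category in FIXED_PERIODS:
        return add_years(rec.trigger_date, FIXED_PERIODS[rec.category])
    if rec.category == "consent":
        return add_years(rec.trigger_date, CONSENT_GRACE_YEARS)
    if rec.category == "child_service":
        if rec.date_of_birth is None:
            raise ValueError(f"{rec.record_id}: child_service record needs date_of_birth")
        age_at_close = age_on(rec.date_of_birth, rec.trigger_date)
        if age_at_close >= 18:
            # The 25th/26th-birthday rule is for children's records; an adult
            # service user's record needs a separate, documented rule.
            raise ValueError(f"{rec.record_id}: aged {age_at_close} at end of referral, not a children's record")
        # Keep to the 25th birthday, or the 26th if they were 17 when the referral ended
        return add_years(rec.date_of_birth, 26 if age_at_close == 17 else 25)
    raise ValueError(f"{rec.record_id}: no retention rule for category {rec.category!r}")


def review_register(records, today: date) -> dict:
    """Sort a register into disposal actions plus records the schedule cannot decide.

    Returns {"delete": [...], "anonymise": [...], "retain": [...], "needs_review": [...]}.
    Special category records are deleted rather than anonymised (assumption: case
    notes are hard to anonymise reliably). Records with no applicable rule are
    surfaced for a human decision rather than silently kept.
    """
    result = {"delete": [], "anonymise": [], "retain": [], "needs_review": []}
    for rec in records:
        try:
            end = retention_end(rec)
        except ValueError as exc:
            result["needs_review"].append((rec.record_id, str(exc)))
            continue
        if end >= today:
            result["retain"].append(rec.record_id)
        elif rec.special_category:
            result["delete"].append(rec.record_id)
        else:
            result["anonymise"].append(rec.record_id)
    return result


# Constructed sample register; not real people or real dates.
SAMPLE = [
    Record("emp-1", "employment", date(2019, 3, 31)),
    Record("fin-1", "financial", date(2019, 3, 31)),
    Record("child-1", "child_service", date(2018, 9, 1), date_of_birth=date(2001, 6, 15), special_category=True),
    Record("child-2", "child_service", date(2015, 5, 5), date_of_birth=date(2000, 1, 10), special_category=True),
    Record("adult-1", "child_service", date(2020, 1, 1), date_of_birth=date(2000, 1, 1), special_category=True),
    Record("leap-1", "employment", date(2020, 2, 29)),
    Record("consent-1", "consent", date(2024, 12, 31)),
]

if __name__ == "__main__":
    for rec in SAMPLE:
        try:
            print(rec.record_id, retention_end(rec))
        except ValueError as exc:
            print(rec.record_id, "NEEDS REVIEW:", exc)
    print(review_register(SAMPLE, REVIEW_DATE))
```

Running it on the sample register produces a list for the review date: the employment record from 2019 and the lapsed consent record are past their period and go for anonymisation, the children's record that closed at age 15 has passed the 25th birthday and is deleted, the one that closed at 17 is kept to the 26th birthday, and the adult's record is flagged rather than guessed at. The point of `needs_review` is that a retention tool should fail loudly on records it has no rule for; the storage limitation principle is breached just as easily by records that nobody's schedule covers.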
ICO Guidance for Charities
The ICO publishes free, practical guidance on all aspects of UK GDPR, including sections written with smaller organisations and voluntary sector bodies in mind. Key resources include:
- The ICO's Guide to UK GDPR — the primary reference for all data protection obligations.
- The ICO's Accountability Framework — a self-assessment tool for reviewing and documenting compliance.
- Guidance on exemptions for not-for-profit organisations regarding registration fees.
The ICO takes a proportionate approach to enforcement for charities, recognising that many operate with limited resources. However, proportionality does not mean immunity. Eleven UK charities — including Oxfam, Cancer Research UK, the Royal British Legion, and the NSPCC — have been fined for breaching data protection rules, with penalties totalling £138,000 for sending unsolicited marketing communications without valid consent (TFN). The ICO deliberately kept individual fines between £6,000 and £18,000 in those cases, taking into account that larger penalties would ultimately harm the donors those charities served — but the reputational impact of an enforcement action is significant regardless of the financial penalty.
The maximum penalty for a serious UK GDPR infringement is £17.5 million or 4% of global annual turnover, whichever is higher (ICO).
Frequently Asked Questions
Does a small charity need to comply with UK GDPR?
Yes. The size of an organisation does not determine whether UK GDPR applies — if a charity processes personal data about living individuals, the law applies. Very small charities whose processing activities are minimal (for example, a members-only organisation that holds only members' contact details and does not share them) may qualify for an exemption from paying the ICO fee, but they are still bound by the data protection principles and must be able to demonstrate compliance. The ICO's accountability framework and its free guidance resources are designed to be accessible to small organisations.
What is the difference between consent and legitimate interests for charities?
Both are lawful bases under Article 6, but they are appropriate in different circumstances. Consent is the right basis for direct marketing and any processing where you want to give individuals a clear and genuine choice. It requires an active opt-in and must be easy to withdraw. Legitimate interests is appropriate for processing that individuals would reasonably expect and that is necessary for the charity's purposes — for example, keeping records of people the charity has supported, or sharing information with a partner organisation to coordinate care. Legitimate interests requires a documented assessment and gives individuals a right to object, but does not require an active opt-in at the outset.
What counts as special category data in a charity context?
In a charity context, special category data most commonly arises in the form of health and mental health information (for charities supporting people with health conditions or disabilities), ethnicity and religion (for charities working with specific communities), and information about safeguarding histories. Criminal offence data is not special category data but is subject to its own restrictions under Article 10 and Schedule 1 of the DPA 2018. If your organisation collects any of these categories, even incidentally through case notes or referral forms, you must identify an appropriate Article 9 condition or DPA 2018 Schedule 1 condition for processing it, and, where the Schedule 1 condition you rely on requires it (the safeguarding condition does), maintain an Appropriate Policy Document.
How long should charities keep personal data?
There is no single answer — retention periods depend on the type of data and the purpose it was collected for. Every charity should maintain a written retention schedule. As a starting point: employment records are typically kept for 6 years after the end of employment; financial records for 7 years; and children's records until the child reaches at least age 25 (or 26 if they were 17 at the end of a referral). Data that has reached the end of its retention period must be securely deleted or anonymised. Holding data indefinitely is a breach of the storage limitation principle.
Recommended Next Pages
GDPR Software for Charities — How digital tools support UK GDPR compliance in practice.
What Is a Subject Access Request? — Your obligations when an individual asks to see their data.
What Is Safeguarding? — The legal framework for safeguarding vulnerable people in charity settings.
Information Sharing in Safeguarding — When and how charities can share personal data for safeguarding purposes.
Published by the Plinth Team. Last updated 21 February 2026.