GDPR and Grantmaking: What Funders Need to Know

How UK funders should handle applicant data lawfully under GDPR. Covers lawful basis, special category data, retention, SARs, and practical compliance steps.

By Plinth Team

Grantmaking involves collecting, assessing, and storing significant volumes of personal data. Application forms routinely ask for names, addresses, employment details, and financial circumstances. Many funders also collect information about beneficiaries, including health conditions, ethnicity, disability status, and safeguarding concerns, all of which qualify as special category data under the UK GDPR.

Yet the grantmaking sector has been slow to treat data protection as a core operational concern. The Association of Charitable Foundations (ACF) published its GDPR briefing for foundations in 2018, noting that "most foundation activity would be lawful" under legitimate interests but that funders still needed to document their basis for processing and put proper safeguards in place (ACF, 2018). Eight years on, many funders still manage applicant data in spreadsheets and shared inboxes with no audit trail, no access controls, and no documented retention policy.

This guide explains what the UK GDPR requires of grantmakers specifically, where the common compliance gaps are, and what practical steps funders can take to protect applicant data without making the process more burdensome than it needs to be.

Why does GDPR apply to grantmakers?

Every organisation that processes personal data must comply with the UK GDPR and the Data Protection Act 2018, regardless of size or sector. Grantmakers are no exception. Whether you are a large foundation running open funding rounds, a family trust making a handful of grants each year, or a corporate giving team distributing community funds, you are a data controller for the personal data you collect from applicants, referees, assessors, and grantees.

The scale of data involved is often larger than funders recognise. A single grant application might contain the applicant's personal details, information about their organisation's staff and trustees, details about the beneficiaries they serve (including vulnerable groups), referee contact information, and financial data. Multiply that across hundreds of applications per funding round, and the volume of personal data under a funder's control becomes substantial.

The charity sector reported 535 personal data breach incidents to the Information Commissioner's Office (ICO) in 2019/20, accounting for 4.5% of all breach reports received that year (Civil Society, 2020). In 2024/25, the ICO received 12,412 personal data breach reports across all sectors, but only 3% led to a formal investigation (ICO, 2025). The enforcement trend is towards fewer actions but significantly larger penalties: in the first half of 2025, the ICO collected seven times more in fines than it did throughout all of 2024 (URM Consulting, 2025).

Grantmakers that rely on informal systems and undocumented processes are exposed not just to regulatory risk, but to the reputational damage that comes from mishandling the data of the very organisations they exist to support.

What lawful basis should funders use?

Every piece of personal data you process must have a lawful basis under Article 6 of the UK GDPR. For grantmakers, the most relevant options are legitimate interests, consent, and contract. Choosing the right one matters because it determines your obligations around transparency, data subject rights, and withdrawal.

Legitimate interests is the most flexible basis and the one most commonly used by foundations. The ACF's GDPR briefing noted that most foundation activity, including processing applicant data to evaluate grant applications, is likely to be lawful under legitimate interests (ACF, 2018). However, you must complete a documented Legitimate Interest Assessment (LIA) for each processing activity. The ICO requires a three-part test: identify the legitimate interest, show that processing is necessary to achieve it, and balance it against the individual's rights and reasonable expectations (ICO guidance on legitimate interests).

Consent is less suitable for most grantmaking activities because it must be freely given, and there is an inherent power imbalance between funder and applicant. If an applicant feels they must consent to data processing in order to receive funding, that consent may not be valid. Consent is, however, often required for processing special category data and for certain communications.

Contract may apply where a grant agreement constitutes a contract and data processing is necessary to fulfil it, for example during the grant management and monitoring phase.

The table below summarises the most common processing activities and their typical lawful basis:

Processing activity | Typical lawful basis | Notes
--- | --- | ---
Collecting application data | Legitimate interests | Document with a Legitimate Interest Assessment
Assessing applications (internal) | Legitimate interests | Limit access to relevant staff
Sharing applications with external assessors | Legitimate interests or consent | Assessors need data processing agreements
Collecting equality monitoring data | Consent (explicit) | Must be optional and anonymised for reporting
Processing beneficiary health or safeguarding data | Consent or substantial public interest | Additional Article 9 conditions required
Sending funding decisions by email | Legitimate interests | Part of the application process
Post-award monitoring and reporting | Contract or legitimate interests | Linked to the grant agreement
Sharing applicant data with co-funders | Consent or legitimate interests | Requires transparency in your privacy notice
Retaining records for audit purposes | Legal obligation or legitimate interests | Document retention periods

How should funders handle special category data?

Special category data requires additional protections beyond a standard lawful basis. Under Article 9 of the UK GDPR, you must identify both a lawful basis under Article 6 and a separate condition for processing under Article 9 before you can lawfully process this data (ICO, special category data guidance).

In grantmaking, special category data arises more often than many funders realise. Equality monitoring forms collect data on ethnicity, disability, religion, and sexual orientation. Applications for health-related grants may include information about beneficiaries' medical conditions. Safeguarding assessments may reveal data about children or vulnerable adults. Even photographs submitted as part of project documentation can reveal racial or ethnic origin.

The most common conditions for processing special category data in a grantmaking context are:

  • Explicit consent — the applicant gives specific, informed, and unambiguous consent to the processing of their sensitive data for a stated purpose. This is the clearest route but requires careful implementation.
  • Substantial public interest — Schedule 1 of the Data Protection Act 2018 lists conditions including safeguarding of children and individuals at risk, equality of opportunity or treatment, and preventing or detecting unlawful acts.
  • Archiving in the public interest — may apply to historical grant records held by foundations.

Practical steps for managing special category data include collecting it only when genuinely necessary, keeping it separate from general application data where possible, restricting access to staff who need it, anonymising or aggregating it for reporting purposes, and applying shorter retention periods than for standard personal data.

The ICO fined Central YMCA £7,500 in 2024 after a coordinator revealed the identities of 166 people on an HIV support programme by using CC rather than BCC on an email. The fine would have been £300,000 before reductions under the ICO's public sector approach (Civil Society, 2024). Special category data demands particular care precisely because the consequences of a breach are so severe for the individuals involved.

What should a funder's privacy notice include?

Transparency is a core principle of the UK GDPR. Applicants, assessors, referees, and grantees all have the right to know what data you collect, why you collect it, how long you keep it, who you share it with, and what rights they have over it. This information must be provided in a clear, accessible privacy notice at the point of data collection.

A grantmaker's privacy notice should cover:

  • Who you are — your organisation's name, registration number, and contact details for your data protection lead or Data Protection Officer (DPO) if you have one.
  • What data you collect — be specific. List the categories: personal details, organisational details, financial information, equality monitoring data, referee information, and so on.
  • Your lawful basis — state which lawful basis applies to each category of processing. If you rely on legitimate interests, briefly describe the interest.
  • Who you share data with — external assessors, co-funders, auditors, technology providers. Name the categories of recipients.
  • Data retention periods — how long you keep application data, grant records, and monitoring information.
  • Individual rights — the right to access, correct, delete, restrict processing, data portability, and object. Explain how to exercise these rights.
  • International transfers — if data is processed or stored outside the UK, explain the safeguards in place.

Many funders embed their privacy notice within the application form or link to it from the application portal. The key is that applicants see it before they submit their data, not buried in terms and conditions they are unlikely to read. Tools like Plinth allow funders to configure privacy notices directly within application forms, ensuring applicants receive the notice at the point of collection.

How long should funders retain applicant data?

There is no single retention period that applies to all grant records. The UK GDPR requires you to keep personal data only for as long as necessary for the purpose for which it was collected. In practice, this means different retention periods for different types of data.

The Charities Act 2011 requires charity trustees to preserve accounting records for at least six years from the end of the financial year in which they are made (Charities Act 2011, Part 8). Grant agreements, particularly those with government or local authority funders, often require records to be kept for six years after the grant expires, and some specify longer periods.

A proportionate retention schedule for grantmakers might look like this:

Data type | Suggested retention period | Rationale
--- | --- | ---
Unsuccessful applications | 12-24 months after decision | Allows for complaints or reapplication context
Successful grant records | 6 years after grant closure | Meets accounting and audit requirements
Equality monitoring data | Anonymise after analysis | No need to retain identifiable data
External assessor records | Duration of the assessment plus 12 months | Allows for queries about decisions
Financial records | 6 years minimum | Charities Act 2011 requirement
Safeguarding-related data | As per safeguarding policy | May require longer retention
Applicant contact details | Delete or archive after retention period | No basis to retain indefinitely

The important point is to document your retention schedule, communicate it in your privacy notice, and apply it consistently. Data that accumulates indefinitely without review is a liability, not an asset. Grant management platforms like Plinth support configurable retention schedules, allowing funders to set policies per fund and receive alerts when data reaches its retention limit.
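As an added illustration (not code from the article or from Plinth), here is the suggested schedule above expressed as a retention policy a grant management system could evaluate: each record carries the date its retention clock starts, periods can be overridden per fund, and records are flagged as due soon or overdue for deletion, anonymisation or manual review, which is the alert the text describes. The data type names, the 30-day warning window and the sample records are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Retention periods in calendar months, taken from the suggested schedule above. The
# clock runs from a per-record trigger date (funding decision, grant closure, end of
# assessment). None means no fixed period: only ever flagged for manual review.
SCHEDULE = {
    "unsuccessful_application": (24, "delete", "complaints or reapplication context"),
    "successful_grant_record": (72, "review", "6 years: accounting and audit requirements"),
    "equality_monitoring": (0, "anonymise", "no need to retain identifiable data"),
    "assessor_record": (12, "delete", "queries about decisions"),
    "financial_record": (72, "review", "Charities Act 2011 minimum of six years"),
    "safeguarding": (None, "review", "as per safeguarding policy"),
}

@dataclass(frozen=True)
class Record:
    record_id: str
    fund: str
    data_type: str
    trigger_date: date  # decision, closure or assessment-end date

def add_months(d: date, months: int) -> date:
    """Calendar-month arithmetic, clamping the day to the end of the target month."""
    years, month0 = divmod(d.month - 1 + months, 12)
    year, month = d.year + years, month0 + 1
    first_of_next = date(year + month // 12, month % 12 + 1, 1)
    last_day = (first_of_next - timedelta(days=1)).day
    return date(year, month, min(d.day, last_day))

def evaluate(rec: Record, today: date, overrides=None, warn_days: int = 30) -> dict:
    """Status of one record: 'ok', 'due_soon', 'overdue', or 'review' (no fixed clock).
    `overrides` maps (fund, data_type) to months, modelling per-fund policies."""
    months, action, rationale = SCHEDULE[rec.data_type]
    if overrides:
        months = overrides.get((rec.fund, rec.data_type), months)
    due = add_months(rec.trigger_date, months) if months is not None else None
    if due is None:
        status = "review"
    elif today >= due:
        status = "overdue"
    elif today + timedelta(days=warn_days) >= due:
        status = "due_soon"
    else:
        status = "ok"
    return {"id": rec.record_id, "status": status, "action": action, "due": due, "why": rationale}

def retention_report(records: List[Record], today: date, overrides=None) -> List[dict]:
    """Everything that needs attention, overdue items first, ready to drive an alert."""
    order = {"overdue": 0, "due_soon": 1, "review": 2}
    flagged = [f for f in (evaluate(r, today, overrides) for r in records) if f["status"] != "ok"]
    return sorted(flagged, key=lambda f: order[f["status"]])

# Constructed sample records for a fictional funder; not real applicant data.
SAMPLE = [
    Record("APP-001", "community", "unsuccessful_application", date(2024, 1, 15)),
    Record("APP-002", "community", "unsuccessful_application", date(2025, 9, 1)),
    Record("EQ-001", "community", "equality_monitoring", date(2025, 12, 1)),
    Record("GR-001", "health", "successful_grant_record", date(2020, 1, 31)),
    Record("SG-001", "health", "safeguarding", date(2023, 6, 1)),
]

def run_sample(today_iso: str, overrides=None) -> List[Tuple[str, str, str, Optional[str]]]:
    """Report for SAMPLE as plain tuples (id, status, action, due date as ISO or None)."""
    rows = retention_report(SAMPLE, date.fromisoformat(today_iso), overrides)
    return [(r["id"], r["status"], r["action"], r["due"].isoformat() if r["due"] else None)
            for r in rows]
```

Calling `run_sample("2026-02-10")` lists the unsuccessful application, the equality data and the closed grant as overdue, and the safeguarding record for manual review; passing `{("community", "unsuccessful_application"): 6}` as an override shortens that fund's period and surfaces the newer application as due soon.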

What about subject access requests?

Individuals have the right to request a copy of all personal data you hold about them, and you must respond within one calendar month. This applies to grant applicants, grantees, referees, assessors, and anyone else whose personal data you process.

For grantmakers, responding to a subject access request (SAR) can be straightforward or deeply challenging depending on how your data is organised. If application data is held in a structured grant management system with searchable records, you can retrieve the relevant data quickly. If it is scattered across spreadsheets, email threads, shared drives, and paper files, responding within the legal timeframe becomes a significant operational burden.

The UK Government's Cyber Security Breaches Survey 2025 found that 30% of charities experienced a cybersecurity breach or attack in the previous 12 months, with the average cost of a disruptive breach for charities reaching £3,240. For high-income charities, the breach rate was 64% (GOV.UK, 2025). SARs arriving in the aftermath of a breach add further operational pressure.

When responding to a SAR, remember that you must also search emails, notes, assessment comments, and any other records that contain the individual's personal data, not just the application form itself. You may need to redact information about third parties before disclosing the data. And you must provide the data in a commonly used electronic format if requested.

Plinth's grant management platform stores all application data, assessment notes, communications, and grant records in a single searchable system, making SAR responses faster and more reliable. External assessors in Plinth only see the applications assigned to them, which limits the scope of any SAR and reduces the risk of over-disclosure.

What do funders need from their data processors?

When you use software, consultants, or external assessors to process personal data on your behalf, you are engaging data processors. Under Article 28 of the UK GDPR, you must have a written contract or data processing agreement (DPA) in place with each processor.

A DPA should specify what data the processor will handle, the purposes and duration of processing, the security measures they will implement, their obligations regarding sub-processors, their duty to assist with SARs and breach reporting, and what happens to the data when the contract ends.

For grant management software providers, the key questions to ask are:

  • Where is data hosted? Hosting in the UK or EU keeps you within the UK GDPR adequacy framework. If data is hosted in the US or elsewhere, you need to verify that appropriate safeguards such as Standard Contractual Clauses are in place. Plinth hosts all data on Google Cloud in the EU (europe-west3, Frankfurt).
  • Who can access the data? Understand whether the provider's staff can access your data, and under what circumstances. Look for role-based access controls that let you restrict access by fund, programme, or data type.
  • Is there an audit trail? Every access and modification should be automatically logged. This is essential for demonstrating accountability under the UK GDPR.
  • What happens when you leave? You need to be able to export your data in a usable format and confirm that the provider will delete their copies.

External assessors present a particular challenge. They are processing personal data on the funder's behalf, but many funders treat the arrangement informally. At minimum, you need a written agreement covering confidentiality, data handling, and deletion of application data once the assessment is complete. In Plinth, external assessors are given controlled access to specific applications through the platform, with all activity logged, so there is no need for applicant data to be emailed or downloaded to personal devices.

What changes did the Data (Use and Access) Act 2025 bring?

The Data (Use and Access) Act 2025 introduced several changes to the UK data protection framework, with key provisions coming into force on 5 February 2026. While the Act primarily affects direct marketing and data sharing, some provisions are relevant to grantmakers.

The most notable change is the "charitable purpose soft opt-in" for electronic marketing. This allows charities to send email and SMS marketing to supporters who have expressed interest in or offered support for the charity's purposes, provided each message solely furthers the charity's mission and an opt-out is offered (Bates Wells, 2026). Critically, this provision does not apply retrospectively to contacts collected before 5 February 2026 (Russell-Cooke, 2026).

For grantmakers, this means:

  • If you also fundraise (as many community foundations do), you may be able to use the soft opt-in for communications with existing supporters, but only for contacts collected after 5 February 2026.
  • Your systems need to track when and how contact details were collected, so you can distinguish between pre- and post-February 2026 contacts.
  • The core UK GDPR obligations around lawful basis, transparency, data minimisation, and security remain unchanged. The Act did not weaken data protection requirements.

The Act also introduced changes to recognised legitimate interests, allowing certain processing activities to proceed without a balancing test. However, the ICO has stated it will publish further guidance on these provisions throughout 2026 (ICO, 2026).

How can funders build GDPR compliance into their grantmaking process?

Compliance is most effective when it is embedded in your processes from the start rather than retrofitted as an afterthought. Here are the practical steps every grantmaker should take.

1. Map your data. Document what personal data you collect at each stage of the grant lifecycle (application, assessment, decision, monitoring, closure), where it is stored, who has access, and how long you keep it. This data map is the foundation of your compliance programme.

2. Choose and document your lawful basis. For each processing activity, identify the appropriate lawful basis and record it. If you rely on legitimate interests, complete a Legitimate Interest Assessment.

3. Write a clear privacy notice. Provide it to applicants at the point of data collection. Keep it in plain English, and make sure it covers all the required information under Articles 13 and 14 of the UK GDPR.

4. Implement access controls. Not everyone in your organisation needs access to all applicant data. Use role-based permissions to restrict access to what each person needs for their role. Plinth provides three levels of organisational access (Admin, User, and Restricted User), plus controlled access for external assessors who only see the applications assigned to them.

5. Set retention policies. Define how long you keep each type of data, communicate it, and enforce it. Review your data holdings at least annually. The Charities Act 2011 requires a minimum of six years for accounting records, but other data should be deleted or anonymised sooner.

6. Prepare for subject access requests. Have a documented process for receiving, validating, and responding to SARs within one calendar month. Know where all personal data is held and who is responsible for coordinating the response.

7. Plan for breaches. You must report certain breaches to the ICO within 72 hours. Document what constitutes a reportable breach, who to notify, and how to contain and remediate the incident. The ICO fined Birthlink £18,000 in 2025 for the destruction of adoption records, noting the breach was "particularly avoidable" (ICO, 2025).

8. Train your team. Staff and assessors who handle applicant data need to understand their obligations. The ICO has repeatedly cited insufficient training as a factor in enforcement actions against charities.

FAQs

Do grant applicants need to consent to data processing?

Not necessarily. Consent is one lawful basis among several. Most grantmakers can rely on legitimate interests for processing application data, provided they complete a Legitimate Interest Assessment. Consent may be required for specific activities such as collecting equality monitoring data or processing special category information about beneficiaries.

Can funders share applicant data with co-funders or partner organisations?

Yes, but only if your privacy notice informs applicants that you may share their data, you have a lawful basis for the sharing, and you have appropriate data sharing agreements in place. If sharing was not disclosed at the point of collection, you may need to obtain consent.

How long should we keep unsuccessful applications?

There is no legal minimum for unsuccessful applications. A retention period of 12 to 24 months after the funding decision is generally proportionate, allowing time for complaints, feedback, and context if the applicant reapplies. After that period, the data should be securely deleted or anonymised.

Do we need to pay the ICO data protection fee?

Most organisations that process personal data, including grantmakers, must pay an annual data protection fee to the ICO. Charities pay the Tier 1 fee of £52 per year regardless of size or turnover, following an increase from £40 in February 2025 (ICO, data protection fee guidance).

What should we do if an external assessor loses or leaks applicant data?

You must assess whether the breach is likely to result in a risk to the rights and freedoms of the individuals concerned. If it is, you must report the breach to the ICO within 72 hours. You should also notify the affected individuals if the risk is high. Review your agreement with the assessor and take steps to prevent recurrence, such as ensuring assessors access data through a controlled platform rather than receiving it by email.

Do we need a Data Protection Officer?

Under the UK GDPR, you must appoint a DPO if you are a public authority or body, your core activities involve large-scale systematic monitoring of individuals, or your core activities involve large-scale processing of special category data. Many grantmakers will not meet these thresholds, but appointing a data protection lead (even if not formally a DPO) is good practice.

Can we use applicant data for research or sector analysis?

Yes, if the processing is compatible with your original lawful basis and your privacy notice informed applicants that their data might be used for this purpose. Wherever possible, use anonymised or aggregated data for research. If you want to use identifiable data for a purpose not covered by your original notice, you will need to obtain consent or identify a new lawful basis.

Does the UK GDPR apply to funders based outside the UK who fund UK organisations?

If you process the personal data of individuals in the UK, the UK GDPR applies regardless of where your organisation is based. International funders making grants to UK organisations and collecting personal data from UK-based applicants must comply with UK data protection law.

Last updated: February 2026