GDPR Compliance Software for UK Charities: What You Need to Know (2026)

A practical guide to GDPR compliance software for UK charities. Covers lawful basis, consent management, data retention, SARs, and what to look for in charity software.

By Plinth Team


UK charities handle some of the most sensitive personal data of any sector: health conditions, financial hardship, safeguarding concerns, immigration status, and more. Getting data protection right is not just a legal obligation — it is fundamental to the trust that beneficiaries, donors, and funders place in your organisation.

Yet many charities still manage personal data in spreadsheets, shared inboxes, and ad hoc systems that were never designed with data protection in mind. This guide explains what UK GDPR requires of charities, what features to look for in compliant software, and how the main platforms compare.

TL;DR: UK charities must comply with the UK GDPR and the Data Protection Act 2018. The right software makes compliance achievable rather than burdensome — with built-in access controls, audit trails, consent recording, and data retention policies. Spreadsheets and generic tools are a GDPR liability. Plinth offers GDPR-first design with UK/EU data hosting, role-based access, and full audit trails across Case Management, Partner CRM, and Surveys.

Who this is for: Charity managers, data protection leads, trustees, and operations teams responsible for GDPR compliance in UK charities.

Why GDPR Matters More for Charities Than Most Sectors

Charities are not exempt from data protection law. Every registered charity in England and Wales — over 171,000 as of January 2026 (Charity Commission register) — that processes personal data must comply with the UK GDPR and the Data Protection Act 2018.

The charity sector reported 535 personal data breach incidents to the Information Commissioner's Office (ICO) in 2019/20 alone, accounting for 4.5% of all breach reports received that year (Civil Society, 2020). Common causes included data emailed to wrong recipients, loss of paperwork, and failure to use BCC on group emails.

The consequences are real. The ICO fined the charity Mermaids £25,000 in 2021 after confidential data — including special category health and sexual orientation data for 550 people — was left viewable online for nearly three years due to misconfigured email group settings (Civil Society, 2021). In 2024, Central YMCA was fined £7,500 after a coordinator sent an email using CC rather than BCC, revealing the identities of 166 people on an HIV support programme. The fine would have been £300,000 before reductions under the ICO's public sector approach (Civil Society, 2024).

These are not large organisations making sophisticated errors. They are everyday mistakes made worse by systems that lack basic safeguards.

What UK GDPR Requires of Charities

The UK GDPR sets out clear obligations for any organisation processing personal data. Here is what charities need to get right.

Lawful Basis for Processing

Every piece of personal data you process must have a lawful basis. For charities, the most common are:

  • Legitimate interests — processing that is necessary for your charitable purposes and proportionate to the individual's privacy rights. This is the most flexible basis but requires a documented Legitimate Interest Assessment (LIA).
  • Consent — freely given, specific, informed and unambiguous. Required for most direct marketing and often for processing special category data.
  • Contract — where processing is necessary to fulfil a service agreement with a beneficiary.
  • Legal obligation — where processing is required by law, such as safeguarding duties.

A key change in 2026: the Data (Use and Access) Act 2025 introduced a "charitable purpose soft opt-in" for electronic marketing, which came into force on 5 February 2026. This allows charities to send email and SMS marketing to supporters who have expressed interest in or offered support for the charity's purposes, provided each message solely furthers the charity's mission and an opt-out is offered (Bates Wells, 2026). However, this does not apply retrospectively to contacts collected before the provision came into force.

Consent Management

Where consent is your lawful basis, you must be able to demonstrate when and how consent was obtained, what the person consented to, and whether they have withdrawn it. This is almost impossible to manage reliably in spreadsheets. Your software should record consent with timestamps, link it to specific processing purposes, and make withdrawal straightforward.

Data Retention

You must not keep personal data longer than necessary. Charities often struggle here because data accumulates over years of service delivery, and nobody is assigned to review it. Your software should support configurable retention schedules and flag or automatically archive data that has exceeded its retention period.

Subject Access Requests (SARs)

Individuals have the right to request a copy of all personal data you hold about them, and you must respond within one calendar month. The ICO received over 15,300 complaints in a single year about organisations failing to comply with SARs — making it the most common type of complaint (Personnel Today, 2024). If your data is scattered across spreadsheets, email threads, and filing cabinets, responding to a SAR within the legal timeframe becomes a significant operational burden.

Data Protection Impact Assessments (DPIAs)

You must conduct a DPIA before any processing that is likely to result in a high risk to individuals. For charities, this typically includes new case management systems, beneficiary databases, or any processing of special category data at scale. Your software should make it straightforward to understand what data is being processed, by whom, and for what purpose — information that feeds directly into a DPIA.

What Features Charity Software Needs for GDPR Compliance

Not all charity software is designed with data protection in mind. Here is what to look for when evaluating platforms.

Role-Based Access Controls

Not everyone in your organisation needs access to all data. Caseworkers should see their own cases. Volunteers should not see financial hardship details. Trustees should see aggregate reports, not individual records. According to the UK Government's Cyber Security Breaches Survey 2025, only 35% of charities have implemented two-factor authentication, and just 31% use any form of user monitoring (GOV.UK, 2025). Without proper access controls, every user account is a potential breach.

Audit Trails

You need to know who accessed what data, when, and what changes they made. This is essential for demonstrating accountability under GDPR, investigating potential breaches, and responding to SARs. An audit trail should be automatic and tamper-proof — not a manual log that relies on staff remembering to record their actions.

Consent Recording and Management

Your system should capture consent at the point of collection, link it to specific processing purposes, and make it easy to update or withdraw. It should also distinguish between different types of consent (marketing, data sharing with partners, use of images) and track each independently.

Data Retention Policies

Built-in retention schedules that can be configured per data type and per programme. When a retention period expires, the system should flag the data for review or automatically anonymise it, depending on your policy.

SAR Handling and Data Export

When a SAR arrives, you need to be able to search across all data held about an individual and export it in a structured, commonly used format within the legal timeframe. The Charity Digital Skills Report 2025 found that the top barriers to digital progress for charities remain squeezed finances (67%), lack of capacity (62%), and insufficient investment in infrastructure (63%) (Charity Digital Skills Report, 2025). Systems that make SARs straightforward reduce the operational cost of compliance.

Data Deletion and Anonymisation

GDPR gives individuals the right to erasure in certain circumstances. Your software should support targeted deletion of individual records without corrupting related data, and offer anonymisation where you need to retain aggregate data for reporting purposes.

UK/EU Data Hosting

Where your data is physically stored matters. Hosting in the UK means no international transfer takes place, and hosting in the EU is covered by the UK's adequacy regulations, so neither needs additional international transfer safeguards. If your provider hosts data in the US or elsewhere, you need to verify that appropriate safeguards (such as Standard Contractual Clauses) are in place.

How Different Platforms Handle GDPR

Not all charity software approaches data protection with the same rigour. Here is how the main options compare.

| Feature | Plinth | Charitylog | Lamplight | Salesforce NPSP | Spreadsheets |
| --- | --- | --- | --- | --- | --- |
| Role-based access controls | Yes, granular | Yes | Yes | Yes (configurable) | No |
| Full audit trails | Yes, automatic | Limited | Limited | Yes (configurable) | No |
| Consent recording | Yes, per purpose | Basic | Basic | Yes (with setup) | Manual only |
| Data retention automation | Yes | Limited | Limited | Yes (with setup) | No |
| SAR data export | Yes | Partial | Partial | Yes (with setup) | Manual only |
| Data deletion/anonymisation | Yes | Partial | Partial | Yes (with setup) | Manual, error-prone |
| UK/EU data hosting | Yes (EU) | Yes (UK) | Yes (UK) | Configurable (US default) | Varies |
| DPIA support | Data mapping built in | Limited | Limited | Requires consultancy | No |

Source: Platform documentation and feature pages reviewed February 2026.

Plinth

Plinth was built with GDPR compliance as a foundational design principle, not an afterthought. All data is hosted on Google Cloud in the EU (europe-west3, Frankfurt). Role-based access controls are granular — you can restrict access by programme, case, or data type. Every data access and modification is automatically logged in an immutable audit trail. Consent is recorded per purpose with full timestamps, and data retention schedules can be configured per programme. Case Management includes built-in SAR support with data export and targeted deletion. Partner CRM tracks consent and communication preferences per contact. Surveys collect responses with appropriate data handling and retention.

Charitylog

Charitylog is a well-established UK case management system used by many advice and community organisations. It offers role-based access and UK hosting. However, its audit trail capabilities are more limited than purpose-built GDPR-first platforms, and features like automated data retention and comprehensive SAR export require manual workarounds.

Lamplight

Lamplight is popular among smaller charities for its flexibility and UK hosting. It provides user-level access controls and basic consent tracking. Like Charitylog, its GDPR-specific features are functional but not deeply integrated — retention policies and SAR handling tend to require manual processes.

Salesforce Nonprofit Success Pack

Salesforce offers extensive configurability, including field-level security, audit logging, and data retention rules. However, achieving GDPR compliance on Salesforce typically requires significant configuration, often with the help of a consultancy partner. Data hosting defaults to the US unless explicitly configured otherwise, and the platform's complexity means that misconfiguration is a real risk for small teams without dedicated Salesforce administrators.

Spreadsheets

Spreadsheets — whether Excel files on shared drives or Google Sheets — are the most common data management tool in the charity sector, and they are a serious GDPR liability. They offer no access controls beyond file-level sharing, no audit trails, no consent management, no automated retention, and no reliable way to respond to a SAR. The UK Government's Cyber Security Breaches Survey 2025 found that 30% of charities experienced a cybersecurity breach or attack in the previous 12 months (GOV.UK, 2025). Spreadsheets containing personal data that are emailed between staff, stored on personal devices, or shared with broad access permissions are a breach waiting to happen.

Common GDPR Mistakes Charities Make

Even well-intentioned charities regularly make data protection errors. Here are the most frequent.

1. No documented lawful basis. Many charities process data because they always have, without ever identifying or recording which lawful basis applies. If the ICO investigates, "we need the data to do our work" is not a sufficient answer.

2. Over-collecting data. Collecting information "just in case" violates the data minimisation principle. Only collect what you need for a specific, documented purpose. Review your intake forms and remove fields that are not actively used.

3. Ignoring retention. Data accumulated over 10 or 15 years of service delivery is a ticking liability. If you cannot justify why you still hold someone's records from 2012, you should not be holding them.

4. Using personal email and devices. Staff using personal email accounts or phones to communicate with beneficiaries creates data that sits entirely outside your organisation's control — and outside any GDPR compliance measures you have in place.

5. Inadequate staff training. The ICO has repeatedly cited insufficient training as a factor in enforcement actions against charities. The Mermaids fine specifically noted that the charity's approach to data protection training in the wake of GDPR was "lacking" (Slaughter and May, 2021). In the first half of 2025, the ICO issued just six fines totalling approximately £5.6 million — double the entire £2.7 million collected across 18 fines throughout all of 2024 — with two-thirds issued for UK GDPR breaches (URM Consulting, 2025). The trend is clear: fewer actions, but significantly larger penalties.

6. No breach response plan. You must report certain breaches to the ICO within 72 hours. Without a documented plan, staff may not know what constitutes a reportable breach or who to notify.

The 2026 Regulatory Landscape

Two developments make GDPR compliance software more important for charities in 2026 than ever before.

First, the Data (Use and Access) Act 2025 has introduced changes to the UK GDPR and the Privacy and Electronic Communications Regulations, with provisions being phased in between June 2025 and June 2026. The charitable purpose soft opt-in is a welcome development for fundraising teams, but it also creates new compliance requirements — charities must ensure their systems can track the provenance of supporter data to distinguish between contacts collected before and after 5 February 2026 (Russell-Cooke, 2026).
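The consent requirements described earlier (timestamped, per-purpose consent with recorded withdrawal) and the provenance tracking the soft opt-in needs can be modelled in a small consent register. The following is an added illustration written for this guide, not Plinth's or any other platform's code; the purpose names, the `Contact` and `ConsentEvent` structures and the `may_send_marketing` decision function are assumptions, and the only date it relies on is the 5 February 2026 commencement date stated above.

```python
from dataclasses import dataclass, field
from datetime import date, datetime, timezone
from typing import Optional

# Date the charitable purpose soft opt-in came into force (stated in the guide).
SOFT_OPT_IN_START = date(2026, 2, 5)


@dataclass
class ConsentEvent:
    """One consent decision: what was consented to, when, how, and whether it was a withdrawal."""
    purpose: str        # hypothetical purpose keys, e.g. "marketing_email", "partner_sharing", "images"
    granted: bool       # True = consent given, False = consent withdrawn / opted out
    at: datetime        # timestamp, always timezone-aware
    source: str         # how it was captured, e.g. "web_form", "phone_call", "unsubscribe_link"


@dataclass
class Contact:
    contact_id: str
    collected_on: date          # provenance: when the contact was first collected
    expressed_interest: bool    # expressed interest in, or offered support for, the charity's purposes
    events: list = field(default_factory=list)

    def record(self, purpose: str, granted: bool, source: str, at: Optional[datetime] = None) -> None:
        """Append-only: a withdrawal is a new event, nothing is overwritten, so history is demonstrable."""
        self.events.append(ConsentEvent(purpose, granted, at or datetime.now(timezone.utc), source))

    def latest(self, purpose: str) -> Optional[ConsentEvent]:
        """The most recent decision for a purpose is the one that counts; None means never asked."""
        relevant = [e for e in self.events if e.purpose == purpose]
        return max(relevant, key=lambda e: e.at) if relevant else None


def may_send_marketing(contact: Contact, furthers_mission: bool, opt_out_offered: bool) -> tuple:
    """Decide whether an email/SMS marketing message has a lawful basis, and which one."""
    latest = contact.latest("marketing_email")
    if latest is not None:
        # An explicit decision exists; a withdrawal stands until the person consents again.
        return (True, "consent") if latest.granted else (False, "withdrawn")
    # No explicit decision: only the soft opt-in can apply, and only for contacts collected
    # on or after the commencement date. Earlier contacts still need consent.
    if (contact.collected_on >= SOFT_OPT_IN_START and contact.expressed_interest
            and furthers_mission and opt_out_offered):
        return (True, "charitable purpose soft opt-in")
    return (False, "no lawful basis for electronic marketing")
```

Because every decision is a dated event rather than a flag that gets overwritten, the same register answers a subject access request ("what did we hold, and when did they consent or withdraw?") without any extra bookkeeping.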

Second, the ICO's enforcement approach has shifted towards fewer but more substantial penalties. The maximum fine under UK GDPR remains up to £17.5 million or 4% of global annual turnover, and the ICO has signalled that it will continue to take action against organisations — including charities — that fail to implement basic data protection measures.

For charities handling special category data — which includes most social care, advice, and health-related services — the compliance bar is higher still. You need explicit consent or an appropriate policy document, additional security measures, and documented justification for every processing activity.

FAQs

Does my charity need to pay the ICO data protection fee?

Most charities that process personal data must pay an annual data protection fee to the ICO. The fee depends on your size and turnover: Tier 1 (micro organisations with fewer than 10 staff and turnover under £632,000) pay £40 per year. Charities and small occupational pension schemes receive a £5 discount. Failure to pay is itself a breach that can result in enforcement action.

Can we use legitimate interests instead of consent for everything?

No. Legitimate interests is a flexible lawful basis, but it requires a documented Legitimate Interest Assessment (LIA) for each processing activity, and it cannot be used for all types of processing. In particular, direct electronic marketing (email and SMS) to new contacts still requires consent unless the new charitable purpose soft opt-in applies. Processing special category data — such as health, ethnicity, or sexual orientation — generally requires explicit consent or another specific condition under Article 9 of the UK GDPR.

How long should we keep beneficiary data?

There is no single answer. Your retention period should be based on the purpose for which the data was collected, any legal or regulatory requirements (such as safeguarding records, which may need to be kept for longer), and any legitimate need for the data after the service relationship ends. Document your retention periods in a retention schedule and apply them consistently. Your software should support this with automated reminders or archiving.

What happens if we receive a subject access request and our data is in spreadsheets?

You are still legally required to respond within one calendar month, regardless of how your data is stored. In practice, this means manually searching every spreadsheet, email account, and document store where the individual's data might be held — a time-consuming and error-prone process. This is one of the strongest practical arguments for moving to a purpose-built system with searchable records and data export capabilities.

Do volunteers need to comply with GDPR too?

Yes. Volunteers who process personal data on behalf of your charity are subject to the same data protection requirements as paid staff. You must provide appropriate training, limit their access to only the data they need, and ensure that any personal data they handle is processed in accordance with your policies. This is another area where role-based access controls in your software are essential.

Is cloud-based software more GDPR-compliant than on-premise?

Not inherently. What matters is where the data is hosted, how it is secured, and whether the provider has appropriate technical and organisational measures in place. Cloud-based platforms from reputable providers typically offer stronger security (encryption, access controls, backup, monitoring) than on-premise setups managed by small IT teams. The key is to review your provider's data processing agreement, security certifications, and data hosting location.

Recommended Next Steps

If you are reviewing your charity's GDPR compliance or evaluating software options, these resources go deeper on specific topics:


Last updated: February 2026

Need GDPR-compliant software for your charity? Book a demo or contact our team to see how Plinth handles data protection.