Charity GDPR FAQ: Data Protection Questions Answered for UK Charities

GDPR applies to charities in the same way it applies to commercial organisations — and generates specific questions around donor consent, beneficiary data processing, volunteer information, and the interaction between charitable purpose and data protection principles. This FAQ addresses the most common GDPR questions from UK charities.

Healthcare charities, domestic abuse organisations, and mental health providers handle the most GDPR-sensitive data in the voluntary sector — warranting the highest levels of protection and governance.

Charity GDPR Frequently Asked Questions

Do we need consent to process beneficiary data?

Not necessarily. Consent is one of six lawful bases under Article 6 UK GDPR, and it is often not the most appropriate one for beneficiary data. Health and social care records are special category data, so you also need an Article 9 condition alongside the Article 6 basis (such as public task or legitimate interests); the Article 9 condition does not replace it. For charities providing health or social care services, Article 9(2)(h) (processing necessary for health or social care) is usually the right condition for clinical or care records. For other beneficiary services, the substantial public interest condition in Article 9(2)(g), with the specific conditions set out in Schedule 1 of the Data Protection Act 2018, may apply. Consent is appropriate only where the individual has a genuine, free choice and can withdraw it without detriment. In many beneficiary relationships refusing consent would mean not receiving the service, so the consent is not freely given and is invalid, and withdrawal would leave you with no basis for records you are obliged to keep. Take advice on the appropriate basis and condition for your specific service and data, and record the decision in your record of processing activities.

Can we send fundraising emails to past donors?

For email marketing, PECR applies alongside UK GDPR: you need either the person's consent or a valid PECR soft opt-in. The soft opt-in applies only where all of the following hold: the person is an existing donor whose details you obtained in the course of that relationship; the marketing is for similar charitable purposes to the original donation; and the person was given a simple way to opt out when their details were collected and in every subsequent message. If you have neither consent nor a valid soft opt-in, you need fresh consent before emailing. Historically the soft opt-in covered only commercial sales and did not extend to charity fundraising; its extension to charities was introduced by the Data (Use and Access) Act 2025, so confirm against current ICO guidance that it covers the fundraising you plan before relying on it. Whatever the basis, every message must carry a working unsubscribe, and opt-outs must be applied promptly across every system and channel, including lists passed to a mailing house. The ICO has fined charities for ignoring donor opt-outs and for assuming consent from old data, so your consent and preference records must be current, evidenced (what was said, when and how) and honoured.

What should we do within 72 hours of discovering a data breach?

The 72-hour clock starts when you become aware of the breach, not when you have the full picture. Within that window, if the breach is likely to result in a risk to individuals, notify the ICO using its online breach reporting tool (ico.org.uk/report-a-breach). Report what you know and update the report as the investigation progresses; if you cannot meet 72 hours, the report must explain the delay. In parallel: contain the breach (revoke exposed credentials, recall or block misdirected data, isolate affected systems); notify affected individuals without undue delay if the breach is likely to result in a high risk to them; report it to the Charity Commission as a serious incident where it meets that threshold; record it in your internal breach register; and establish the scope and cause. Every personal data breach must be recorded in the register, including those you assess as not reportable, together with the reasons for that assessment.

How long can we keep donor data?

UK GDPR requires personal data to be kept no longer than necessary for the purpose for which it was collected (the storage limitation principle). For donor data this means a documented retention schedule that sets out how long each category of donor data is kept and why. Typical periods: active donor records, for as long as the person is an active supporter under your own definition of "active"; inactive donor records, commonly 7 years from the last donation, aligning with financial record-keeping requirements; Gift Aid records, 7 years from the end of the tax year in which the donation was made, to satisfy HMRC (check HMRC's current guidance for the exact minimum); and fundraising opt-outs, kept indefinitely as a minimal suppression list so the opt-out continues to be honoured after the rest of the record is deleted. Where a record is covered by more than one rule, the longest applicable period governs. Implement automated deletion or scheduled review so the periods are actually applied, not just documented, and make sure backups and exports are covered by the same schedule.
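The rules in the answer above can be applied mechanically to a donor database. The following is an added example written for this page, not code from the original FAQ or from any charity's system. It assumes the 7-year periods stated above, keys the Gift Aid period to the tax year of the donor's last donation (a simplification; a live declaration may need its own rule), and uses constructed sample records. Its one edge case worth noticing: an opted-out donor whose retention has expired is reduced to a suppression entry rather than deleted, because deleting the record would let the person be re-contacted if their details were later acquired again.

```python
from dataclasses import dataclass
from datetime import date

# Retention periods taken from the FAQ above. Assumption for this example: the
# charity's documented schedule adopts them; HMRC's rules and your own schedule govern.
FINANCIAL_RETENTION_YEARS = 7
GIFT_AID_RETENTION_YEARS = 7


def add_years(d: date, years: int) -> date:
    """Add calendar years; 29 February falls back to 28 February in non-leap years."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def uk_tax_year_end(d: date) -> date:
    """The 5 April that closes the UK tax year containing d."""
    this_year_end = date(d.year, 4, 5)
    return this_year_end if d <= this_year_end else date(d.year + 1, 4, 5)


@dataclass(frozen=True)
class DonorRecord:
    donor_id: str            # constructed identifier for the example, not a real donor
    last_donation: date
    active: bool             # still an active supporter under the charity's own definition
    gift_aid: bool           # the donation was Gift Aided, so HMRC record-keeping applies
    marketing_opt_out: bool  # the donor has opted out of fundraising contact


def retention_expiry(rec: DonorRecord) -> date:
    """Last date on which some retention rule still requires the full record."""
    expiry = add_years(rec.last_donation, FINANCIAL_RETENTION_YEARS)
    if rec.gift_aid:
        # The Gift Aid clock runs from the end of the tax year of the donation,
        # not from the donation date itself, so it usually outlasts the financial rule.
        expiry = max(expiry, add_years(uk_tax_year_end(rec.last_donation), GIFT_AID_RETENTION_YEARS))
    return expiry


def retention_decision(rec: DonorRecord, today: date) -> str:
    """Return 'retain', 'delete' or 'suppress_only' for one record."""
    if rec.active or today <= retention_expiry(rec):
        return "retain"
    # Retention has expired. An opted-out donor must not be deleted outright: if the
    # contact details are later re-acquired (event sign-up, bought list), nothing would
    # stop them being mailed again. Keep a minimal suppression entry instead.
    if rec.marketing_opt_out:
        return "suppress_only"
    return "delete"


def apply_retention(records, today: date) -> dict:
    return {r.donor_id: retention_decision(r, today) for r in records}


# Constructed sample records, not real data.
SAMPLE_RECORDS = [
    DonorRecord("D1", date(2025, 11, 2), active=True, gift_aid=False, marketing_opt_out=False),
    DonorRecord("D2", date(2018, 6, 1), active=False, gift_aid=False, marketing_opt_out=False),
    DonorRecord("D3", date(2018, 6, 1), active=False, gift_aid=True, marketing_opt_out=False),
    DonorRecord("D4", date(2018, 6, 1), active=False, gift_aid=False, marketing_opt_out=True),
]
REVIEW_DATE = date(2026, 1, 15)  # assumed date of the retention run for the sample


def sample_decisions() -> dict:
    return apply_retention(SAMPLE_RECORDS, REVIEW_DATE)


def sample_expiries() -> dict:
    return {r.donor_id: retention_expiry(r).isoformat() for r in SAMPLE_RECORDS}


if __name__ == "__main__":
    for donor_id, decision in sample_decisions().items():
        print(donor_id, decision)
```

Running the sample shows D2 and D3 sharing the same last donation date but receiving different decisions: D3's Gift Aid record pushes its expiry to 5 April 2026, so it is still retained on the review date while D2 is deleted. In a real system the "delete" and "suppress_only" outcomes would feed the deletion job and the suppression list respectively, and the run itself should be logged as evidence that the schedule is applied.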

Kyanite Blue specialises in cybersecurity for iGaming operators. MGA-licensed operators across Malta trust our stack.
