We have issued guidance for not-for-profit organisations, which aims to answer questions regularly raised by charities and voluntary organisations.

Helping you comply with your responsibilities to information rights in not-for-profit, charitable and voluntary organisations.

Getting ready for the GDPR

Data Protection law is changing on 25 May 2018 and organisations need to be ready for the General Data Protection Regulation (GDPR). The ICO has produced a package of tools aimed at small and micro organisations, including charities:

Institute of Fundraising and Fundraising Regulator guidance, co-badged by the ICO

The Institute of Fundraising (IoF) and the Fundraising Regulator have released guidance on the GDPR which has been reviewed and co-badged by the Information Commissioner’s Office.

Fundraising and Regulatory Compliance Conference

The Fundraising and Regulatory Compliance Conference was aimed at helping charities and other fundraising groups comply with the law and was held at Manchester Town Hall on Tuesday 21 February.

Jointly organised by the ICO, Charity Commission and Fundraising Regulator, the conference set out the regulatory requirements and expectations for fundraising bodies and their boards under current and forthcoming data protection legislation.

Videos from the conference are available in the YouTube playlist.


Our webinar offers advice to charities about direct marketing, based on our updated guidance. Direct marketing does not just refer to selling products or services to individuals – it includes the promotional and fundraising activities of charities as well.  Our direct marketing guidance explains what charities and voluntary organisations need to do to comply with electronic marketing regulations and data protection law. 

Requests for personal information

Your employees and customers have rights to see their personal information. They can make a subject access request to see the personal information you hold about them.


Top five tips

Here are our top five of data protection tips for small and medium sized charities and third sector organisations:

  1. Tell people what you are doing with their data
    People should know what you are doing with their information and who it will be shared with. This is a legal requirement (as well as established best practice) so it is important you are open and honest with people about how their data will be used.

  2. Make sure your staff are adequately trained
    New employees must receive data protection training to explain how they should store and handle personal information. Refresher training should be provided at regular intervals for existing staff.

  3. Use strong passwords
    There is no point protecting the personal information you hold with a password if that password is easy to guess. All passwords should contain upper and lower case letters, a number and ideally a symbol. This will help to keep your information secure from would-be thieves.

  4. Encrypt all portable devices
    Make sure all portable devices – such as memory sticks and laptops – used to store personal information are encrypted.

  5. Only keep people’s information for as long as necessary
    Make sure your organisation has established retention periods in place and set up a process for deleting personal information once it is no longer required.

Charity sector toolkit

In response to feedback, a toolkit has been created specifically for organisations in the charity sector – reminding staff to ‘press the mental pause button’ when handling personal data.

Please note: the materials are not ICO materials; we are providing the materials on the website for charities to download as a useful tool to promote privacy matters in their own organisation.

Audits, advisory visits and overview reports

See the latest reports detailing some of the good practice and areas for improvement we have seen in the charity sector.

Further reading