Can I have specific guidance for charities? As a small charity, what do I have to do to ensure we comply with the GDPR? These are just a couple of the questions we have been getting from charitable organisations about the new data protection law.

Our FAQs document answers these questions and many more.

Small charities

The ICO has produced a package of tools and resources to help organisations, from sole traders to medium-sized organisations, comply with their legal obligations under the new law that came in on 25 May 2018.

These resources include:

Institute of Fundraising and Fundraising Regulator guidance, co-badged by the ICO

The Institute of Fundraising (IoF) and the Fundraising Regulator have released guidance on the GDPR which has been reviewed and co-badged by the Information Commissioner’s Office.

Fundraising and Regulatory Compliance Conference

The Fundraising and Regulatory Compliance Conference was aimed at helping charities and other fundraising groups comply with the law and was held at Manchester Town Hall on Tuesday 21 February.

Jointly organised by the ICO, Charity Commission and Fundraising Regulator, the conference set out the regulatory requirements and expectations for fundraising bodies and their boards under current and forthcoming data protection legislation.

Videos from the conference are available in the YouTube playlist.

Fundraising and marketing campaigns

If you're planning a marketing campaign, you'll have to comply with a number of regulations. Some of these apply to unsolicited electronic messages sent by telephone, fax, email or text, while others apply to marketing material sent by post.

Requests for personal information

Your employees and customers have rights to see their personal information. They can make a subject access request to see the personal information you hold about them.
Top five tips

Here are our top five data protection tips for small and medium-sized charities and third sector organisations:

  1. Tell people what you are doing with their data
    People should know what you are doing with their information and who it will be shared with. This is a legal requirement (as well as established best practice) so it is important you are open and honest with people about how their data will be used.

  2. Make sure your staff are adequately trained
    New employees must receive data protection training to explain how they should store and handle personal information. Refresher training should be provided at regular intervals for existing staff.

  3. Use strong passwords
    There is no point protecting the personal information you hold with a password if that password is easy to guess. All passwords should contain upper and lower case letters, a number and ideally a symbol. This will help to keep your information secure from would-be thieves.

  4. Encrypt all portable devices
    Make sure all portable devices – such as memory sticks and laptops – used to store personal information are encrypted.

  5. Only keep people’s information for as long as necessary
    Make sure your organisation has established retention periods in place and set up a process for deleting personal information once it is no longer required.

Charity sector toolkit

In response to feedback, a toolkit has been created specifically for organisations in the charity sector – reminding staff to ‘press the mental pause button’ when handling personal data.

Please note: these materials are not ICO materials; we are providing them on the website for charities to download as a useful tool to promote privacy matters in their own organisation.

Findings from ICO information risk reviews at eight charities

Eight charities took part in voluntary information risk reviews carried out by members of the ICO’s audit teams. The following report details our findings and the infographic shows our recommendations.

Further reading