Charities sit on exactly the data criminals want — donor payment details, beneficiary records, often sensitive personal information — and are frequently under-resourced on security. A data breach doesn't just risk a fine; for an organisation whose entire currency is trust, it can be existential. The basics are manageable, and getting them right protects your reputation, your funding and the people you serve.
Yes, GDPR applies — and there's a fee
Charities and CICs must comply with UK data protection law like any organisation, and most need to pay the data protection fee to the ICO and register (a modest annual fee — check the current amount; charities may qualify for a reduced rate). Holding donor and beneficiary data on computers means the rules apply to you.
The principles for the sector
- Lawful basis — you need a reason to hold each type of data (delivering your services, a donor relationship, legal obligations).
- Privacy notice — tell donors and beneficiaries what you collect and why.
- Data minimisation — collect only what you need, keep it only as long as you need it. Old spreadsheets of lapsed donors are a liability, not an asset.
- Rights — people can ask what you hold and ask you to delete it.
- Special category data — health, beliefs and similar sensitive data (which many charities hold about beneficiaries) carry extra protection and care.
Fundraising has extra rules
Marketing and fundraising communications are governed by PECR as well as GDPR — broadly, you need appropriate consent to email or text individuals, and must honour opt-outs. Use a proper email platform that manages consent and unsubscribes. The Fundraising Regulator's code adds sector-specific expectations worth knowing.
Cyber security: the basics that stop most attacks
Charities are heavily targeted by fraud and phishing — often through finance and donation processes:
- Two-factor authentication everywhere — banking, email, your donation platform, your CRM.
- Verify payment-detail changes by phone — "our bank details have changed" emails are a classic charity scam (mandate fraud). Confirm on a known number before paying.
- Dual authorisation on payments — two people approve, protecting both funds and trustees (see our banking guidance).
- Strong unique passwords, backups, and staff/volunteer awareness — most breaches start with a person, not a hacker.
If a breach happens
A serious personal-data breach may need reporting to the ICO within 72 hours — and, depending on severity, to the people affected. Knowing that in advance turns panic into process. And a breach involving donor data may also warrant telling the Charity Commission as a serious incident.
How we help
We keep your financial controls tight — dual authorisation, clean records, fraud-resistant processes — and point you to the ICO registration and the security basics that protect donor trust. Strong governance and strong data protection are two sides of the same coin, and both are part of doing this properly. Get started.







