Charities sit on exactly the data criminals want — donor payment details, beneficiary records, often sensitive personal information — and are frequently under-resourced on security. A data breach doesn't just risk a fine; for an organisation whose entire currency is trust, it can be existential. The basics are manageable, and getting them right protects your reputation, your funding and the people you serve.

Yes, GDPR applies — and there's a fee

Charities and CICs must comply with UK data protection law like any organisation, and most need to pay the data protection fee to the ICO and register (a modest annual fee — check the current amount; charities may qualify for a reduced rate). Holding donor and beneficiary data on computers means the rules apply to you.

The principles for the sector

  • Lawful basis — you need a reason to hold each type of data (delivering your services, a donor relationship, legal obligations).
  • Privacy notice — tell donors and beneficiaries what you collect and why.
  • Data minimisation — collect only what you need, keep it only as long as you need it. Old spreadsheets of lapsed donors are a liability, not an asset.
  • Rights — people can ask what you hold and ask you to delete it.
  • Special category data — health, beliefs and similar sensitive data (which many charities hold about beneficiaries) carry extra protection and care.

Fundraising has extra rules

Marketing and fundraising communications are governed by PECR as well as GDPR — broadly, you need appropriate consent to email or text individuals, and must honour opt-outs. Use a proper email platform that manages consent and unsubscribes. The Fundraising Regulator's code adds sector-specific expectations worth knowing.

Cyber security: the basics that stop most attacks

Charities are heavily targeted by fraud and phishing — often through finance and donation processes:

  • Two-factor authentication everywhere — banking, email, your donation platform, your CRM.
  • Verify payment-detail changes by phone — "our bank details have changed" emails are a classic charity scam (mandate fraud). Confirm on a known number before paying.
  • Dual authorisation on payments — two people approve, protecting both funds and trustees (see our banking guidance).
  • Strong unique passwords, backups, and staff/volunteer awareness — most breaches start with a person, not a hacker.
Funders increasingly ask Some grant-makers now ask about data protection and cyber security, and Cyber Essentials certification can be a requirement for certain government or larger funding. Getting your house in order isn't just risk management — it's increasingly a funding qualifier.

If a breach happens

A serious personal-data breach may need reporting to the ICO within 72 hours — and, depending on severity, to the people affected. Knowing that in advance turns panic into process. And a breach involving donor data may also warrant telling the Charity Commission as a serious incident.

How we help

We keep your financial controls tight — dual authorisation, clean records, fraud-resistant processes — and point you to the ICO registration and the security basics that protect donor trust. Strong governance and strong data protection are two sides of the same coin, and both are part of doing this properly. Get started.