- 23 Aug 2023
Charities and Data Protection
Do you know why data protection law (including the UK GDPR) is relevant to charities and what charities need to do to ensure they comply with the UK GDPR?
In modern society individuals are routinely asked to provide their personal data to third parties, including charities. Data protection law recognises the importance of protecting that data and ensuring it is used properly and fairly by organisations, and use by charities is no exception.
Failure by a charity to comply with data protection law poses many risks including loss of business, loss of funding and donations, damage to a charity’s beneficiaries and reputation and potential enforcement action by the Information Commissioner’s Office (‘ICO’ – the UK data protection authority). It is crucial that trustees are aware of their duties and obligations under data protection law.
A number of high profile charities have been fined for serious breaches of data protection law, with the fines ranging significantly in value.
Are charities exempt from complying with data protection law?
No. Regardless of its structure, and regardless of whether it is a charity or a not-for-profit organisation, if an organisation processes personal data (which would include data about volunteers, employees and beneficiaries), data protection law will apply to it.
Does a charity have to register with the ICO?
This will depend on what the charity does and what personal data it collects and holds. Generally speaking, if the charity is a controller of some personal data (e.g. data relating to its employees or volunteers), it will need to register with the ICO and pay a fee. There are three tiers of fees ranging from £40 to £2,900, with most organisations paying fees of £40 or £60.
To establish whether an organisation needs to pay a fee there is a useful self-assessment tool on the ICO website which you can find here. Charities may be exempt from paying a fee to the ICO but that does not mean they are exempt from compliance with data protection law.
There is a limited not-for-profit exemption from paying a fee; however, this is a very narrow exemption and is likely to apply only to small not-for-profit organisations. The exemption applies to organisations that:
- only process personal data for the purposes of establishing or maintaining membership, or providing or administering activities for their members or for organisations they have regular contact with;
- only hold information about individuals whose data they need to process for the above purposes; and
- only process that personal data for the above purposes.
This is a very narrow exemption and a number of restrictions apply. If you undertake any activities outside the exemption, payment of the fee will be required. If in doubt, you should take appropriate advice. The exemption relates only to paying a fee to the ICO, so even if a charity is exempt from paying a fee, it still needs to comply with data protection law.
Our Data Protection Team has started publishing a Data Protection Guide for Organisations, which includes key questions and answers and articles on data protection law and compliance, which can be viewed here, with further articles being added to the Guide on a bi-monthly basis. Articles already published include:
- Does my organisation need to register with the ICO?
- Is my organisation a controller or a processor under data protection law and why is it important to know?
- Does my organisation need a Data Protection Officer?
If you have any questions, would like to be added to our Data Protection Guide or Charities mailing lists, or would like to speak with a member of our Charities team or Data Protection team, please get in touch with us.