UK GDPR for Charities: Fundraising, Volunteers, Donor Data
Steven | TrustYourWebsite · 15 May 2026 · Last updated: May 2026
UK charities process more personal data per income pound than almost any other sector. A small registered charity typically handles supporter records, gift-aid declarations, fundraising consent, volunteer information, beneficiary records and trustee disclosures, all under UK GDPR, the Data Protection Act 2018, PECR and the Fundraising Regulator's Code of Fundraising Practice. This guide covers what the ICO and the Fundraising Regulator actually expect from UK charity websites and back-office systems in 2026.
For a technical scan of your charity site against UK GDPR and PECR, run a free check at /uk/en/scan.
The regulatory stack
Charities sit under more regulators than most organisations of comparable size. Each adds obligations that have website implications.
| Regulator or framework | What it covers | Website implication |
|---|---|---|
| ICO (UK GDPR plus DPA 2018) | All personal-data processing | Privacy notice, lawful basis, retention, breach notification. |
| ICO (PECR Reg 6 and Reg 22) | Cookies plus electronic marketing | Cookie banner, fundraising email consent. |
| Fundraising Regulator (Code of Fundraising Practice) | Self-regulation across all fundraising | Consent language, vulnerability handling, complaints route. |
| Charity Commission (England and Wales) | Trustee duties, serious-incident reporting | A reportable data breach is also a serious incident. |
| OSCR (Scotland) and CCNI (Northern Ireland) | Equivalent jurisdiction-specific oversight | Same serious-incident framework. |
| HMRC (Gift Aid) | Gift Aid declarations and audit trail | Six-year retention of declarations under the Taxes Management Act 1970. |

Lawful bases that actually fit charity processing
Charities most often rely on three lawful bases under UK GDPR Article 6: contractual performance for service provision to beneficiaries, legitimate interests for fundraising and supporter engagement, and consent where PECR requires it for electronic marketing.
The ICO's own charity sector guidance accepts legitimate interests as the appropriate basis for many fundraising activities to existing supporters provided the three-part legitimate interests assessment is carried out properly. See legitimate interests for UK marketing for the LIA framework.
Special category data under Article 9 turns up regularly in charity work. Beneficiary records often include health data, religious or political beliefs (relevant for advocacy charities) and information about vulnerable people. Each type of special category data needs a Schedule 1 DPA 2018 condition. Schedule 1 paragraph 6 (consent of the data subject) and paragraph 18 (safeguarding) cover most charity scenarios.
Fundraising emails and PECR Regulation 22
The single largest source of ICO action against charities is electronic marketing under PECR. The 2017 enforcement action against eleven major charities established the framework that still applies.
| Fundraising channel and audience | UK GDPR basis | PECR consent required? | Soft opt-in available? |
|---|---|---|---|
| Postal appeal to past donors | Legitimate interests (with LIA) | No | N/A. PECR Reg 22 does not bite on postal mail. |
| Email to existing donors | Consent or legitimate interests | **Yes**, unless soft opt-in applies | Only if the original donation was treated as a sale-style transaction. |
| Email to bought or rented list | Consent required | **Yes** | No. |
| SMS to past donors | Consent | **Yes** | Soft opt-in possible but rarely fits the donation context. |
| Phone call to TPS-registered number | N/A (prohibited) | **Prohibited under Reg 21** | No. Hard prohibition for unsolicited calls. |
| Phone call to non-TPS number | Legitimate interests for existing supporters | No, but Code of Fundraising Practice rules apply | N/A. |

The ICO has been explicit that charities cannot use a "we are a charity" rationale to lower the consent bar. The 2017 monetary penalty notices against the RSPCA (£25,000), the British Heart Foundation (£18,000) and others established that wealth screening, donor data sharing without notice and matching to publicly available registers all required prior transparency.
Wealth screening and supporter profiling
Wealth screening is the practice of cross-referencing donor records against public registers (Companies House, the Sunday Times Rich List, electoral roll data) to identify high-net-worth supporters. Several major charities did this routinely until the ICO's 2017 action established that it required prior transparency to the donor.
If a charity wants to continue wealth screening or similar profiling, the privacy notice must disclose:
The practice itself, in plain language.
The data sources used (named where possible).
How the analysis is used (typically: prioritising solicitations or major-gift contact).
The right to object to the processing.
The lawful basis claimed (typically legitimate interests with a documented LIA).
Without this disclosure, wealth screening breaches UK GDPR Article 13 transparency requirements. The ICO has signalled it will continue to enforce on this issue.
Online donation forms
A donation form on a charity website is a UK GDPR Article 13 trigger point. Every field on the form represents personal data the charity is about to process. The form must be paired with:
A short notice at the point of collection identifying the charity, the purpose of the data, the lawful basis and a link to the full privacy notice.
A separate, clearly labelled marketing opt-in checkbox. The wording "yes please send me updates about your work" is preferable to bundled consent.
A separate Gift Aid declaration if the donor wishes to give Gift Aid. The HMRC declaration is itself a personal-data processing event and has its own retention rules.
The most common failing pattern: a "by clicking donate you agree to our privacy policy and to receive updates from us" line. The ICO treats this as bundled consent and not valid for marketing under PECR.
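The following is an added example, not code from TrustYourWebsite: server-side handling of a posted donation form in which marketing consent is only ever taken from its own checkbox, never from the Donate click, and each record carries the retention deadline this guide states for Gift Aid declarations (six years from the latest donation) and marketing consent records (two years after unsubscribe). Field names, the opt-in wording and the helper functions are constructed for illustration.

```javascript
// Added example (not the page's or any platform's code). Field names, wording and the
// helpers are constructed; the retention figures are those stated in the guide.
const MARKETING_WORDING = 'Yes please send me updates about your work';

function addYears(date, n) {
  const d = new Date(date);
  d.setUTCFullYear(d.getUTCFullYear() + n);
  return d;
}

// `body` is the parsed POST body. Browsers omit unticked checkboxes entirely, so an
// absent field means "no consent", which is also the safe default. Only the literal
// checkbox value counts: a pre-ticked box or a value derived from "I agree" must not.
function handleDonation(body, now = new Date()) {
  const email = String(body.email || '').trim();
  if (!email.includes('@')) throw new Error('email required to issue a receipt');
  const amountPence = Number.parseInt(body.amount_pence, 10);
  if (!Number.isInteger(amountPence) || amountPence <= 0) throw new Error('invalid amount');

  // Consent record keeps the exact wording shown, the source and the timestamp:
  // that is the evidence of lawful basis for every later send.
  const marketingConsent = body.marketing_opt_in === 'on'
    ? { channel: 'email', wording: MARKETING_WORDING, given_at: now.toISOString(),
        source: 'donation-form', withdrawn_at: null, delete_after: null }
    : null;

  // A Gift Aid declaration is its own processing event. HMRC's six-year audit window
  // runs from the latest donation, so the deadline is refreshed on every gift.
  const giftAid = body.gift_aid === 'on'
    ? { declared_at: now.toISOString(), retain_until: addYears(now, 6).toISOString() }
    : null;

  return { email, amount_pence: amountPence, marketingConsent, giftAid };
}

// On unsubscribe: stop sending at once, keep the record two years as evidence, then delete.
function withdrawConsent(consent, now = new Date()) {
  return { ...consent, withdrawn_at: now.toISOString(),
           delete_after: addYears(now, 2).toISOString() };
}
```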
Volunteers, trustees and safeguarding
Volunteer data flows through several stages: recruitment, onboarding, DBS or PVG checks (where relevant), operational records, training records and exit records. Each stage has implications.
DBS, Disclosure Scotland or Access NI checks generate special category data under Article 9 and a criminal-records overlay under Article 10. Charities can process this data only with the relevant Schedule 1 DPA 2018 condition. Schedule 1 paragraph 18 (safeguarding of children and individuals at risk) is the usual route. The charity must have a documented appropriate-policy document for this processing.
Trustees are subject to separate transparency obligations under the Charities Act 2011: name and certain details are public on the Charity Commission register. Trustees are still data subjects and the charity must provide them with Article 13 information about how their data is used.
Retention specific to charities
Charity retention is shaped by HMRC, the Fundraising Regulator and the Charities Act in addition to UK GDPR.
| Record | Typical retention | Justification |
|---|---|---|
| Gift Aid declarations | 6 years from latest donation | HMRC audit period under Taxes Management Act 1970. |
| Supporter and donor records | Active plus 2-3 years dormancy | Re-engagement window. Beyond this, anonymise or delete. |
| Marketing consent records | 2 years after unsubscribe | Evidence of lawful basis for past sends. |
| Volunteer records | 7 years after departure | Reference window plus safeguarding history retention. |
| DBS check results | 6 months from completion | DBS Code of Practice. Keep only the certificate number, not the certificate itself. |
| Beneficiary records | Service-specific (typically 3-7 years) | Justified by service requirements and statutory frameworks. |
| Complaints records | 3 years after resolution | Fundraising Regulator complaints framework. |

Charity-specific cookie considerations
A charity website typically loads fundraising platforms (JustGiving, Enthuse, Stripe, GoCardless), social embeds, analytics and sometimes a chat widget. Each has cookie implications. The PECR Regulation 6 prior-consent requirement applies to all non-essential cookies. The basics are the same as any other UK website (see PECR cookie rules in the UK for the framework), but charity sites should pay specific attention to fundraising-platform embeds. Many of these set tracking cookies before the visitor has even interacted with the donation form. That breaches PECR.
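One way to stop third-party embeds from running ahead of consent, as an added example (not TrustYourWebsite's code and not any fundraising platform's loader): the page records the banner decision, a pure function decides which embeds that decision permits, and script tags are injected only for those. The embed catalogue, its category assignments and the URLs are constructed for illustration; whether a particular embed is strictly necessary is a judgement each charity has to document itself.

```javascript
// Added example: consent-gated loading of fundraising-platform, analytics and social embeds
// so that "Reject all" genuinely blocks their scripts (and the cookies they would set).
// Catalogue, categories and URLs are constructed placeholders.
const EMBED_CATALOGUE = [
  { id: 'payment-checkout',   category: 'essential', src: 'https://payments.example/checkout.js' },
  { id: 'platform-analytics', category: 'analytics', src: 'https://fundraising.example/track.js' },
  { id: 'social-feed',        category: 'social',    src: 'https://social.example/embed.js' },
  { id: 'chat-widget',        category: 'marketing', src: 'https://chat.example/widget.js' },
];
const NON_ESSENTIAL = ['analytics', 'social', 'marketing'];

// Banner outcomes. An absent or unparseable stored decision is treated as "reject all":
// prior consent means nothing non-essential runs until the visitor has actually said yes.
const rejectAll = () => Object.fromEntries(NON_ESSENTIAL.map((c) => [c, false]));
const acceptAll = () => Object.fromEntries(NON_ESSENTIAL.map((c) => [c, true]));

// Reads the decision stored by the banner (e.g. a first-party cookie or localStorage value).
function parseStoredConsent(raw) {
  try {
    const obj = JSON.parse(raw);
    return obj && typeof obj === 'object' ? { ...rejectAll(), ...obj } : rejectAll();
  } catch {
    return rejectAll();
  }
}

// Pure decision, testable without a browser: only essential embeds and those whose
// category the visitor explicitly set to boolean true may load.
function allowedEmbeds(consent, catalogue = EMBED_CATALOGUE) {
  const state = consent || rejectAll();
  return catalogue.filter((e) => e.category === 'essential' || state[e.category] === true);
}

// Side-effecting step: inject <script> tags only for the allowed embeds. `doc` is the page
// document, passed in so the logic can be exercised with a stub. Returns the ids loaded.
function loadEmbeds(consent, doc) {
  return allowedEmbeds(consent).map((e) => {
    const s = doc.createElement('script');
    s.src = e.src;
    s.async = true;
    s.dataset.embedId = e.id;
    doc.head.appendChild(s);
    return e.id;
  });
}
```

In a real page the same `loadEmbeds` call is made again when the visitor changes their choice in the banner, and nothing in the catalogue is referenced by a static script tag in the HTML.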
The Fundraising Regulator overlay
The Fundraising Regulator is a self-regulatory body for the UK fundraising sector. Its Code of Fundraising Practice imposes additional obligations beyond UK GDPR, including specific rules on contacting vulnerable people, doorstep fundraising and consent capture wording. Compliance with the Code is required for charities that use the regulator's Fundraising Promise mark and is accepted by the ICO as a relevant factor when assessing data-protection compliance.
The Code requires charities to provide a clear opt-out for all marketing channels, to honour Fundraising Preference Service (FPS) requests within 28 days and to suppress contact details from FPS lists across all channels, not just the one through which the request was made.
Practical compliance checklist for UK charities
Review the privacy notice for completeness against UK GDPR Article 13. Confirm it identifies the charity, the lawful basis for each processing purpose, retention periods, the right to object and the ICO contact route.
Review online donation forms for separate marketing opt-in. Bundled "by donating you agree" wording fails PECR.
Confirm Gift Aid declarations are retained for 6 years from the latest donation and the storage is documented.
Document any wealth screening or supporter profiling activity. If it is happening, the privacy notice must say so.
Check the cookie banner against the booking-engine and fundraising-platform embeds. "Reject all" should genuinely block their tracking cookies.
Maintain a separate appropriate-policy document for special category data processing (DBS checks, safeguarding records, sensitive beneficiary data).
Confirm volunteer privacy information is provided at recruitment. The privacy notice for volunteers can be separate from the public privacy notice.
Set a 28-day Fundraising Preference Service suppression process if you are a registered fundraising organisation.
For the broader UK GDPR position, see GDPR compliance for UK businesses and the privacy policy requirements guide.
This is technical analysis, not legal advice. Charity-sector data protection issues are highly fact-specific. Consult a solicitor or DPO with charity-sector experience for guidance specific to your organisation.