Data Protection for Charities and not-for-profits (NFPs)

The UK and the EU GDPR have had a major impact on many charities and NFP organisations.

Those relying on charitable donations for funding must ensure their marketing databases are GDPR compliant and used in line with the Privacy and Electronic Communications Regulations (PECR), and that records of consent and retention policies are maintained, all without dramatically reducing their marketing reach. Many NFPs and charities, particularly those supporting medical research or disadvantaged communities and groups, often process significant volumes of sensitive and special category personal data. This data usually comes from their beneficiaries and stakeholders, as well as marketing data from individuals who donate and the wider stakeholder community.

Staff in this sector must understand their individual responsibilities for ensuring data is protected, which can be a difficult task for organisations that rely on an inexperienced or volunteer workforce.

The data protection experts at The DPO Centre can help your NFP or charitable organisation achieve and maintain compliance with both the GDPR and PECR, and help you better organise your data protection procedures and policies.

This page explains what the new legislation means for charities and not-for-profit organisations and the key areas they need to consider when managing and protecting personal data.



Like all other organisations, charities and not-for-profit organisations must:

  • Be transparent in the way they process personal data and accountable for doing so
  • Be able to detect, manage, report and respond to data breaches including, if necessary, liaising with the Information Commissioner’s Office (ICO)
  • Understand the data they have, where it is stored and who has access to it
  • Implement robust processes and procedures to protect personal data
  • Allow donors, staff, beneficiaries, customers, suppliers and all people receiving charitable support to:
      • Access the data stored on them
      • Ensure the data is correct and modify it as necessary
      • Have the data deleted (unless needed for legitimate reasons)
  • Appoint a designated data protection officer if they:
      • Are a public body
      • Process data on a large scale



We offer a range of services designed to address your organisation’s data protection concerns. Our consultancy services, outsourced DPOs, GDPR Representatives, Caldicott Guardians for medical organisations, staff training and awareness sessions, and a data protection advice line will ensure your organisation has everything it needs to appropriately and compliantly process and protect personal data.

Outsourced Data Protection Officers

Our outsourced DPO service places one of our highly experienced DPOs into your organisation, working alongside your team either remotely or on-site. Outsourced DPOs provide your organisation with advice and guidance, helping you maintain your compliance framework. Having one of our DPOs in your team means they can assist with your data protection practices.



GDPR Representative

Some NFPs and charities collect information from donors from around the world. If your charity processes personal data on EU or UK residents, but you have no physical presence in these territories, your organisation may need to appoint a UK or EU Representative. Our representation service offers the expertise your charity needs to construct your Records of Processing Activities, and provides you with the necessary contact details.


Data Protection Consultancy

NFP and charitable organisations have particular needs when it comes to data protection. They often have large databases containing the information of donors, partners and other stakeholders that must remain secure. NFPs are also likely to process sensitive data about staff and volunteers or the people the organisation serves. By engaging our consultancy services, your organisation will improve its transparency, reduce data protection risk, and increase levels of engagement from your target audience. 




Data Protection Training

Your NFP or charity may rely on a large network of volunteers to keep things running. Those volunteers, as well as your staff members, should understand the basics of data protection and how they can help reduce risk within their role. The DPO Centre offers data protection and awareness training that not only educates your volunteers and staff about data protection law, but also guides them through their job-specific responsibilities. Taking our training courses also demonstrates to data protection authorities that your organisation makes the necessary effort to remain compliant.




Data Security and Protection Toolkit (DSPT)

If your NFP or charitable organisation operates in the medical sector or works with NHS patients under an NHS contract, you must complete the Data Security and Protection Toolkit (DSPT) mandated by the UK National Health Service (NHS). Completing the DSPT can be complicated if you don’t have a thorough understanding of data protection and compliance, so The DPO Centre can help your organisation complete this annual assessment. We can also identify gaps in data security you may have and offer support with their mitigation.


Data Protection Advice Line

As part of our outsourced DPO and GDPR Representative services, we offer non-profits and charities a data protection Advice Line service. The Advice Line is staffed by our large team of experienced DPOs, who are ready to answer your pressing questions or offer more immediate support with your everyday data protection issues. We can also offer your organisation access to our helpline as a standalone service to provide reactive support and guidance when required.



Charities and not-for-profit organisations must protect personal data in a wide range of their operations. Some major considerations include:

Marketing and fund raising

  • Managing consent of individuals receiving direct marketing materials
  • Impact of the Privacy and Electronic Communications Regulations (PECR) and ePrivacy
  • Data retention
  • Database management and data minimisation

Staff and Volunteers

  • Training staff and volunteers to understand their data protection responsibilities
  • Embedding a culture of data protection often across multiple sites staffed by part-time, voluntary and permanent staff
  • Avoiding the creation of multiple local copies of data on different platforms

Managing sensitive information

  • Data Protection Impact Assessments
  • Information on people receiving charitable support including medical and other sensitive personal details
  • DBS checks

Governance and the role of trustees

  • Understanding responsibilities
  • Having robust reporting systems

Managing data across multiple sites

  • Minimising data held in multiple formats and locations
  • Avoiding duplicated data
  • Disposal and retention
  • Managing legacy and non-standard systems


  • Email systems
  • Staff payroll, pension and HR records
  • Visitors’ book, access and CCTV

Data Security

  • Maintaining network and server security
  • Data encryption

Policies and agreements

  • Privacy, retention, cookie and data protection policies
  • Staff handbooks
  • Data sharing agreements
  • Data processing agreements


Our large pool of experienced DPOs has a deep knowledge of data protection compliance, and expertise working in the NFP and charity sectors. We can, therefore, deliver far greater value to your organisation than what is available from an independent contractor or smaller data protection team. We have worked with a wide range of platforms, tools, vendors, and software, so we can provide cost-effective and informed guidance to your organisation.

  • Highly cost effective
  • Experience and shared best practice gained from working with over 900 clients
  • Designated Data Protection Officer working on site with your team
  • Pre-existing model documentation tested and validated across varied industry sectors
  • Pragmatic, straightforward, solution-driven advice
  • UK and Pan-European expertise




David Roberts

NSPCC’s Director of Corporate Service

“By working on-site and being seen as part of the team, the DPO Centre’s DPO really understands the complex data protection issues the NSPCC faces.

Being able to draw upon the combined knowledge of the wider DPO Centre team gives us an added level of confidence and means we can rely on their advice and support whenever we need it.”