GDPR for Charities: What Most Organisations Get Wrong
When GDPR came into force in 2018, most charities did something about it. Privacy notices were updated. Consent forms were revised. Somebody probably sat through a webinar.
But eight years on, the reality in many organisations is that the initial flurry of activity didn't translate into lasting, embedded practices. The policies that were written haven't been reviewed. The processes that were planned weren't fully implemented. And the documentation that regulators expect you to maintain either doesn't exist or lives in a folder that nobody has opened since 2019.
Here are the most common gaps I see when reviewing charities' data practices — and what you can do about them.
No Record of Processing Activities
Under UK GDPR, most charities are required to maintain a Record of Processing Activities (ROPA) — a document that maps out what personal data you hold, why you hold it, where it's stored, who has access to it, and how long you keep it. It's one of the most fundamental compliance requirements, and it's the first thing the ICO will ask for if they ever come knocking.
In practice, very few small charities have one. And those that do often have a version that was created during the 2018 rush and hasn't been updated since — meaning it no longer reflects how the organisation actually operates.
Creating and maintaining a ROPA doesn't have to be complicated. But it does need to happen, and it needs to be a living document that gets updated when your systems or processes change.
No data retention schedule
GDPR requires that you don't keep personal data for longer than necessary. But "necessary" is a judgement call, and most charities haven't made it explicitly. The result is data that accumulates indefinitely — old service user records, former employee files, supporter databases going back decades.
A data retention schedule sets out how long you keep different categories of data and what happens to it when that period expires. Without one, you're almost certainly holding data you shouldn't be — which is both a compliance risk and a practical one, because the more data you hold, the more there is to protect and the bigger the impact if something goes wrong.
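To show what a retention schedule looks like once it is written down explicitly, here is an added example (not from the original post) that applies a schedule to a set of records and reports which action is now due for each. The categories, retention periods, record ids and dates are constructed assumptions for illustration, not recommended periods.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed retention schedule: category -> (retention period, action once
# it expires). The periods and actions are illustrative assumptions only;
# the real figures come from your own schedule and advice.
RETENTION_SCHEDULE = {
    "service_user_record": (timedelta(days=7 * 365), "delete"),
    "former_employee_file": (timedelta(days=6 * 365), "delete"),
    "supporter_contact": (timedelta(days=2 * 365), "review"),
    "donation_record": (timedelta(days=6 * 365), "archive"),
}

@dataclass(frozen=True)
class Record:
    record_id: str
    category: str
    last_activity: date  # the trigger date the retention period runs from

def review_records(records, today):
    """Group records whose retention period has expired by the action due.
    Returns {action: [record_id, ...]}. Records in a category the schedule
    does not cover go under 'unscheduled' so the gap is surfaced rather
    than the data being kept indefinitely by default."""
    due = {}
    for rec in records:
        entry = RETENTION_SCHEDULE.get(rec.category)
        if entry is None:
            due.setdefault("unscheduled", []).append(rec.record_id)
            continue
        period, action = entry
        if today - rec.last_activity > period:
            due.setdefault(action, []).append(rec.record_id)
    return due

# Constructed sample data; ids and dates are invented for the example.
SAMPLE_RECORDS = [
    Record("SU-001", "service_user_record", date(2018, 1, 15)),
    Record("SU-002", "service_user_record", date(2021, 6, 1)),
    Record("HR-014", "former_employee_file", date(2019, 9, 30)),
    Record("SUP-220", "supporter_contact", date(2023, 11, 20)),
    Record("DON-077", "donation_record", date(2020, 4, 5)),
    Record("VOL-003", "volunteer_application", date(2015, 1, 1)),
]
REVIEW_DATE = date(2026, 3, 1)  # assumed date the review is run

def run_sample():
    # Returns {"delete": ["SU-001", "HR-014"], "review": ["SUP-220"],
    #          "unscheduled": ["VOL-003"]}; SU-002 and DON-077 are still in period.
    return review_records(SAMPLE_RECORDS, REVIEW_DATE)
```

Running this against a real system export turns the schedule from a policy statement into a check you can repeat, and the "unscheduled" bucket is the list of categories your schedule has not yet decided on.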
No incident response plan
If a staff member's laptop was stolen tomorrow, or a phishing email compromised an email account, would your team know what to do? Would they know who to contact, what to document, whether to notify the ICO, and how to communicate with affected individuals?
Most charities don't have a tested incident response plan. Some don't have one at all. This is a significant risk, because data breaches don't wait for you to figure out your process. The ICO expects you to report certain breaches within 72 hours, and that clock starts ticking whether you're prepared or not.
An incident response plan doesn't need to be a fifty-page document. It needs to be a clear, practical set of steps that your team can follow under pressure — with named responsibilities, contact details, and decision-making criteria.
Unclear lawful basis for processing
Every time your charity processes personal data, you need a lawful basis for doing so under UK GDPR. The most common ones for charities are consent, legitimate interests, contractual necessity, and legal obligation. But many charities haven't clearly documented which basis applies to which type of processing.
This matters because different lawful bases come with different obligations. If you're relying on consent, you need to be able to demonstrate that consent was freely given, specific, and informed — and people need to be able to withdraw it easily. If you're relying on legitimate interests, you should have completed a Legitimate Interests Assessment. In practice, many charities are vaguely relying on consent for everything without meeting the requirements for valid consent.
No leavers process for data access
When someone leaves your charity — whether they're a staff member, volunteer, or trustee — what happens to their access to your systems? Can they still log into your CRM? Do they still have access to shared drives? Are they still in your email system?
A surprising number of charities don't have a formal leavers process for revoking access. This means former staff may retain access to sensitive data long after they've left — sometimes without anyone realising. It's a data protection issue, a security issue, and a governance issue.
A good leavers process is a simple checklist: revoke access to each system, recover equipment, transfer ownership of documents and contacts, and confirm completion. It takes an hour to create and five minutes to follow each time someone leaves.
Privacy notices that don't match reality
Many charities updated their privacy notices in 2018 and haven't looked at them since. In the meantime, they've adopted new tools, started using new platforms, changed how they communicate with supporters, or begun sharing data with new partners. The privacy notice no longer accurately describes what the organisation actually does with personal data.
Your privacy notice is a legal document. It needs to reflect your current practices — not your practices from eight years ago. If there's a gap between what your notice says and what you actually do, that's a compliance issue.
What to do about it
None of these gaps are unusual, and none of them are unfixable. They're the natural result of GDPR implementation that happened in a rush and was never followed up with ongoing governance.
The first step is understanding where you actually stand. A Digital Governance Review assesses your data practices as part of a broader technology governance assessment, identifies the specific gaps, and gives you a prioritised plan for addressing them — including the template documents you need to get started.