What the Charity Digital Code of Practice Actually Means for Small Charities
If you work in the charity sector, you've probably heard of the Charity Digital Code of Practice — or at least seen it mentioned in a funding application or governance report. But if you're like most people I speak to, you're not entirely sure what it is, whether it applies to you, or what you're supposed to do about it.
Here's the short version: the Code of Practice is the sector's own benchmark for how charities should approach technology and data. It was developed by the charity sector, for the charity sector. And while it's not a legal requirement, it's increasingly what funders, regulators, and trustees are looking at when they want to understand whether an organisation is handling digital well.
What the Code actually is
The Charity Digital Code of Practice is a framework built around seven principles. Each one covers a different aspect of how an organisation uses technology, manages data, and handles digital risk. It's not a technical checklist — it's a governance framework. It asks questions about leadership, culture, and strategy alongside the more obvious ones about cybersecurity and data protection.
That's what makes it useful. It doesn't just ask "do you have antivirus software?" It asks "does your board understand your technology risks?" and "are your digital services designed around the people you support?" These are the questions that actually determine whether your technology is working for your organisation or against it.
The 7 principles in plain English
1. Leadership
Do your board and senior team actually engage with technology decisions? Or does digital sit in a blind spot — something that's assumed to be "handled" without anyone at leadership level really understanding it? This principle asks whether there's a named person responsible for digital at a senior level, and whether technology decisions are informed by evidence rather than guesswork.
2. Users
Are your digital services built around the people you support, or around internal convenience? This covers how you gather feedback, whether your tools are accessible, and whether the people who use your services have a say in how they're designed. For many charities, the honest answer is that systems were chosen based on what was available or affordable, not what users needed.
3. Culture
How does your team feel about technology? Is there enthusiasm, resistance, or just resignation? This principle looks at whether staff feel supported to try new things, whether there's a blame culture around mistakes, and whether the organisation genuinely learns from what works and what doesn't.
4. Strategy
Is technology embedded in your organisational plans, or is it an afterthought? This asks whether you have a digital roadmap, whether spending on technology is planned and justified, and whether your technology choices are connected to your strategic goals. For many charities, the answer is that technology decisions happen reactively — when something breaks or a grant makes something possible — rather than as part of a deliberate plan.
5. Skills
Does your team have the confidence and capability to use the tools you've given them? This covers training, support, and whether anyone has assessed whether staff actually have the skills they need. It also looks at key person dependencies — what happens when the one person who understands your database goes on holiday or leaves.
6. Managing Risk and Ethics
This is where data protection, cybersecurity, and responsible technology use sit. It covers your policies, your incident response readiness, your access controls, and whether you're meeting your obligations under UK GDPR and the Data Protection Act 2018. It also asks about ethical considerations — are you using technology responsibly, and have you thought about the implications of the tools you've chosen?
7. Adaptability
How well does your organisation respond to change? Do you review your technology regularly? Do you learn from incidents? Are your systems resilient when something unexpected happens? This principle recognises that the technology landscape changes constantly, and organisations that can't adapt get left behind — or exposed.
Why this matters now
The Charity Commission and major funders are paying increasing attention to digital governance. High-profile data breaches in the charity sector have made this a board-level issue. The ICO is actively enforcing data protection requirements. And grant applications increasingly ask about your digital maturity and data practices.
None of this means you need to panic. But it does mean that understanding where you stand against an established benchmark is increasingly valuable — both for your own risk management and for demonstrating good governance to external stakeholders.
What to do with this
The Code of Practice is designed to be self-assessed, and you can certainly work through it on your own. But in my experience, most small charities struggle with two things: being honest about their own blind spots, and knowing what "good" actually looks like for an organisation of their size.
That's where an independent Digital Governance Review comes in. It gives you a scored assessment against all seven principles, with specific findings and prioritised recommendations — all in plain English, and all tailored to your organisation's size and context.