For all your legal challenges...

We're here to help

News and Events

Charity Chat April 2018 - GDPR and all that

View profile for David Porter
  • Posted
  • Author

After a break, David Porter has resumed his Charity Chat to help make Trustees, Directors, Governors and Committee Members (the Trustees) aware of their obligations and the processes that have to be followed to run a charity correctly. The references I make are to the Charities Act 2011 (the Act) unless stated to the contrary. If there are matters you wish to raise please let me know.

General Data Protection Regulations

From 25th May 2018 all charities which process third party information will need to have a Data Protection Policy/Privacy Notice bespoke for their charity. It is essential that the Trustees have considered the contents of the Policy.


The rationale has been admirably demonstrated by the problems faced by Facebook. However the remedy may be satisfactory for those charites and organisations that have the administrative ability to deal with the matter but for smaller charites the Regulations can seem daunting and Draconian.


The Policy needs to be bespoke and to cover generally:-

  • Details of the information you collect.
  • How that is to be stored either manually or electronically or both.
  • Who the information will be shared with; for example staff and volunteers to enable them to provide the activities of the Charity.
  • How long the information will be retained for and why.
  • Where there are breaches the relevant party will be informed within 72 days. Where the breach is substantial the Information Commissioner's Office will also be advised.


Beneficiaries and users of the Charity’s activities need to opt-in to the terms of the Policy and to the use of email addresses. A tick box indicating that they should opt-out will no longer be acceptable. Such consents can be included in the application forms seeking the Charity’s assistance. Application forms will need to be amended.

Where there are existing beneficiaries (as there will be) they will need to be approached to confirm that their email contact can be used.  They can be contact by email and they should receive details of the Data Protection Policy/Privacy Notice and a request as to how they wish to receive information which could be by email, post, mobile phone, telephone or post. They should be asked to indicate which and reply by email accordingly. If a reply is not received consenting to the use of their email addresses it will not be possible to retain the email address or use it in the future.