Saturday, 20 April 2024

Protecting Sensitive Data: A Reminder of UK Data Protection Laws for Charities

Data held by charities is often sensitive and confidential, some of it relating to vulnerable people whose protection is their duty, so we thought it was a good time to remind you about UK data protection laws. 

Charities are not exempt from the law

All organisations and companies, whether third sector or not, are obliged by law to collect, use, share and store data in a compliant way. They can face serious consequences if data is misused, stolen or disclosed incorrectly. 

Here are some recent examples of fines imposed on UK charities by the Information Commissioner’s Office (ICO):

  • An HIV charity was fined £10,000 after they sent out an email containing personal information to over 100 people without using the blind carbon copy (bcc) function
  • Eleven charities were fined a total of £138,000 for serious breaches of data protection law. Activities included incorrectly targeting donors for additional funds, and some charities traded personal details with other charities
  • A transgender charity was fined £25,000 for failing to keep the personal data of its users secure following a data breach relating to an internal email group

As well as leading to financial loss through fines, data breaches can seriously harm a charity’s reputation. Supporters may be lost as they no longer feel confident their data is stored securely. They may also be angry that money they’ve donated to support a good cause has been wasted covering a fine. 

The fundamentals of data protection

Both staff and volunteers have obligations for keeping personal data private and secure, and charities need to ensure they implement clear policies for everyone to follow. 

The UK’s data protection laws changed after Brexit and now consist of two frameworks. Both are important to reference when implementing your charity’s data protection compliance to ensure everyone is acting in a legal and responsible manner:

  • UK-GDPR, which replaces the EU’s GDPR
  • Data Protection Act 2018: the UK has continued to add to the Data Protection Act, including further exemptions and future proposed changes

Anyone in your charity who has access to personal data should undertake training to make them aware of their responsibilities and the possible repercussions for not keeping the data safe. 

Where do threats come from?

The most common threats are from human action or human inaction:

  • Accidental or over disclosure
  • Lack of awareness of surroundings
  • Not following policies and procedures
  • A deliberate or illegal act

How much importance does your charity place on data protection?

Our research has found that smaller charities don’t always offer data protection guidance to staff and volunteers, who are unaware of how personal data can be compromised, for example by giving information about a patient or service user to someone without properly verifying who they are.

Data protection is one of the topics covered in CharityGo’s online library of expert-written, ready-made courses. Powered by TrainingToolz, subscriptions start at just £25 plus VAT for up to 500 training sessions per month and new clients can benefit from added extras if they sign up before 31 March 2023.

For more information and to book a no-obligation discovery call, visit 

