Alex is Sprintlaw’s co-founder and principal lawyer. Alex previously worked at a top-tier firm as a lawyer specialising in technology and media contracts, and founded a digital agency which he sold in 2015.
- Overview
Practical Steps And Common Mistakes
- Step 1: Map your real data flows
- Step 2: Separate audiences where needed
- Step 3: Match your lawful bases to each activity
- Step 4: Explain sensitive data carefully
- Step 5: Be honest about third parties and transfers
- Step 6: Use realistic retention wording
- Step 7: Put the notice where people will actually see it
- Common mistakes charities make
- Documents that should align with your notice
- Key Takeaways
If your charity collects donor details, volunteer applications, event registrations or beneficiary information, a clear privacy notice is not optional.
Many UK charities make the same mistakes: copying a generic website policy that does not match what they actually do, forgetting to explain the legal basis for using personal data, or using one short notice for very different audiences such as staff, supporters and service users.
Those gaps matter. A privacy notice is one of the main ways your charity explains how it handles personal information under UK data protection law. If it is vague, inaccurate or buried in the wrong place, you risk complaints, confusion and regulator attention, especially where you handle sensitive data or rely on fundraising communications.
This guide explains what a privacy notice for charities in the UK should include, when you need different notices, where charities often get caught out, and the practical steps to sort out before you collect more data, launch a campaign or ask people to sign up.
Overview
A privacy notice tells people what personal data your charity collects, why you use it, who you share it with, how long you keep it, and what rights they have. For UK charities, the right wording depends on your actual activities, not just your status as a charity.
A good notice should match the real journey of your donors, volunteers, employees, trustees, beneficiaries and website users. It should also reflect any higher risk processing, such as safeguarding records, health information or targeted fundraising.
- Identify each group of people whose data you collect, such as donors, volunteers, staff, beneficiaries and website visitors
- List the personal data you collect from each group, including data gathered directly and indirectly
- Explain the purpose for each use of personal data in plain English
- State the lawful basis you rely on under UK GDPR for each main use
- Say whether you collect special category data, criminal offence data or children's data
- Set out who you share data with, including service providers, fundraising platforms, payment processors and regulators where relevant
- Explain any international data transfers and the safeguards used
- Include realistic retention periods or clear retention criteria
- Describe individuals' rights and how they can raise a concern
- Make sure the notice is easy to find at the point data is collected
What Privacy Notice Charities Means For UK Businesses
For a charity in the UK, a privacy notice is your transparency statement under UK GDPR and the Data Protection Act 2018. It is the document that tells people, clearly and upfront, what happens to their information when they interact with your organisation.
Charities are often small or mission led, but the legal expectations are the same. If you are a registered charity, a charitable company, a CIO, a social enterprise with charitable activities, or a not for profit that handles personal data, you still need to explain your processing properly.
Why charities need a tailored privacy notice
Many charities process more personal data than they first realise. A simple fundraising page can involve names, contact details, payment information, Gift Aid records, event attendance, email preferences and analytics data.
Some charities also process highly sensitive information. That might include health data for support services, disability information for accessibility adjustments, DBS related information for safeguarding roles, or children's data for youth programmes.
That is why a generic notice usually falls short. The notice needs to reflect your real operations, your business structure, the tools you use, and the categories of people you deal with.
What the law expects you to tell people
Under UK GDPR, people should be told certain core information when you collect their personal data. In plain English, your charity should normally cover:
- Your charity's name and contact details
- The contact details of your data protection lead or data protection officer, if you have one
- What personal data you collect
- Why you use it
- The lawful basis for using it
- Your legitimate interests, if you rely on that basis
- Who receives the data
- Whether data is transferred outside the UK, and what safeguards apply
- How long you keep the data, or how you decide retention periods
- The rights available to the individual, such as access, correction and objection
- The right to complain to the Information Commissioner's Office
- Whether providing the data is a legal or contractual requirement, where relevant
- Whether you use automated decision making or profiling, if you do
You do not have to present this in legal jargon. In fact, charities usually do better when the wording is simple and tied to real situations, such as processing a volunteer application, administering Gift Aid, contacting supporters about an appeal, or managing referrals into a service.
One charity, several privacy notices
Most charities should not rely on a single one size fits all notice. Different audiences often need different information and different levels of detail.
For example, your public website privacy notice may explain cookies, contact form data and newsletter sign ups. A separate donor notice may cover fundraising databases, Gift Aid and communication preferences. A volunteer or staff notice will often need extra detail about recruitment, references, right to work checks, emergency contacts and internal HR records.
Beneficiary notices often need the most care. They may need to explain sensitive personal data, safeguarding, referrals from third parties, and the limits of confidentiality.
Privacy notice versus consent
A privacy notice is not the same thing as consent. Charities often mix these up, especially in fundraising and email marketing.
The notice explains what you do with data. Consent, where it is needed, is a specific permission for a particular use, such as sending certain electronic marketing messages. You may process some data on other lawful bases, such as contract, legal obligation, legitimate interests or, for special category data, an additional condition under data protection law.
This is where founders and trustees often get caught. They assume that adding a privacy notice to a form solves every data protection issue. It does not. You still need the right lawful basis, compliant marketing practice and internal records to support what the notice says.
When This Issue Comes Up
The need for a proper privacy notice usually becomes urgent when your charity starts collecting more data, using new systems, or dealing with more sensitive activities. The earlier you sort it out, the easier it is to avoid rewriting forms, fixing staff processes or explaining inconsistencies later.
When you launch or formalise the charity
If you are setting up a charitable company or CIO, privacy should sit alongside your registration, business structure, contracts and internal policies. Even at an early stage, you may collect trustee details, volunteer expressions of interest, donation information and mailing list sign ups.
Before you spend money on setup, map what personal data you expect to collect and where it will go. That makes it much easier to draft notices that reflect reality.
When you start fundraising
Fundraising is one of the most common triggers. Donation pages, recurring giving, event sponsorship, auctions, raffles, community campaigns and corporate partnerships all involve personal data.
Your privacy notice should explain points such as:
- How donor details are collected
- Whether you use fundraising platforms or payment providers
- How you administer Gift Aid declarations
- How supporters can manage communication preferences
- Whether you profile supporters or analyse giving history
If your charity sends marketing emails or texts, the wording around communications needs extra care. A donor privacy notice should not leave people guessing whether they are signing up to updates, appeals, event invitations or all of the above.
When you recruit volunteers, staff or trustees
Recruitment creates a separate stream of personal data, often before a formal contract is signed. Application forms, CVs, references, interview notes and DBS related checks all raise privacy questions.
Your charity should be ready to tell applicants what data you collect, why you need it, who sees it, and how long unsuccessful application records will be kept. If you later employ staff, your employment contracts and staff privacy notice should align.
When you support beneficiaries or service users
This is often the highest risk area. Charities working in health, housing, education, domestic abuse, disability support, community care, religion, youth work or crisis response may collect sensitive or confidential information.
In these settings, a short website notice will rarely be enough. People need to understand not only what is collected, but also whether the charity receives information from referrers, shares data with local authorities or healthcare providers, keeps safeguarding records, or must disclose information in limited circumstances.
When you use third party platforms and digital tools
Most charities use external tools for mailing lists, CRM systems, online forms, donation processing, volunteer scheduling and cloud storage. Each tool can affect what your privacy notice should say.
If a platform stores data overseas or uses sub processors, you need to understand that before you publish your notice. The legal document has to match the operational setup and any data processing terms in place.
When you collect children's data
If your charity works with schools, youth clubs, family services or junior membership schemes, children's privacy information needs special thought. The language should be easier to understand, and your internal processes around consent, safeguarding and communications should be clear.
The same applies where parents or guardians provide information on a child's behalf. Your notice should make it clear whose data you are collecting and for what purpose.
Practical Steps And Common Mistakes
The best privacy notice for a UK charity starts with a data map, not a template. If you do not know what information you collect, why you use it and where it goes, the final document will be inaccurate from day one.
Step 1: Map your real data flows
List each point where your charity collects personal data. Include online forms, paper forms, email inboxes, event sign ups, telephone enquiries, donation pages, application packs and referral forms.
Then identify for each activity:
- Whose data you collect
- What categories of data are involved
- Why you collect it
- What lawful basis applies
- Who can access it internally
- Which third parties receive it
- How long you keep it
This step often reveals hidden gaps. For example, a charity may have a polished website notice but no explanation for volunteer recruitment records or beneficiary intake forms.
Step 2: Separate audiences where needed
Write different notices where people need materially different information. A donor does not need the same detail as an employee, and a beneficiary may need much more context than a casual website visitor.
Separate notices can still use consistent wording and structure. The key is that each notice should be relevant at the moment the person gives you their information.
Step 3: Match your lawful bases to each activity
Your privacy notice should accurately state the lawful basis for each type of processing. This is not just a drafting exercise. You need to decide what basis genuinely applies before you publish anything.
Common examples for charities include:
- Contract, for processing linked to a service, booking or employment relationship
- Legal obligation, for records you must keep under law
- Legitimate interests, for certain operational, administrative or relationship management activities
- Consent, where you genuinely rely on permission, especially in some marketing contexts
- Special category conditions, where you process health, racial or ethnic origin, religious belief or other sensitive data
If you rely on legitimate interests, say what those interests are in practical terms. Do not simply copy the phrase without explanation.
Step 4: Explain sensitive data carefully
If your charity handles special category data, your notice should say so clearly and explain why. People should not have to infer from context that you are recording health information, safeguarding concerns or accessibility needs.
Where appropriate, spell out the consequences of not providing certain information. For example, if your charity cannot safely deliver a service without key health details, say that in clear language.
Step 5: Be honest about third parties and transfers
Charities often understate how many external providers handle personal data on their behalf. Donation platforms, cloud tools, payroll software, event systems and survey providers all matter.
Your notice does not need to read like a supplier register, but it should give people a fair understanding of the categories of recipients. If data goes outside the UK, explain that and summarise the safeguards used.
Step 6: Use realistic retention wording
One of the most common mistakes is saying you keep data only for as long as necessary, without explaining what that means. Retention wording should be specific enough to be useful.
For example, you may keep donor records for a defined period after the last interaction, volunteer applications for a shorter period if unsuccessful, and safeguarding records in line with a more specialised data retention schedule. The notice should reflect those distinctions.
Step 7: Put the notice where people will actually see it
A privacy notice buried in a website footer is not enough for every situation. People should be able to access the relevant notice when data is collected.
That may mean placing a short privacy statement and signpost on:
- Donation forms
- Volunteer application forms
- Event registration pages
- Paper intake forms
- Staff recruitment materials
- Email sign up forms
Layered notices often work well. A short summary at the point of collection can direct people to a fuller notice, as long as the core information is still easy to access.
Common mistakes charities make
Most privacy notice problems are not caused by bad intentions. They usually come from copying wording without checking whether it matches actual practice.
- Using one generic notice for donors, volunteers, staff and beneficiaries
- Listing consent as the lawful basis for everything
- Failing to mention sensitive data or safeguarding records
- Ignoring third party fundraising or CRM platforms
- Leaving out retention periods
- Giving rights information that is incomplete or inaccurate
- Publishing a notice that conflicts with internal policies or contracts
- Forgetting to review the notice after new campaigns, services or systems are introduced
Another common issue is writing the notice too defensively. A privacy notice should not read like a warning label. It should help supporters, applicants and service users understand what to expect and who to contact.
Documents that should align with your notice
Your privacy notice should sit consistently with other documents and processes. If these are out of step, the notice can quickly become misleading.
- Data protection policy
- Staff and volunteer handbooks
- Fundraising procedures
- Employment contracts
- Volunteer agreements
- Website terms, privacy policy and cookie information
- Supplier contracts with data processing terms
- Safeguarding and record keeping procedures
This is especially relevant before you sign a new software contract or outsource donor management. The supplier arrangement may change what you need to tell individuals.
FAQs
Do all UK charities need a privacy notice?
If your charity collects or uses personal data, you will usually need a privacy notice or notices. That includes small charities and community organisations, not just large national bodies.
Can a charity use one privacy notice for everyone?
Sometimes a single notice works for a very simple organisation, but many charities need separate notices for different groups. Donors, staff, volunteers and beneficiaries often need different explanations.
Does a privacy notice cover fundraising emails and texts?
It helps explain how communications data is used, but it does not replace the need to follow marketing rules. You still need the right legal basis and compliant consent or soft opt in analysis where relevant.
What if our charity handles health or safeguarding information?
Your notice should clearly explain that you process sensitive data, why you need it, and any key sharing or confidentiality limits. You should also make sure your internal policies and lawful basis analysis support that wording.
How often should we review our privacy notice?
Review it whenever your charity changes how it collects or uses data, adds a new platform, starts a new service, or launches a new fundraising activity. Even without major changes, a periodic review is sensible.
Key Takeaways
- A privacy notice is a core transparency document for UK charities under data protection law
- Your notice should reflect what your charity actually does, not a generic template
- Many charities need separate notices for donors, volunteers, staff, beneficiaries and website users
- You should clearly explain personal data collected, purposes, lawful bases, sharing, retention, rights and any overseas transfers
- Sensitive data, children's data, safeguarding records and fundraising communications need extra care
- The notice should be available at the point of collection, not hidden away after the fact
- Your privacy notice should align with internal policies, contracts, recruitment documents and third party supplier arrangements
If your business is dealing with privacy notice charities and wants help with privacy notices, fundraising communications, data protection policies, and supplier data processing terms, you can reach us on 08081347754 or team@sprintlaw.co.uk for a free, no-obligations chat.







