Making supporter choices clear, respectful and easy to manage.
For many people in charities, GDPR still feels like a set of rules designed to catch them out. It isn’t. At its heart, GDPR is simply about treating people fairly; telling them what you’re doing, respecting their choices, and keeping their information safe.
This module isn’t about legislation. It’s about people — and about helping your team understand how to handle supporter information in a way that builds trust instead of anxiety.
When consent is clear and permissions are up to date, everything becomes easier: communications land where they should, donors feel respected, and teams avoid guesswork. It’s not about perfection — it’s about getting the basics right, together.
Why this module matters
Permissions and consent shape almost every interaction a charity has with its supporters. When they’re handled well:
- supporters feel respected
- campaigns become more effective
- complaints fall
- your organisation stays on the right side of GDPR
- teams feel confident using data instead of worrying about it
Handled poorly, they create confusion, mistakes and risk — none of which are needed in an already stretched environment.
This module gives your team the clarity they need to act with confidence.
What we’ll cover in this module
By the end, your team will understand:
1. The difference between consent, legitimate interest and operational contact
(And why mixing them up creates unnecessary risk.)
2. How to record permissions in a clear, consistent way
No more guessing, no more “I think we can email them… right?”
3. How to manage supporter choices respectfully
Including opt-outs, channel preferences and special categories of data.
4. How this all links back to GDPR
In normal English, without legal jargon or panic.
5. What good everyday practice looks like
So that anyone — fundraiser, volunteer manager, comms lead — can feel confident updating records.
How this connects with other policies
Just like your data policy, this module links to the wider framework of how your charity works:
- your Privacy Notice (what you tell supporters)
- your Data Retention Policy (how long you keep information)
- your IT / Security Policy (who has access and how)
- your Fundraising or Communications Strategy (how you plan supporter journeys)
Permissions sit at the crossroads of all of these — so clarity here has a huge ripple effect across the organisation.
Lesson 6.1 — What Counts as Personal Data
A simple guide to what sits under GDPR (and why it matters to your charity).
Before we can talk about permissions, consent or supporter choices, we need to get clear on what actually counts as personal data. This is the foundation everything else builds on. And the good news? It’s much simpler than people think.
Personal data is anything that can identify a living person, directly or indirectly.
It includes obvious things like names and email addresses, but also information you might not immediately think of — notes, opinions, behaviours, photos, even a combination of small details.
Understanding this helps teams work with confidence. It reduces accidental risk and stops the “is this personal data?” guessing game we see in so many charities.
The basics: what personal data includes
Here are the categories in charity-friendly terms:
1. Information that directly identifies someone
- Name
- Address
- Phone
- Date of birth
- Supporter ID
If your team can point at it and say “we know exactly who this is”, it’s personal data.
2. Information that identifies someone when combined (“indirect personal data”)
- Postcode + event attendance
- Job title + organisation + donation
- Social handle + email pattern
- Notes on a conversation
GDPR doesn’t care whether the data is public, private, or hidden in a spreadsheet. If a person can be recognised, it’s personal data.
3. Special category data (sensitive information)
This includes things like:
- health conditions
- ethnicity
- political opinions
- religion
- trade union membership
- sexual orientation
Charities sometimes collect this without realising — particularly service-delivery organisations. This type of data requires extra care and a clearer lawful basis.
4. Behavioural and engagement data
- Donation history
- Event attendance
- Email opens and clicks
- Website activity (when linked to a supporter)
- Social media interactions
This is still personal data — even if it feels “less personal”.
5. Notes, comments and internal opinions
A huge one for team culture.
Things like:
- “Spoke to Sarah, prefers email”
- “Donor upset about last appeal”
- “Great volunteer, loves marathons”
This is all personal data, and often the place where accidental risk lives.
Friendly reminder: write notes as if the supporter could see them — because legally, they could.
Why this matters for permissions & consent
Knowing what counts as personal data helps teams:
- understand when permissions apply
- avoid storing information in the wrong place
- treat notes and comments with respect
- feel confident about when GDPR actually matters
- avoid the myth that “GDPR stops us doing everything”
A confident team makes fewer mistakes — and communicates more effectively.
Quick clarity: what is not personal data?
Some common misconceptions:
- Anonymous survey responses (if truly anonymous)
- Aggregated reports
- Pure statistics
- Organisational / business information (“info@charity.org”)
If it can’t be tied back to a person, directly or indirectly, it’s not personal data.
Lesson 6.2 — Permissions & Consent: What They Actually Mean (and the Rules Behind Them)
A simple guide to supporter choices, lawful bases, and the different regulations that shape how charities communicate.
When teams talk about “permissions” or “consent”, they’re often talking about five different things at once — GDPR, PECR, the Fundraising Regulator, internal policies, supporter expectations… no wonder people get anxious.
Let’s strip it back.
At its core, permissions are simply about respecting supporter choices and using data in a fair, transparent way. The legislation and codes that surround this aren’t there to stop good fundraising. They’re there to help organisations build trust.
This lesson explains the different rules that touch charity communications, what they actually mean, and how they fit together.
The Foundations: What’s the Difference Between GDPR and PECR?
GDPR (General Data Protection Regulation)
GDPR sets the principles for handling personal data.
It answers questions like:
- Are we using data fairly?
- Are we being transparent?
- Are we keeping it safe and accurate?
- Do supporters have clear rights over their information?
It governs how you process personal data — whatever the channel.
GDPR = how we treat data.
PECR (Privacy & Electronic Communications Regulations)
PECR controls how you communicate with people via:
- email
- SMS
- phone (for some types of calls)
- cookies / tracking technology
PECR is about channels, not content.
PECR = how we contact people using electronic channels.
It’s possible to be GDPR-compliant but PECR-non-compliant, and vice versa — this is where confusion often begins.
Other Rules Charities Need to Know (Fundraising & Governance)
1. The Fundraising Regulator’s Code of Fundraising Practice
This governs:
- ethical fundraising
- transparency
- supporter care
- avoiding undue pressure
- respectful communication
It matters because it shapes the tone and approach to how you contact supporters — not just whether you’re legally allowed to.
2. The Charity Commission (UK) — Trustee Responsibilities
Trustees must ensure:
- personal data is used legally and ethically
- fundraising is carried out responsibly
- financial stewardship is sound
This ties permissions and consent back to governance.
3. PCI-DSS (Payment Card Industry Data Security Standard)
If your charity takes card payments, PCI-DSS applies.
It’s not just about secure checkout pages — it includes:
- no storing card details in spreadsheets
- no taking card details by email
- strict handling rules for telephone donations
This protects both supporters and organisations.
4. Data Protection Act 2018
This is the UK’s legal framework that sits alongside GDPR.
You don’t need to memorise it — just know that it reinforces GDPR principles.
5. Your Own Internal Policies
These often include:
- Privacy Notice (what you tell supporters)
- Data Retention Policy
- IT / Information Security Policy
- Safeguarding / Service-user Confidentiality
- Acceptable Use & Digital Communications
A strong permissions framework should align with all of these.
How Permissions Actually Work in a Charity
There are three everyday categories your team needs to understand:
1. Operational Contact
These are messages required to deliver a service or transaction.
Examples:
- Gift Aid queries
- Event logistics
- Volunteer rota updates
- Donation receipts
No consent required. No opt-in.
This is the charity fulfilling its role.
But — teams mustn’t stretch the definition. “Since you donated last week, here’s our newsletter” does not count as operational.
2. Consent (Opt-In)
Supporters clearly and actively say yes to specific types of communication.
Consent must be:
- freely given
- specific
- informed
- recorded
- easy to withdraw
Under PECR, consent is required for:
- email marketing
- SMS marketing
Under GDPR, consent is only one lawful basis — but for digital marketing it’s the safest default.
3. Legitimate Interest (LI)
This is where much confusion comes from, but it can be genuinely useful when handled well.
LI is appropriate when:
- the charity’s interest is reasonable
- the impact on the supporter is minimal
- the supporter would expect the communication
- you conduct a balancing test
- you offer a clear opt-out
Most commonly used for:
- postal fundraising
- contacting donors who have an existing relationship
- stewardship where someone hasn’t actively opted out
Channel rule:
- LI cannot be used for email or SMS fundraising under PECR.
- LI can apply to postal fundraising and some phone calls.
What about Soft Opt-In? (current proposals + future legislation)
Soft opt-in (sometimes called “pre-existing relationship rule”) is expected to be expanded in upcoming UK legislation.
The principle: If someone bought, donated, or engaged recently and gave their details, you may contact them about similar campaigns as long as they can easily opt out.
Currently applies to:
- Some email contact from commercial organisations
- Charities in limited circumstances (varies by legal interpretation)
Expected future:
- A clearer, charity-friendly version
- Likely allowing warm supporters to hear from you if they haven’t opted out
But until legislation changes, don’t rely on soft opt-in for charity email fundraising unless your legal team explicitly says so.
Where teams often get stuck
- “We have consent for post, so we can email them too, right?”
- “They donated last year — does that mean we have legitimate interest?”
- “They opted out of SMS, so can we call them?”
- “We have event data but no opt-in — can we use it for fundraising?”
These questions are normal. A clear permissions framework helps everyone make the right call.
A simple table your team can use
| Contact Channel | Consent | Legitimate Interest | Operational Contact |
|---|---|---|---|
| Email | ✔ Required | ✖ Not allowed | ✔ Delivery only |
| SMS | ✔ Required | ✖ Not allowed | ✔ Delivery only |
| Phone | Often ✔ Required (TPS rules) | ✔ In limited cases | ✔ |
| Post | Optional | ✔ Common lawful basis | ✔ |
| In-person | Not required | ✔ | ✔ |
Lesson 6.3 — The 8 Data Protection Principles (In Real Language)
A simple, human explanation of the rules that sit behind good data practice.
The 8 Data Protection Principles are the foundation of GDPR. They’re not meant to scare anyone or make simple tasks feel risky. Their purpose is to guide organisations — including charities — to use data fairly, safely and respectfully.
Think of these principles as a set of good habits rather than a list of punishments. When your team applies them, supporter trust grows, fundraising improves, and the organisation becomes less vulnerable to mistakes.
Let’s walk through each principle in plain English, with examples that make sense in a busy charity.
1. Lawfulness, Fairness & Transparency
Explanation: You must have a lawful reason to process data, be open about what you’re doing, and treat people fairly.
In practice:
- Tell supporters why you’re collecting their details.
- Don’t hide anything in the small print.
- Only contact people in ways they have agreed to (or expect).
Example: If someone signs up for an event, it’s fair to send event updates — but not to automatically add them to your appeal mailing list.
2. Purpose Limitation
Explanation: Use data only for the reason you collected it — and don’t quietly repurpose it later.
In practice:
- If someone gives you their details for a raffle, you can’t add them to general fundraising emails unless they opted in.
- Service-user information should never be used for marketing.
Example: A volunteer’s emergency contact details can’t be used for anything except emergencies.
3. Data Minimisation
Explanation: Only collect what you need — and no more.
In practice:
- Ask: “Do we genuinely need this field?”
- Remove unused fields from forms.
- Stop collecting information “just in case”.
Example: You don’t need someone’s date of birth if all you require is age verification for an event.
4. Accuracy
Explanation: Keep data up to date and correct where possible.
In practice:
- Update supporter preferences promptly.
- Correct misspellings.
- Remove duplicates.
- Capture changes of address after returned mail.
Example: If Finance updates a donor’s surname manually, Fundraising shouldn’t continue using the old one in letters.
5. Storage Limitation (Retention)
Explanation: Don’t keep data longer than necessary — but don’t delete it too soon either.
In practice:
- Follow your retention schedule.
- Archive old data safely.
- Delete records with no ongoing purpose.
Example: Donation records must be kept for HMRC requirements — but old campaign spreadsheets saved on desktops should be removed.
6. Integrity & Confidentiality (Security)
Explanation: Protect data from loss, unauthorised access, or misuse.
In practice:
- Use strong passwords.
- Don’t share logins.
- Store files in the right systems.
- Avoid email attachments containing personal data.
- Use MFA where possible.
Example: A spreadsheet of Gift Aid donors must not sit on someone’s laptop desktop.
7. Accountability
Explanation: Be able to show how you comply — not just assume that you do.
In practice:
- Keep policies up to date.
- Document key decisions.
- Train staff regularly.
- Maintain a record of processing activities (lite version for small charities is fine).
Example: If a supporter complains about receiving an email, you should be able to show where their consent came from.
8. Rights of the Individual
Explanation: People have rights over their data: access, correction, deletion, restriction, objection, portability.
In practice:
- Respond quickly to data requests.
- Update records when asked.
- Make opting out easy.
- Never make people jump through hoops to stop receiving communications.
Example: If someone asks what data you hold about them, you must provide it in clear, understandable form.
How these principles help your team
When staff understand these eight ideas, everything becomes clearer:
- teams make better decisions
- supporter trust improves
- data quality increases
- fundraising becomes smoother
- compliance becomes a natural by-product, not a fear
These principles are not hoops to jump through — they’re tools to help your organisation work better.
Lesson 6.4 — Practical Action: Consent Statements & Real-World Scenarios
Helping your team make confident, ethical decisions about supporter contact.
Consent, permissions and lawful bases can feel abstract until you put them into real examples. This final lesson makes things practical: what to say, how to record it, and how to interpret supporter choices in a way that respects their preferences without getting tangled in fear or legal jargon.
PART A — Three Strong Consent Statements
Below are three examples you can use or adapt. Each one includes why it works, how to interpret it, and what to record.
1. Clear, Single-Purpose Consent
Statement:
“Yes, please email me updates about the charity’s work and how I can support it.”
✔ Why this works
- It’s specific: email only
- It’s purpose-led: updates + support opportunities
- Uses plain English
- Supports both stewardship and appeals
✔ How it should be interpreted
- You can email newsletters, impact stories, fundraising asks, event invitations
- You cannot send SMS or phone calls based on this consent
- You cannot assume postal consent — consent is channel-specific
✔ What to record in your CRM
- Email consent: Yes
- Purpose: Charity updates + ways to support
- Date and method of opt-in
- Source (e.g., website form, event form, telephone)
2. Granular, Multi-Channel Consent
Statement:
“I would like to hear from the charity by:
☑ Email
☐ Phone
☑ Post
☐ SMS
You can send me updates, stories, and ways I can support.”
✔ Why this works
- It lets supporters choose their channels
- It’s transparent
- It reduces risk of complaints
- It meets both GDPR and PECR requirements
✔ How it should be interpreted
- Only contact the supporter through the channels they have ticked
- If a channel is unticked, treat it as no
- This does not affect operational contact
✔ What to record
- One consent line per channel
- Date, source, and wording of the opt-in
- Any opt-outs (because they override previous permissions)
3. Supporter-Led, Values-Based Consent
Statement:
“I’d love to stay connected. Please keep me updated about the difference my support makes, new opportunities to get involved, and ways I can help in the future.
You can contact me by: Email / Post.”
✔ Why this works
- Centred on impact and relationship
- Encourages engagement without pressure
- Clear channels
- Reinforces charity values
✔ How it should be interpreted
- Provides room for both stewardship and appeal content
- Does NOT permit phone or SMS unless explicitly selected
- Safe for long-term nurturing
✔ What to record
- Consent wording (for audit trail)
- Channels allowed
- Type of content expected
PART B — Legitimate Interest (LI) and Soft Opt-In
A clear, calm explanation your team can rely on.
Legitimate Interest (Current Legislation)
Charities can use LI only when all three conditions are met:
- The charity’s interest is reasonable
- The supporter would expect the contact
- The supporter is not harmed or disadvantaged
✔ Channels where LI can apply
- Post (common)
- Some telephone calls (non-TPS numbers)
- In-person contact
- Operational contact alongside a transaction
✖ Channels where LI cannot be used
- Email marketing
- SMS marketing
If a channel is regulated by PECR, consent is the safest lawful basis.
Soft Opt-In (Future Legislation Direction)
Soft opt-in is expected to become more charity-friendly soon, but currently remains limited.
The principle:
If a person has recently donated, bought something, or engaged meaningfully, you may contact them about similar communications if they haven’t opted out.
Currently:
- Applies mostly to commercial organisations
- Charities must be cautious and seek legal clarity
- Never rely on soft opt-in for broad email fundraising campaigns until legislation changes
Expected future direction:
- Warmer, more flexible rules for charities
- Likely to allow stewardship + appeals to recent donors who haven’t opted out
For now: treat soft opt-in as a supplementary tool, not a foundation.
PART C — Real-World Scenarios
Use these to challenge thinking in your team. Each one includes an answer + explanation.
Scenario 1 — The Event Donor
A supporter signs up for a 10k run and gives you their email to receive event details.
They do not tick the marketing box.
Can you email them fundraising appeals?
❌ No.
They only gave their email for operational contact. You can send event logistics but not marketing.
Scenario 2 — The Returning Donor
A donor gave 18 months ago and hasn’t opted out. You have a postal address but no email consent.
Can you include them in a postal appeal?
✔ Yes, under Legitimate Interest, assuming:
- they donated in the past
- the contact is respectful and expected
- you offer a clear opt-out
Scenario 3 — The Gift Aid Conversation
A supporter donates online, opts out of email, but leaves a phone number.
Can you call them about clarifying their Gift Aid declaration?
✔ Yes — operational contact.
You are fulfilling a legal/financial process.
Can you call them about joining a regular giving scheme?
❌ No — that is marketing.
Scenario 4 — Consent But Wrong Channel
A supporter consents to “send me updates by post”, but you only have an email address.
Can you email them?
❌ No.
Permissions are channel-specific.
You can write a letter if you collect their address — but you cannot interpret “post” as “email”.
Scenario 5 — Stewardship vs Marketing
A donor opts out of email marketing but you want to send a thank-you story after their recent gift.
Can you email the stewardship message?
✔ Yes — if it is clearly stewardship.
A thank-you with no call to action is not marketing.
But if you add a “while you’re here, would you consider setting up a DD?”
❌ Now it becomes marketing and is not permitted.
Scenario 6 — The Long-Ago Donor
Someone donated 7 years ago and hasn’t interacted since.
Can you send them postal fundraising appeals under LI?
⚠️ Possibly, but risky.
Expectation may be low after so long. Better to treat them as lapsed and seek fresh consent where possible.
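As an added example (not part of this module or of any CRM product), the small Python check below encodes the channel table from Lesson 6.2 and the recording advice from Part A (one dated, sourced consent line per channel, with opt-outs overriding earlier permissions) and can be run against the Part C scenarios. The two-year cut-off for legitimate interest to a past donor and the ISO-date record layout are assumptions for the example, not rules stated in the module.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# Channels regulated by PECR: marketing needs consent, LI is never enough.
PECR_CHANNELS = {"email", "sms"}
# Assumed cut-off for LI to a past donor: the module calls 7 years risky,
# so this example treats anything over 2 years as lapsed.
LI_MAX_YEARS_SINCE_GIFT = 2


@dataclass
class ConsentLine:
    """One recorded choice for one channel (Part A: one line per channel)."""
    channel: str
    given: bool        # True = opt-in, False = opt-out or unticked box
    recorded_on: str   # ISO date, e.g. "2024-05-01"
    source: str        # e.g. "website form", "event form", "unsubscribe link"
    wording: str = ""  # statement the supporter saw, kept for the audit trail


@dataclass
class SupporterRecord:
    supporter_id: str
    consents: List[ConsentLine] = field(default_factory=list)
    tps_registered: bool = False     # phone marketing barred when True
    last_gift: Optional[str] = None  # ISO date of most recent donation


def current_consent(record: SupporterRecord, channel: str) -> Optional[bool]:
    """Latest line for the channel wins, so an opt-out overrides older opt-ins."""
    lines = [c for c in record.consents if c.channel == channel]
    if not lines:
        return None  # no choice recorded: treat as no consent
    return max(lines, key=lambda c: c.recorded_on).given


def can_contact(record, channel, purpose, today="2025-01-01"):
    """Return (allowed, reason) for one contact on one channel."""
    if purpose in ("operational", "stewardship"):
        # Delivery messages and a plain thank-you need no marketing permission.
        return True, f"{purpose}: no marketing permission needed"
    if purpose != "marketing":
        raise ValueError(f"unknown purpose: {purpose}")
    consent = current_consent(record, channel)
    if consent is True:
        return True, f"consent recorded for {channel}"
    if consent is False:
        return False, f"supporter opted out of {channel}"
    # No recorded choice: only legitimate interest could apply, never on PECR channels.
    if channel in PECR_CHANNELS:
        return False, f"{channel} is PECR-regulated: consent required"
    if channel == "phone" and record.tps_registered:
        return False, "number is TPS-registered: consent required"
    if record.last_gift is None:
        return False, "no existing relationship: LI balancing test fails"
    days = (date.fromisoformat(today) - date.fromisoformat(record.last_gift)).days
    if days / 365.25 > LI_MAX_YEARS_SINCE_GIFT:
        return False, "lapsed donor: expectation is low, seek fresh consent"
    return True, f"legitimate interest on {channel}: recent donor, include an opt-out"


if __name__ == "__main__":
    # Scenario 2 from Part C (constructed record): gift 18 months ago, no email consent.
    donor = SupporterRecord("S2", last_gift="2023-07-01")
    for channel in ("post", "email"):
        print(channel, can_contact(donor, channel, "marketing"))
```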
Wrap-Up: What Teams Should Remember
- Consent is opt-in, channel-specific, and must be recorded.
- Legitimate interest is useful but narrow — and never covers email/SMS.
- Soft opt-in is coming, but not here yet.
- Supporters should not be surprised by your contact.
- Stewardship ≠ marketing.
- When unsure: choose the most respectful option.
A confident team makes better decisions.
