Data Protection Policy Guide and Template

A One-Page Plain English Guide for Charity Data Teams

Data protection isn’t a document. It’s how your organisation earns trust.

Every charity handles personal data – from donor records to beneficiary case notes. But many policies are either copied from generic corporate templates or written in dense legal language that no one actually reads.

This starter template gives you a structured, board-ready Data Protection Policy designed specifically for UK charities.

Clear. Practical. Defensible.


What This Template Includes

This resource provides:

  • A structured Data Protection Policy aligned to UK GDPR
  • Clear governance and accountability sections
  • Lawful basis guidance
  • Data subject rights framework
  • Security and breach reporting structure
  • A charity-specific one-page plain English team guide

It is designed to sit alongside:

  • Your Privacy Notice
  • Your Data Retention Policy
  • Your Data Breach Procedure

Why This Policy Matters

For charities, data protection isn’t just regulatory.

It affects:

  • Beneficiary dignity and safety
  • Supporter trust
  • Fundraising integrity
  • Organisational reputation
  • Trustee accountability

Weak policies create confusion.
Confusion creates inconsistency.
Inconsistency creates risk.

This template gives you structure without unnecessary complexity.


What is data protection really about?

Data protection is about respecting people. It means being clear, careful, and fair when handling information about real humans – especially in a charity setting where trust matters.


What counts as personal data?

If it can identify someone, it’s personal data. In charities, this often includes:

  • Supporter and donor records
  • Beneficiary and case‑work information
  • Monitoring, evaluation, and impact data
  • Staff, volunteer, and trustee details

Some of this data is sensitive and needs extra care.


Charity‑specific nuances to watch out for

1. Beneficiary data is high‑risk

Free‑text notes, case histories, and informal records can easily include sensitive data.

Tip: Write notes as if the person could read them one day.

2. Fundraising and service delivery aren’t interchangeable

Just because data exists doesn’t mean it can be reused for a new purpose.

Tip: New purpose = pause and check.

3. Small teams mean blurred boundaries

Access can feel informal, but data protection still applies.

Tip: Only access data you genuinely need for your role.

4. Partners and platforms still count

Suppliers, CRMs, and consultants often process data on your behalf.

Tip: If data leaves the organisation, there should be a clear agreement.


Everyday good practice

  • Lock screens and protect passwords
  • Use approved systems only
  • Avoid emailing personal data unless secure and authorised
  • Report mistakes early – learning matters more than blame

If you’re unsure

Ask. Early questions prevent bigger problems later.


Data Protection Policy – Starter Template

Copy and use this starter template as a foundation, adapting it to fit your charity's needs and context.


Data Protection Policy – Starter Template (Charity)

Organisation Name: [Insert Charity Name]
Version: 1.0
Approved by: [Board / Trustees]
Date Approved: [DD/MM/YYYY]
Next Review Date: [DD/MM/YYYY]


Section A: Overview

1. Purpose of this Policy

This Data Protection Policy explains how [Organisation Name] handles personal data and complies with UK data protection law. It sets out our responsibilities as a Data Controller and the rights of individuals whose data we process.

We recognise that trust is fundamental to our work as a charity. How we handle personal data directly affects our beneficiaries, supporters, staff, volunteers, and partners.


2. Scope

This policy applies to:

  • All staff, trustees, volunteers, contractors, and consultants
  • All personal data processed by the organisation
  • All systems, platforms, tools, and formats (digital and paper)

Compliance with this policy is mandatory.


3. Key Definitions

  • Personal Data: Information relating to an identifiable living individual.
  • Special Category Data: Personal data revealing health, ethnicity, religious beliefs, or other sensitive characteristics.
  • Data Subject: The individual to whom personal data relates.
  • Processing: Any operation performed on personal data, including collection, storage, use, sharing, or deletion.
  • Data Controller: [Organisation Name].

Section B: Data Protection Principles

We process personal data in line with the UK GDPR principles. Personal data must be:

  1. Processed lawfully, fairly, and transparently
  2. Collected for specified, explicit, and legitimate purposes
  3. Adequate, relevant, and limited to what is necessary
  4. Accurate and kept up to date
  5. Kept for no longer than necessary
  6. Processed securely
  7. Handled in line with individuals’ rights

Lawful Bases for Processing

We only process personal data where at least one lawful basis applies:

  • Consent
  • Contractual necessity
  • Legal obligation
  • Legitimate interests
  • Vital interests
  • Public task

The lawful basis used must be documented.


Section C: Data Subject Rights

Individuals have the right to:

  • Be informed about how their data is used
  • Access their personal data (Subject Access Requests)
  • Rectify inaccurate or incomplete data
  • Request erasure of data
  • Restrict processing
  • Object to processing
  • Request data portability
  • Challenge automated decision-making and profiling

Requests must be handled within statutory timescales.


Section D: Organisational Responsibilities

Governance and Accountability

  • Overall accountability for data protection sits with the Board and Senior Management Team.
  • A named Data Protection Lead or Officer is responsible for oversight, advice, and incident management.

Training and Awareness

All staff and volunteers must:

  • Understand their data protection responsibilities
  • Complete appropriate training
  • Handle personal data in line with this policy

Section E: Data Security

We use appropriate technical and organisational measures to protect personal data, including:

  • Role-based access controls
  • Secure storage and transfer methods
  • Strong password practices and device security
  • Regular review of access and permissions

Section F: Data Sharing and Transfers

Personal data is only shared where:

  • There is a clear lawful basis
  • Appropriate safeguards and agreements are in place
  • Transfers outside the UK have adequate protection

Section G: Data Breaches

All personal data breaches or suspected breaches must be reported immediately to the Data Protection Lead.

Where required, breaches will be reported to the Information Commissioner’s Office within 72 hours and to affected individuals without undue delay.


Section H: Review and Maintenance

This policy is reviewed regularly and updated to reflect changes in legislation, guidance, or organisational practice.
