A One-Page Plain English Guide for Charity Teams
Good data isn’t just about what you collect. It’s about knowing what to keep and what to let go.
Many charities unintentionally hold personal data for years longer than they need to. Not because they’re careless, but because no one has stopped to define clear retention principles.
This starter template gives you a practical, board-ready Data Retention Policy designed specifically for UK charities.
It balances:
- Legal and audit requirements
- Stewardship and relationship realities
- Risk reduction and data minimisation
- Operational common sense
It is written to be usable – not just technically correct.
What This Template Includes
This resource provides:
- A fully structured Data Retention Policy
- Suggested retention periods for common charity supporter types
- Guidance on beneficiary, safeguarding, and operational data
- Clear roles and responsibilities
- A practical destruction and review framework
- A one-page plain English guide for teams
It’s designed to work alongside your Data Protection Policy and Privacy Notice.
Why Retention Matters More Than You Think
Poor retention practices create risk in three ways:
- Regulatory Risk – Holding data longer than necessary breaches the storage limitation principle.
- Operational Risk – Outdated records distort reporting and decision-making.
- Reputational Risk – Supporters rarely expect you to still hold their data years after engagement has ended.
Equally, deleting data too early can create audit, safeguarding, or financial problems.
This template helps you strike the right balance.
The Golden Rule
We keep personal data only for as long as there is a clear, justified reason to do so.
Retention is based on purpose, not habit.
What starts the clock?
In most cases, retention periods run from the last meaningful interaction, such as:
- The last donation
- The last two-way contact
- The end of a volunteering role
- The closure of a case or service
Different supporters = different retention needs
Treating all supporters the same creates risk.
Individual and Regular Givers
Usually retained for financial and audit purposes.
When that purpose ends, records should be reviewed.
Ask: Are we actively engaging this person, or just storing history?
Major Donors
Longer, relationship-based stewardship cycles.
Ask: Is the relationship still active?
Legacy Supporters
Long timelines, low contact frequency.
Ask: Do we have a clear, documented reason to retain this record?
Campaigners and Advocates
Engagement relevance declines quickly.
Ask: Would this person reasonably expect us to still hold their data?
Beneficiary and Service-User Data
Often the most sensitive category.
Retention should reflect safeguarding, legal and service needs.
Ask: Has anyone reviewed this recently?
When data reaches its limit
When personal data is no longer required:
- Delete it securely, or
- Anonymise it for reporting and learning
“Just in case” is not a lawful retention reason.
Everyday Good Habits
- Don’t create data you wouldn’t be comfortable justifying
- Flag outdated records
- Use approved systems – not personal folders
- Treat retention as part of ongoing data hygiene
If you’re unsure, ask.
Retention decisions shouldn’t sit on one person’s shoulders. Good retention protects:
- The people behind the data
- The organisation
- You
Data Retention Policy – Starter Template
Copy and use this starter template as a foundation – adapt it to fit your charity’s needs and context
Want a downloadable version? Grab the .docx template here
Data Retention Policy – Starter Template (Charity)
Organisation Name: [Insert Charity Name]
Version: 1.0
Approved by: [Board / Trustees]
Date Approved: [DD/MM/YYYY]
Next Review Date: [DD/MM/YYYY]
1. Purpose
This Data Retention Policy sets out how long [Organisation Name] retains personal data and the principles that guide the review, archiving, anonymisation, and deletion of that data.
The policy ensures that personal data is:
- Not kept longer than necessary
- Retained only for clear and lawful purposes
- Managed in line with data protection legislation and best practice
2. Scope
This policy applies to:
- All personal data held by the organisation
- All staff, trustees, volunteers, contractors, and suppliers
- All formats, including digital systems, spreadsheets, email, backups, and paper records
3. Principles
We retain personal data in line with the following principles:
- Retention periods are linked to purpose, not convenience
- Different types of supporters require different retention approaches
- Data is reviewed regularly and not left to accumulate indefinitely
- Where possible, data is anonymised rather than retained in identifiable form
- Destruction of data is secure and auditable
4. Roles and Responsibilities
- Board / Trustees: Oversight and approval of this policy
- Senior Management: Ensure the policy is implemented and resourced
- Data Protection Lead: Owns retention schedules and oversees deletion
- All Staff and Volunteers: Follow retention guidance and flag data that may no longer be required
5. Retention Periods – Supporter Data (Best Practice Guidance)
Retention periods begin from the last meaningful interaction unless otherwise stated.
Supporter Types and Suggested Retention Periods
| Supporter Type | Examples | Suggested Retention Period | Rationale |
| One-off / Individual Givers | Single donations, event gifts | 6 years after last donation | HMRC and financial audit requirements |
| Regular Givers | Direct Debits, recurring donations | 6 years after final payment | Financial records + reasonable supporter relationship |
| Major Donors | High-value gifts, relationship-managed donors | 6–7 years after last meaningful engagement | Longer stewardship cycle and audit needs |
| Legacy Pledgers (Known) | Individuals who have notified the charity of a legacy intention | Until legacy realised or 6 years after last contact | Long-term relationship with low contact frequency |
| Legacy Prospects (Unconfirmed) | Inferred or researched prospects | 2–3 years from last engagement | Higher risk; purpose must remain clear |
| Community Fundraisers | Challenge events, peer-to-peer fundraising | 3–6 years after last activity | Stewardship balanced with relevance |
| Campaigners / Advocates | Petition sign-ups, activism | 2–3 years after last interaction | Engagement relevance declines quickly |
| Volunteers | Active volunteers | Duration of volunteering + 3 years | Safeguarding and duty of care |
| Inactive Supporters | No engagement across any channel | 2 years then anonymise | Data minimisation and risk reduction |
6. Other Common Charity Data Types
| Data Type | Suggested Retention Period |
| Gift Aid Declarations | 6 years after last claim |
| Financial Transaction Records | 6–7 years |
| Beneficiary Case Records | As defined by safeguarding / service needs (often 6–7 years after last contact) |
| Complaints Records | 6 years |
| Marketing Preferences & Consent Logs | As long as consent is relied upon + audit period |
| Training Records | Duration of role + 3 years |
7. Review and Archiving
- Data must be reviewed periodically to confirm it is still required
- Where operational need has ended, data should be anonymised where possible
- Archived data must remain secure and access-controlled
8. Destruction and Disposal
When retention periods expire:
- Digital records are securely deleted
- Paper records are shredded or confidentially destroyed
- Destruction activities are logged where appropriate
9. Exceptions
In some circumstances, data may be retained longer than stated, including:
- Legal claims or disputes
- Safeguarding investigations
- Contractual obligations
Any exceptions must be documented and approved by the Data Protection Lead.
10. Review of this Policy
This policy is reviewed at least annually and updated to reflect changes in legislation, guidance, or organisational practice.