GDPR for community groups
UK GDPR for the volunteer treasurer with a membership spreadsheet and a Mailchimp list. The minimum you have to do, what the ICO actually expects, and the 2026 changes.
Last updated 17 May 2026 · 7 min read
The six UK GDPR principles
Every charity processing personal data must follow the six principles in UK GDPR Article 5:
- Lawfulness, fairness and transparency. A lawful basis for each use; clear privacy notice
- Purpose limitation. Collected for specified purposes; not used for incompatible new purposes
- Data minimisation. Don't collect more than you need
- Accuracy. Keep records up to date; correct errors when found
- Storage limitation. Don't hold longer than necessary
- Integrity and confidentiality. Reasonable security: passwords, access controls, encryption where appropriate
Lawful bases for processing
UK GDPR Article 6 lists six lawful bases. Most small-charity processing falls under one of these three:
- Consent. Required for direct-marketing emails and texts (Privacy and Electronic Communications Regulations 2003, PECR). Must be specific, informed, freely given and unambiguous; pre-ticked boxes are not consent.
- Legitimate interests. The charity has a legitimate reason that isn't overridden by the individual's rights. Use for member administration, fraud prevention, internal record-keeping. Requires a documented Legitimate Interests Assessment (LIA).
- Legal obligation. Where processing is required by law — gift aid records for HMRC, accounting records under Charities Act 2011, DBS records.
Three further bases (vital interests, public task, contract) apply occasionally. For special category data (health, religion, ethnicity, sexual orientation, etc.) you need a lawful basis and a separate Article 9 condition — typically explicit consent or substantial public interest.
The ICO data protection fee
Most data controllers (including charities) must pay an annual fee to the Information Commissioner's Office (ICO).
- Tier 1 — £40/year for most small charities (and the standard small organisation tier). Registered charities qualify for the Tier 1 fee even if they would otherwise fall into Tier 2 or 3 on size criteria.
- Exemption may apply for very small not-for-profit organisations whose processing is limited to membership administration and record-keeping — check the ICO's self-assessment tool.
- Failure to pay is enforceable; the ICO has issued fines against small organisations for non-payment.
Data subject rights
Individuals have eight UK GDPR rights. The ones most likely to come up at a small charity:
- Right of access (DSAR). Anyone can ask for a copy of the personal data you hold about them. Respond within one calendar month; no fee for most requests. The Data (Use and Access) Act 2025 codified the “reasonable and proportionate searches” position — you don't have to turn the office upside down for a trivial request.
- Right to rectification. Correct inaccurate data within one month.
- Right to erasure (“right to be forgotten”). Limited circumstances (no longer needed, withdrawn consent, unlawful processing). Records you must keep for legal reasons (gift aid, accounting) can be retained.
- Right to object to processing, especially direct marketing. For direct marketing the right is absolute: you must stop immediately.
Breach reporting
Personal data breaches that pose a risk to individuals must be reported to the ICO within 72 hours of becoming aware. Breaches likely to result in high risk to individuals must also be reported to the individuals themselves “without undue delay.”
What counts as a breach: lost laptop, accidental email of a members' list to the wrong recipient, server compromise, theft of donor records. Most small-charity breaches are human error and most don't cross the “risk to individuals” threshold — but errors involving sensitive categories, large data sets, or potential for harm should be reported.
A small-charity GDPR action list
- Register and pay the ICO fee (£40 Tier 1 for most charities)
- Document what personal data you hold, the source, the purpose, the lawful basis, the retention period
- Publish a privacy notice on your website and have a printed version available
- Identify a data protection lead — usually the treasurer or secretary at small-charity scale (DPO role only mandatory for public authorities and large-scale monitoring)
- Review consent records for direct marketing — replace pre-ticked or stale consents
- From February 2026: update data-capture forms to support the new charitable-purpose soft opt-in
- Have a breach response procedure — who is told, who decides on ICO notification, who notifies individuals
- Train trustees and staff briefly — most small-charity breaches are human error
Sources
- UK General Data Protection Regulation; Data Protection Act 2018
- Data (Use and Access) Act 2025 — Royal Assent 19 June 2025; charitable-purpose soft opt-in commences 5 February 2026
- Privacy and Electronic Communications Regulations 2003 (PECR)
- ICO charity guidance and data-protection fee self-assessment
- ICO breach reporting guidance — 72-hour deadline
- ICO updated DUAA guidance (published 28 April 2026)