
Data protection and fundraising

How to collect, store and use people's personal details.

Major data protection law reform took effect in May 2018. Find out more, including how to comply with the GDPR, from the Information Commissioner's Office, and see our links below.


You should assume that any fundraising appeal made directly to individuals is covered by the Data Protection Act. This includes any unsolicited contact by post, phone, email or text message. This is covered by the act because you are using donors’ personal information.

It does not matter where your list comes from – your own members, people who have made enquiries, a bought-in list etc. The best way to ensure compliance (and good practice) is to get things right from the moment you start to compile the list. Start with your data capture forms, on paper, online and from phone calls.

Keep people informed on data usage from the start

Before people give you their details, they should know that you might use their information for fundraising or marketing. A simple declaration may be enough, for example: ‘We will keep your details so we can contact you about our future activities and how you can support us’.

Make it clear who you are collecting the information for (for example, for both a charity and its trading company).

Be ‘fair’ about using data

You can only use data in ways which are ‘compatible’ with the original purpose(s) it was obtained for. Data collection must be transparent. If you have people’s details already and have not told them you might use the data for marketing or fundraising, you may need their consent. Think carefully about how best to approach people in this situation. Take advice from the Information Commissioner’s Office (ICO) as necessary.

Give people the opportunity to say no

If someone ever tells you they do not want their details used for marketing or fundraising, you must ensure they are not contacted. Don’t leave it for them to tell you. At minimum offer an opt-out tick box when you collect data. If this is not possible, tell them an easy way to opt out.

It is an offence to make a cold marketing call to a number on the Telephone Preference Service (TPS) register unless you have specific permission from the individual. There is some doubt over whether fundraising counts as marketing for TPS purposes (it almost certainly does for data protection purposes).

People may consider marketing or fundraising by phone, email or other electronic means more intrusive. It is best practice to get positive consent for these forms of contact (opt in). This is required for donations, but for events and merchandise sales etc, an opt out may be acceptable. Regular contact by email – even a newsletter that is not strictly marketing or fundraising – should always contain instructions on how to unsubscribe.

Share data carefully

Whenever data leaves your organisation for any reason you must take adequate security measures to prevent it getting lost or falling into the wrong hands. This means:

  • always use the most secure means of transfer available in the circumstances: for example, VPN (not email), courier or registered post (not ordinary post)
  • minimise the quantity and extent of data involved. Exclude any individuals or data items that are not required for the purpose
  • encrypt data and password protect the file or media on which the data is transferred. This reduces accessibility if it falls into the wrong hands. Security requirements vary depending on the nature and size of the data being sent. The ICO can provide advice on this.

If you buy in or swap lists you must be satisfied the people concerned have been told and have not opted out. For email lists they must always opt in. When you buy or rent a list, ask for a written warranty that appropriate consents are in place.

If you are going to share or sell data you must always tell people in advance that this will happen. Indicate the type (and, for regular transfers, the identity) of organisations you will pass the data to.

If you send data to a third party for processing (for example, an agency that will make the calls or a mailing house to send out information) you are responsible for what happens to it. You must make sure the processor has proper security and will only use the data for the purposes you have authorised.

If you share data with an organisation overseas (possibly even when you put it on a website where it is accessible overseas) you must comply with the rules for transferring data abroad.

Everyone has the right to see their personal records. You can charge up to £10 and send the records within 40 days of a written request.

Every website must have a privacy statement explaining how you use personal data. Ensure it is up to date, accessible and covers all your main responsibilities.

If you take money from people by credit or debit card, make sure you are familiar with the Payment Card Industry Data Security Standard (PCI DSS).

Source: Published with permission from the Directory of Social Change.

Get more help

The Fundraising Regulator has produced GDPR and Charitable Fundraising – Guidance Briefings

Guidance on creating data protection policies in our Knowledge bank

NCVO offers training on data protection and using data – check out our latest events

The Institute of Fundraising has guidance on GDPR: The Essentials for fundraising organisations

Page last edited Apr 10, 2019
