Search Our Site

We have 3,751,322 registered online learners.
1,100 new learners so far today.

Five ways your charity can prepare for GDPR

schedule 8th January 2018 by Helen McKay in Virtual College Last updated on 24th April 2018

Charity shop assistant

As of May 2018, any type of personal data held by charities will be affected by the new GDPR legislation. As such, all charities will need to rethink their current procedures and practices. The personal data in question could be anything from employee and volunteer records, donors’ personal or financial information, or simply data held on users and members. The fundraising data itself could potentially prove problematic for charities, as explicit consent will be required to retain current records. Because of this, third sector organisations might initially see a reduction in the number of donors which they have access to. However, in some cases this could lead to a better quality database going forward – the remaining data is likely to be made up of donors who are generally more engaged, therefore more willing to support the charity.

There are a variety of ways in which the third sector can prepare for this significant regulation change. Below is an overview of the five key actions you may wish to consider in preparation:

1. Data Auditing

Although a data audit is not specifically required under the GDPR, it is essential that you have a comprehensive understanding of the data your charity already holds. Audits are a great way of outlining whether or not your existing data will be compliant under the new GDPR legislation. By auditing your existing practices you will gain a clear picture of the areas you may need to look into and improve.

2. Governance & Accountability

It is essential to establish the key people or employees within your charity and their direct responsibilities around GDPR. Who will be responsible for implementing the GDPR policy? Who is required to follow those policies as part of their job? Are your trustees on board? You may need a designated Data Protection Officer, or a GDPR consultant. As part of the accountability requirement you will also need to make sure that everyone across the organisation is aware of what they need to do.

3. Staff and volunteer training

It is essential that all employees and regular volunteers have knowledge of GDPR. Depending on the individual roles within your organisation, formal training may also be required. As well as understanding GDPR, your staff will also need to be knowledgeable of how your charities specific internal processes will be effected by the forthcoming changes.

4. Lawful processing

This is one of the biggest elements of GDPR. You must now have what is known as a lawful basis for collecting and processing an individual’s data. The full details of what constitutes lawful basis can be found in official EU guidelines but, for example, includes regulation around complying with other laws – they include things like it being a necessity to comply with other laws, it being a necessity to carry out the service requested by the individual, or that you have their explicit consent. As a result, you will now need to consider whether your charity has a legal basis for collecting the information that you currently do currently requested. This will need to be established this in a policy going forward.

5. Consent

A major aspect of lawfully processing data is consent. It is critical that your charity has a comprehensive policy and procedure in place, for both gaining consent in the first place and storing a record of it afterwards. It is expected that the majority of GDPR fines will first be directed at organisations which fail to gain consent for their information processing activities, so planning ahead now in anticipation of the GDPR should be of utmost importance. It is also important to note that children are covered by the GDPR. As they cannot legally give their own consent to having their data collected or processed themselves, charities must receive consent from their parent or guardian instead. However, charities set up to protect children, such as Childline for example, can avoid having to request this consent – as they have been set up exclusively to protect and counsel children.

Virtual College has a range of free GDPR resources including a downloadable infographic and an interactive game, as well as our free overview course designed to give an introduction to GDPR and to help you gain a basic understanding. We also offer a fully comprehensive GDPR course Sign up to our free overview.

Related resources

Helen McKay Author

Author: Helen McKay

Helen is a Learning Technology Advisor who leads the charity sector strategy, championing the benefits of learning technologies across the third sector. Helen has 10 years’ experience of working with a variety of charities and enjoys volunteering for a number of local charities in her free time.

ISO 9001:2015
Crown Commercial Service Supplier
LPI Accredited Learning Technologies Provider


+44 (0)1943 605 976

Virtual College

Marsel House


West Yorkshire

LS29 8DD

Awards for footer
Gold and silver award winners at the Learning Technologies Awards 2017 - including gold for excellence in the design of learning content.


We are in the process of moving to one Virtual College website. If you want to go back to a course, or start a course, bought from our old website then you may need to login to our original learning management system. Otherwise, please proceed to our new learning management system to return to your training.


You are already logged in. Click the button below to be taken to your LMS dashboard. Alternatively, click logout to leave the system.