What Small Charities Need to Know About Data Governance

  • UK data breaches cost companies approximately £3.2m (research from IBM Security)
  • Charities are fined an average of £530 for data breaches
  • Over a quarter of charities fell victim to cyber-attacks last year
  • The reputational damage caused by data breaches can be catastrophic

Now that we’ve highlighted everyone’s worst fears about data and how we protect it, and dredged up that feeling of panic in every charity manager’s stomach, the question is: how do we tackle this?

What do small charities need to know and implement to ensure that this feeling of panic stays at bay, we remain compliant with data governance regulations, we protect our charity reputation, AND we still gather the right information and data to help us grow and build our charity?

We caught up with Deborah Topping of DTInfoGov in our ChariTea and Biscuits session to discuss data governance and what small charities really need to know.

Data Governance, roles, and responsibilities

Data governance relates to everything to do with the data you collect and what you do with it once you have it.

When we look at specific roles in more detail:

The data controller (person or organisation) is responsible for deciding what information to collect, how it will be used, how long it will be stored, and whether or not the data can be shared with others.

In comparison, a data processor is a team/individual/organisation who you work with and outsource your data to, for them to carry out a specific task. In these instances, it is the controller’s responsibility to tell the processor what they need them to do, with a contract or an agreement that outlines what information will be shared and why. There should be clear instructions that the information will only be processed for these purposes and no other.

For charity managers (data controllers), this means it is essential that you have a deep understanding of the data you hold and the data you need.

To help we can break data insight down in three ways:

1. What data and information are you collecting/do you store? What information do you need to be able to carry out the services you want to provide effectively? How can you safely collect this information? How long are you planning to keep this information? How are you going to manage it?

2. Why do you have this data/why do you need it? Is it to increase the reach of your services? Boost your fundraising efforts? Keep Trustees/Volunteers in the loop, etc?

3. Where is information and data held? Online? On paper-based forms? Is it collected on Gift Aid forms? Contact-us forms? Referral forms, etc.? How are you then processing the information you receive and moving this data into your systems?

It is the answers to these questions that are crucial for you to analyse the level of data risk you have and put in place protocols to manage this.

Areas of data governance to pay particular attention to

Email management is HUGE, especially when you think about how many emails you send and receive in a day and who is copied in on them: from trustees to staff, volunteers, and even donors.

However, emails contain a lot of data and, in some cases, sensitive information which is not intended for everyone.

Our advice when it comes to emails and good data governance is:

  • Check to see if everyone needs to be copied in on the emails, i.e., do you need to reply to all?
  • Does the entire chain of email conversations need to be sent every time you reply?
  • Keep your mailboxes easy to manage.
  • Be mindful that not everyone has a charity email account, and some trustees, and especially volunteers, will use their personal email addresses. In these instances BCC email should be used to protect personal information and confidentiality.
  • Delete emails you no longer need.

Working with volunteers

Volunteers do a lot to support charities, and, in some cases, we simply couldn’t function without them. However, you are still responsible for ensuring they follow data regulations and procedures.

Good practices for managing volunteers and data can include:

  • Rather than taking a formal, industry-style approach, have regular and general conversations about data collection, use, storage, etc.
  • If volunteers are collecting personal information, make sure it is collected discreetly and responsibly, following your charity’s guidelines for data collection.
  • Keep a record of all conversations with volunteers, noting that you have spoken to teams about data security and personal information.

Sensitive Documents

If you are working on a sensitive document and need to send it to someone outside of the charity, password-protect it, and make sure to send the password separately via email, text, or pass it over a phone call.

All paper-based documents should be held in locked cabinets or offices and shredded when no longer required.

With the number of cyber-attacks on businesses increasing, you must have the right software, firewall systems, and backup plans in place.

Work closely with your software provider and ask where they store your data. Is it offsite? Secure? Safe? There is no silly question when it comes to digital and protecting your data.

Regarding marketing and mailing lists, all charities must be mindful of the legislation in this area, as people now have to opt in to receive marketing communications and mailings.

For charities, this means if someone donates to your charity, you are allowed to reply with a thank you message, but that is all. You are not permitted to include any marketing information or ask them to sign up for your newsletters because this is not what they agreed to when they sent you the donation. (You can, however, include your website address or email details in the header/footer of the thank you letter).

However, if, while your volunteers are collecting data or chatting about your charity, the donor has ticked the box on your form or website to say they’re happy to be contacted, you are free to add them to your mailing list.

All communications must also have the option to unsubscribe or opt out of receiving future marketing/mailings, and this must be managed responsibly.

Have a process for data management in place

The biggest piece of advice we give to charities to ensure good data governance is to have a robust process for managing data in place.

This means knowing what data you have, what data you collect, how you collect this, how data is transferred to your systems, how it is stored, and how it is used both by yourself and third parties.

You also need to put procedures in place for what happens when there is an incident or data breach. How are you going to deal with it? Does it need to be reported to the ICO?

Useful Sites

Data governance can be scary and feel like a minefield, but it shouldn’t be, and if we stop avoiding data governance and the practices and procedures we need to put in place, the feeling of dread and panic will soon subside.

There is a lot of useful information on data governance, guides, and self-assessment online at:

You can also find more expert advice and help from Deborah Topping at https://www.dtinformationgovernance.co.uk. In addition, we have numerous resources online, and if you follow us on social media, we are always providing links to helpful websites and information guides to support charities further – make sure to follow us on Twitter, LinkedIn, and Facebook.