Do we need to review our Data Protection Policy?

In this week’s Frequently Asked Friday, we’re looking at a question that comes up time and again for trustees and charity leaders: do policies like data protection really need regular review? It can be tempting to file them away once written, but policies aren’t meant to gather dust. As Helen Oparinde, Sector Growth Coordinator, explains, keeping them up to date is essential for staying compliant with fundraising regulation, new data laws, and the expectations of the people you support.

 

Question

We have an organisational data protection policy in place. Do we need to review it from time to time?

 

Answer

Yes. It’s good practice to review your policies every year.

There are two main reasons for this:

  • To check whether any laws or regulations have changed
  • To see how well the policy has worked in real life

A simple way to make sure reviews don’t get forgotten is to add them as a standing item on your trustee board agenda. That way, policies can be refreshed regularly and stay useful.

How data protection relates to fundraising
Many charities use personal data to improve their fundraising communications and keep supporter records. The Data Protection Act, which came into effect in May 2018, gives individuals more control over their personal information.

As we mentioned in our recent blog on Fundraising Regulator Registration, the Code of Fundraising Practice also sets rules around how you use personal data.

In simple terms:

  • 'Processing data' means anything you do with personal data: collecting, storing, or using it
  • Personal data is any information about a living person that identifies them directly or indirectly. This could be keeping records or sending marketing materials
  • Fundraisers must have a legal reason to use personal data. There are six legal bases, and at least one must apply whenever you process data
  • Section 3 of the Code explains the rights people have over their personal data, and Section 9 covers standards for marketing your fundraising campaigns

Don’t forget the Fundraising Preference Service (FPS)
The Fundraising Preference Service (FPS) is a free tool that lets people stop direct marketing from charities by mail, email, text, or phone.

If someone makes an FPS request, your charity must act quickly, within 21 days, to remove them from your marketing lists. The FPS sends notifications to the contact email listed for your charity on the Charity Commission website. Keeping these details up to date is essential.

Failing to respond to FPS requests is a breach of the Code of Fundraising Practice. Non-compliance could be reported to the Charity Commission or the Information Commissioner’s Office.

What’s new with the Data (Use and Access) Act 2025 (DUAA)
The Data (Use and Access) Act 2025 became law on Thursday 19 June 2025. Key changes for charities include:

  • Allowing some electronic mail marketing without explicit consent in certain cases
  • Requiring a data protection complaints procedure
  • Introducing a new lawful basis called 'recognised legitimate interests'

Most of the new rules will start two to six months after Royal Assent, though some could take up to 12 months.

The so-called 'soft opt-in' for charities hasn’t started yet, but now is a good time to prepare. You could:

  • Review your email marketing processes and check that you accurately record people’s preferences
  • Carry out a legitimate interests assessment to see if soft opt-in would suit your charity

Next steps for your trustees
At your next trustee board meeting, consider reviewing your data protection policy, or creating one if you don’t already have it. Staying ahead ensures you’re legally compliant and protecting your supporters’ data.

Need advice? Our Request for Support service can help you understand what policies you need and when to review them.

Want to improve your trustee meetings? Book onto one of NCVS’s training courses designed to give you the skills needed for running a successful organisation, free as part of our 150th anniversary celebrations.

 

 

Helen Oparinde, NCVS Group Support Coordinator