UK GDPR for Charities 2026: 12-Point Checklist (DUAA Update)
UK GDPR for charities updated for the Data (Use and Access) Act 2025. Soft opt-in rules, SARs, and a 12-point annual review checklist.
UK GDPR for Charities 2026: 12-Point Checklist (DUAA Update)
A practical UK GDPR checklist for small UK charities — fully updated for the Data (Use and Access) Act 2025 changes that came into force February 2026, including the new soft opt-in for charity marketing.
Last reviewed: 29/05/2026
Written by Ivan Siyanko, Founder & CEO, CharityIQ.
TL;DR
The Data (Use and Access) Act 2025 (DUAA) received Royal Assent on 19 June 2025; charity provisions came into force on 5 February 2026. DUAA amends UK GDPR, DPA 2018, and PECR — it doesn’t replace them. Biggest charity-specific change: a soft opt-in for charity electronic marketing — but only for new contacts collected after 5 February 2026.
What changed for UK charities in 2026
For five years, charities have operated under UK GDPR, DPA 2018, and PECR 2003. The ICO is the regulator. DUAA is the first major update since Brexit — Royal Assent 19 June 2025, charity provisions live since 5 February 2026. DUAA amends the existing rules; doesn’t rewrite them. Most of UK GDPR works exactly as before. The amendments are targeted.
The new charity soft opt-in (from 5 February 2026)
Until February 2026, charities had to obtain explicit, opt-in consent for electronic marketing. DUAA introduces a soft opt-in similar to the one businesses have under PECR. All three conditions must be met:
- The communication’s sole purpose is to further the charity’s charitable purposes.
- The contact details were collected when the person expressed interest in the charity’s purposes — newsletter sign-up, event, donation.
- The person was given a chance to opt out when their details were collected, and is offered easy opt-out in every subsequent message.
Critical caveat: the soft opt-in does not apply retrospectively. Old contacts (pre-5 Feb 2026) continue under previous rules.
Other DUAA changes
SARs: “stop the clock” provision now in legislation, “reasonable fee” or refusing manifestly unfounded requests clearer. Default 1-month deadline remains. Automated decision-making: some restrictions loosened (Article 22), but special category data safeguards remain strict. Cookies: simplified consent for low-risk non-essential cookies; strictly necessary remain exempt.
The 12-point UK GDPR checklist
1. Confirm your role(s) — Controller, Processor, or Joint Controller. 2. Maintain a ROPA — most small charities can fit theirs on two pages. 3. Identify lawful basis — Article 6 sets six. For charities: contract performance, legitimate interests, consent, legal obligation. Don’t pick consent by default. 4. Have a current privacy notice — plain English, reachable from every page. 5. Confirm marketing consent — separate old (pre-Feb 2026) from new contacts. Audit your CRM. 6. Process SARs within one month — keep a SAR procedure, log, templates. 7. Have a data breach response plan — identify, assess, notify ICO if needed within 72 hours. 8. Check sub-processor contracts (Article 28 DPAs) — CRM, email, hosting, payment, analytics. 9. Apply data minimisation to beneficiary records — collect only what reporting requires. 10. Apply privacy-by-design for new tools, especially AI. ICO has dedicated AI guidance. 11. Document staff training — annual UK GDPR awareness. 12. Review annually — half-day with this checklist as the agenda.
From CharityIQ. CharityIQ stores GDPR settings centrally — privacy notice version, consent records, breach log, sub-processor list, training register. Trustees see compliance at a glance. See compliance →
Common GDPR mistakes UK charities make
1. Treating “consent” as default lawful basis. It’s not. Legitimate interests is more appropriate for most operational processing. 2. Pre-checked opt-in boxes — not valid consent. 3. Unclear privacy notice — outdated or too long. 4. Beneficiary data shared without consent — photographs, quotes, case studies need explicit consent. 5. Sub-processor lists not updated.
What to do this week
If your last formal GDPR review was over 12 months ago: 1. Audit current marketing consent records — separate old/new contacts. 2. Update your privacy notice to reference DUAA. 3. Schedule a half-day annual review.
FAQ
Q: Does DUAA mean we don’t need explicit opt-in any more? No. DUAA introduces soft opt-in alternative under specific conditions; explicit consent is still required for special category data, third-party marketing, or pre-Feb 2026 contacts. Q: Can we use soft opt-in for existing supporters? No, not retrospectively. Q: Do we need a DPO? Required for public authorities, large-scale monitoring, or large-scale special category data. Most small charities appoint a Data Protection Lead instead. Q: How does GDPR interact with safeguarding? Safeguarding obligations override; lawful basis is “legal obligation” or “vital interests”. Document each disclosure. Q: Can we still use Mailchimp? Yes — UK adequacy + Data Privacy Framework cover certified US providers. Q: Maximum fine? £17.5m or 4% global turnover. ICO enforcement against small charities is rare and remediation-focused.
GDPR compliance, built into your charity’s everyday workflow.
Start a free 14-day CharityIQ trial. Join Waitlist →
Written by Ivan Siyanko, founder of CharityIQ.
Related: Annual Return 2026 · SORP 2026 Trustee Guide · ChatGPT for Charities
Sources: DUAA 2025 — gov.uk · ICO — DUAA · ICO — UK GDPR guidance · ICO — Direct marketing under PECR