GDPR Compliance for Charities: What You Need to Know and Do

Think GDPR is just for the big players? Think again.

 

Every charity, community group, and voluntary organisation that collects or stores personal data must comply with the General Data Protection Regulation (GDPR). That includes everything from donor names and email addresses to sensitive service user information. 

GDPR Compliance for charities - Cranborne Tech

Unfortunately, many non-profits assume GDPR is either too complex, too expensive, or simply not relevant to them. But the truth is, data protection is now a key part of how you're judged—by the public, by funders, and by the regulators. 


At Cranborne Technologies, we help charities get compliant in ways that are realistic, affordable, and easy to maintain. Because data security isn’t just about avoiding fines. It’s about protecting your reputation—and the people you serve. 


Why GDPR Matters More Than Ever 

Data is a powerful asset. But if mishandled, it becomes a liability. 


Whether you’re running a local advice service or a national housing trust, chances are your charity handles personal information daily: donor lists, referral forms, medical records, volunteer details. 


That makes you a data controller under GDPR and gives you a legal duty to protect that information from loss, misuse, or unauthorised access. 

Still not convinced? Here’s what’s at stake: 

  • Fines – The Information Commissioner’s Office (ICO) can issue penalties for non-compliance, even if you're a small organisation. 
  • Reputation – A data breach can seriously harm the trust you've built with donors, service users, and partners. 
  • Regulatory standing – Data protection is increasingly part of funding criteria and service audits. Poor practices could limit your opportunities. 


What GDPR Requires from Charities 

At its core, GDPR is about accountability, transparency, and responsible data use. Here are the basics you need to get right: 


1. Know what you collect and why 

You must document what personal data you hold, where it’s stored, how it’s used, and your legal basis for using it (e.g., consent, contract, legitimate interest). 


2. Obtain proper consent 

Gone are the days of pre-ticked boxes. You must ensure individuals knowingly opt in to communications and have a clear way to opt out. 


3. Store data securely 

Whether it’s on a local PC, a cloud system, or a paper file, you must safeguard data against theft, loss, or unauthorised access. 


4. Limit access 

Only staff or volunteers who need specific data should have access to it. Access control is a basic but powerful safeguard. 


5. Be ready for Subject Access Requests 

Any individual can ask what data you hold on them and request that it be corrected or deleted. You need a plan for how to respond. 


Where Charities Often Struggle 

You’re not alone. Many non-profits face similar challenges: 

  • Using spreadsheets or USBs to manage donor lists 
  • Storing sensitive files in unsecured email accounts 
  • Sharing passwords among team members 
  • Not knowing who has access to what 
  • Using outdated devices or software that lacks basic protections 


These aren’t just IT issues they’re organisational risks. Without proper systems and oversight, even well-intentioned teams can breach GDPR rules. 


How Cranborne Supports You 

At Cranborne, we specialise in helping UK charities and non-profits build practical, sustainable data protection strategies. Here’s what we do: 


✔ Data audits 

We map out what data you hold, where it’s stored, who has access, and where the vulnerabilities are. This forms the foundation of your GDPR compliance plan. 


✔ Secure cloud storage 

We move your sensitive documents to secure, encrypted platforms like Microsoft 365 and SharePoint removing the risk from USBs, desktops, or email chains. 


✔ Email encryption & access control 

We configure your systems so that only authorised users can access sensitive information, and all email communications are encrypted. 


✔ Backup & recovery 

We help you build a simple, reliable recovery plan—so that if something goes wrong, your data isn’t gone forever. 


✔ Training & ongoing support 

We can also deliver awareness sessions for your team, helping them understand the importance of GDPR and their role in keeping data safe. 


Why It’s Worth Doing 

Yes, GDPR can seem daunting. But getting it right shows funders, partners, and service users that you take trust seriously. It builds confidence, demonstrates professionalism, and helps you stand out in a competitive funding landscape. 


With the right tools in place, data protection becomes something that works quietly in the background—keeping your organisation safe while your team focuses on what matters: delivering impact. 


What You Can Do Next 

If you’re unsure where to start, begin with a data audit. Find out what personal information you’re holding, why you’re holding it, and whether your current systems are secure. 



From there, you can make targeted improvements that reduce risk and improve confidence. 

Contact us

Why Every Business Should Consider a Dark Web Monitoring Assessment

October 6, 2025
It sounds a bit like something out of ‘Halloween’, but the Dark Web is a real threat to business. How safe is yours? Most business leaders are aware of the need for firewalls, antivirus software, and secure backups. But what often goes unnoticed is one of the most dangerous threats lurking out of sight: the dark web. For cybercriminals, it’s a marketplace; but for businesses, it’s a serious risk. What is the dark web? The dark web is a hidden part of the internet where stolen data is traded, including email addresses, login credentials, financial information, and personal details. Once your company’s information appears there, it’s often too late; attackers already have what they need to strike. That’s why Cranborne, in partnership with Kaseya, offers dark web monitoring assessments. These assessments are a proactive way to discover whether your business is already exposed and to take steps to protect yourself. Whatever industry you’re in, the benefits are clear. 1. Find Out What’s Already Out There The first advantage of a dark web assessment is visibility. You can’t protect what you can’t see. Many businesses are shocked to learn that staff email addresses, old logins, or even sensitive company data are already circulating online without their knowledge. By scanning the dark web for compromised credentials linked to your business, an assessment provides clarity. It shows you what attackers may already know and arms you with the insight to act. 2. Protect Your Staff and Customers A single stolen password can unlock far more than an inbox. Attackers often reuse credentials across multiple systems, meaning that if an employee used the same password for email and payroll software, both could be at risk. Discovering these vulnerabilities early means you can enforce strong password resets, introduce multifactor authentication, and prevent further spread. In all industries where personal and financial information is at stake, this protection is essential for safeguarding customer trust. 3. Support Compliance and Governance Regulations like GDPR require businesses to protect personal data and respond quickly to breaches. Neglecting this responsibility may harm your professional reputation and could lead to substantial financial penalties. A dark web monitoring assessment supports compliance by proving you are actively monitoring risks beyond your immediate systems. It shows regulators, partners, and clients that your organisation takes data protection seriously and is investing in best practice. 4. Reduce the Risk of a Larger Attack Cybercriminals rarely strike without preparation. According to Kaseya’s security insights, attackers often spend weeks probing and preparing before deploying ransomware or phishing campaigns. Early warning makes all the difference. A dark web assessment provides that warning. By identifying leaked credentials before attackers use them, you can lock down systems, change passwords, and strengthen security — potentially stopping a full-scale attack before it begins. 5. Empower Your People Staff remain the first line of defence, and they need to understand how attackers operate. Dark web assessments help here, too. Showing your team real examples of leaked company data makes cybersecurity feel real and personal. It’s no longer an abstract “what if”; it’s proof that threats exist and must be taken seriously. With the right training and awareness, your staff become empowered to act securely. 6. Cost-Effective Risk Reduction Some leaders assume dark web monitoring is only necessary for banks, hospitals, or large corporations. Small and medium-sized businesses are frequent targets since attackers assume their defences are weaker. Compared to the cost of downtime, lost data, or reputational damage, an assessment is a low-cost, high-impact way to reduce risk. It’s proactive insurance that helps keep your business resilient. Why Now? Cybersecurity threats are increasing in volume and sophistication, and remote work has opened new doors for attackers. As the Kaseya checklist highlights, securing your organisation requires a multi-layered approach: patching, backups, strong authentication, employee training — and yes, monitoring the dark web. Whatever business you're in, a dark web monitoring assessment is a practical step you can take today to strengthen your security tomorrow. Take the Next Step with Cranborne Cranborne, working with Kaseya, offers a straightforward assessment to show you exactly what data linked to your business has already surfaced on the dark web. Quick – fast results with minimal disruption. Clear – easy-to-understand reporting on what’s been found. Actionable – guidance on the next steps to secure your business. The truth is simple: it’s not a matter of if your data will appear on the dark web, but when . The question is whether you’ll find out before the attackers use it. An assessment gives you the insight you need to act now and the confidence that your business is one step ahead. Ready to know what’s out there? Contact us today to book your dark web monitoring assessment and take the first step toward stronger, smarter cybersecurity.

Cyber Supply Chain Resilience: Lessons from the Jaguar Land Rover Attack

October 6, 2025
When news broke earlier this year that Jaguar Land Rover (JLR) had been forced to halt production at multiple UK plants due to a cyberattack on one of its suppliers, it sent shockwaves through the business community. The attack didn’t directly target JLR itself, but rather a critical part of its supply chain, yet the consequences were immediate, costly, and highly visible. For organisations of every size, from global manufacturers to SMEs and charities, the lesson is clear: your cyber resilience is only as strong as the weakest link in your supply chain. What Happened at Jaguar Land Rover? The disruption at JLR stemmed from an attack on a third-party supplier that produced key electronic modules used across its vehicle range. When the supplier’s systems were compromised, they were unable to deliver components on schedule. JLR had no choice but to suspend production temporarily, sending thousands of workers home and losing millions in revenue each day. Customers faced delays, dealers had shortages, and brand reputation took a hit. This incident illustrates a truth many businesses are only just recognising: a cyberattack anywhere in your extended ecosystem can hit your bottom line just as hard as an attack on your own network. Why Are Supply Chain Attacks Increasing? Several factors make supply chain attacks attractive to cybercriminals: One breach, many victims: Compromising a supplier often provides access or leverage over multiple downstream organisations. Trust relationships: Businesses tend to grant suppliers higher levels of access or integration, making lateral movement easier once a breach occurs. Weaker security controls: Not every supplier has the same level of cyber maturity. Attackers deliberately target smaller or less well-resourced firms in the chain. Ransom leverage: Attackers know disruption to the supply chain can be so damaging that businesses may feel compelled to pay quickly to restore operations. Research from the UK’s National Cyber Security Centre (NCSC) shows that supply chain compromise is now one of the fastest-growing attack vectors. The JLR case won’t be the last high-profile example. The Real Risks for UK Businesses While a global car manufacturer makes the headlines, SMEs, care homes, housing trusts and non-profits are just as vulnerable. Consider the following risks: Operational disruption – inability to deliver services or products due to supplier outage. Data leakage – if a supplier holds or processes your customer data, a breach could expose you to regulatory fines. Financial loss – downtime, remediation, and reputational damage all carry a cost. Regulatory compliance – frameworks like GDPR and the Cyber Security & Resilience Bill place responsibility on you for the security of your data, even when processed by third parties. Ignoring these risks is no longer an option. How to Build Cyber Supply Chain Resilience? So, what practical steps can organisations take? Here are some best practices Cranborne recommends to our clients: 1. Map Your Supply Chain Start by identifying all your key suppliers, contractors, and service providers. Understand what systems or data they touch and how critical they are to your operations. Many businesses are surprised at just how many third-party relationships they depend on. 2. Assess Supplier Security Not all suppliers are equal. Carry out due diligence on their cyber posture. Do they have Cyber Essentials or ISO 27001 certification? Do they conduct regular penetration tests? Build these checks into your procurement process. 3. Contractual Safeguards Where possible, include security requirements in supplier contracts. Define expectations around data handling, breach notification, and compliance. Make sure there are consequences for non-compliance. 4. Continuous Monitoring Cyber risk is not a one-time exercise. Implement processes to regularly review supplier risk, update assessments, and track any incidents. Automated risk-scoring tools can help. 5. Incident Response Planning Assume that at some point, a supplier will suffer a breach. The key is to minimise impact. Have clear playbooks for how you will respond if a critical partner goes offline. Test those plans regularly. 6. Diversify Where Possible Avoid single points of failure. If one supplier provides a mission-critical service, explore whether an alternative source or backup arrangement is feasible.  7. Educate Your Team Procurement, finance, and operations teams all play a role in managing supplier risk. Make sure they understand what to look for and how to escalate concerns. Turning Risk into Opportunity Customers, investors, and regulators are all placing increasing emphasis on resilience and good governance. Demonstrating that you manage your supply chain risks effectively can strengthen your reputation, build trust, and open new opportunities. For SMEs in particular, achieving Cyber Essentials Plus certification and working with partners like Cranborne can also make you more attractive to larger customers who want assurance that their downstream supply chains are protected. How Cranborne Supports Cyber Essentials At Cranborne, we guide organisations through the Cyber Essentials and Cyber Essentials Plus certification process from start to finish. Our team helps you assess your current controls, identify gaps, and implement the technical and policy measures needed to meet the standard. Final Thoughts The Jaguar Land Rover incident is a wake-up call for all UK organisations. Even the biggest brands can be brought to a standstill by an attack outside their direct control. By taking proactive steps now, from mapping suppliers to embedding cyber requirements in contracts, businesses of every size can build greater resilience and reduce their exposure. At Cranborne, we work with organisations across healthcare, financial services, retail and non-profit sectors to strengthen their cyber resilience, including supply chain risk management. If you’d like to explore how we can support your organisation, get in touch with our team today.