Skip to main content

Five data protection risks every charity CEO should have on their radar

Sponsored content from Hope & May

For many charity leaders, data protection still sits in the category of operational compliance. Important, yes – but often viewed as something owned by IT, fundraising, or governance teams rather than the CEO’s office.

However, data protection is fundamentally a leadership issue. It affects public trust, organisational resilience, supporter confidence, safeguarding, fundraising, partnerships, and reputation. And increasingly, when things go wrong, scrutiny lands on leadership and oversight.

The challenge is that data risks rarely arrive dramatically. More often, they build quietly over time through outdated processes, inherited systems, stretched teams, and assumptions that no one has revisited for years. With that in mind, below are five data protection risks every charity CEO should have firmly on their radar.

1. Legacy supporter databases that no one fully understands

Many charities are sitting on years – sometimes decades – of supporter data accumulated across multiple systems, campaigns, websites, events, and fundraising platforms. In some cases, nobody fully understands:

  • what data is held
  • where it originated
  • whether consent records still exist
  • who has access to it
  • or whether the organisation still has a lawful reason to retain it

This is particularly common following CRM migrations, mergers, website rebuilds, or changes in fundraising teams.

The risk is not simply regulatory. Legacy databases can create operational confusion, undermine supporter trust, and expose charities during Subject Access Requests or data breaches.

For CEOs, the key question is not “Are we GDPR compliant?”, but rather: “Do we actually understand the data estate our organisation is responsible for?”

2. Supplier and processor complacency

As any other businesses, charities rely heavily on third-party suppliers, such as CRM providers, email marketing platforms, and volunteer management tools.

Yet one of the most common issues we encounter is an assumption that: “If we use a well-known provider, the risk sits with them.”

However, under UK GDPR, charities remain accountable for the personal data they control, even when external suppliers process that data on their behalf.

The issue is rarely that charities choose “bad” suppliers. More often, supplier relationships simply become static over time, as contracts are not revisited and due diligence becomes historic

For CEOs, supplier assurance should form part of wider organisational risk management and governance conversations.

3. Over-reliance on “we’ve always done it this way”

Some of the biggest data protection risks in charities stem from habit. Processes introduced years ago gradually become embedded in organisational culture.

The difficulty is that the regulatory environment, technology landscape, and public expectations around data have changed significantly over the last decade – while many operational practices have not.

For CEOs, one of the most valuable things you can encourage is curiosity. The willingness for teams to occasionally step back and ask: why do we do it this way? Is this still appropriate?

That mindset alone can prevent a significant number of avoidable risks.

4. Lack of incident readiness

Many charities have policies in place for data breaches. Far fewer are genuinely prepared to respond calmly and effectively when an incident occurs, such as emails sent to the wrong recipient, lost devices, accidental disclosures, inappropriate access permissions, and cyber-attacks

The issue is what happens next:

  • confusion over reporting responsibilities
  • delayed escalation
  • uncertainty around severity
  • inconsistent decision-making
  • lack of leadership visibility

CEOs do not need to manage incidents personally, but they do need confidence that responsibilities are clear, escalation processes work, and everyone understand their roles.

5. Treating data protection purely as compliance

Perhaps the biggest risk of all is viewing data protection as little more than a regulatory obligation. The charities that manage data well tend to have something in common: they understand that good data protection is fundamentally about trust.

Supporters trust charities with personal information. Beneficiaries trust organisations with sensitive and sometimes deeply vulnerable data. Staff trust employers to handle information responsibly.

Strong data practices reinforce that trust. Poor practices erode it – often quietly at first, but sometimes very publicly.

For charity leaders, the goal should go beyond avoiding fines or “passing” compliance checks. It should be building an organisational culture where responsible data handling is understood as part of ethical leadership and good governance.

At Hope & May, we work with charities across the sector to help build practical, proportionate approaches to data protection and governance – supporting organisations to move beyond fear-driven compliance towards greater confidence, clarity, and resilience. If you have any concerns about your charity’s data protection, or would like to discuss how we can help strengthen your organisation’s approach, we’d be delighted to hear from you. Contact the Hope & May team at info@hope-may.com.

Share

Not an ACEVO member?

If you have any queries please email info@acevo.org.uk
or call 020 7014 4600.