Data protection training: why it shouldn’t be a one-off

Accidental or deliberate data breaches can cost a charity money, reputation and public trust. Inadequate data hygiene and suppression carry the same risks, with the added danger of making a difficult situation worse for a supporter or their family. It's absolutely essential, then, to ensure that any staff handling personal data are not only up to date and familiar with regulations and best practice, but also understand your organisation’s processes.

Eight years into GDPR, most charities have processes in place to tick the compliance boxes, including data protection training for new staff. But this should be more than a one-off exercise at induction, and there also needs to be buy-in as to why GDPR is important. People forget, laws evolve, practices shift and sometimes it can be tempting to cut corners without understanding the impact. Regular refresher training helps minimise human error, and ensures everyone’s up to date with changes. Crucially too, it helps to build a culture where staff understand the need for data protection, feel confident raising questions or concerns, and the supporter is kept at the heart of everything a charity does.

Updating everyone who handles personal data

So, what should you do? The ICO is clear: data protection is everyone’s responsibility. This means all staff should receive at least a basic level of training at induction, tailored to their role and responsibilities, and this should be refreshed annually.

Core topics to cover for basic training include:

  • What counts as personal data

  • Secure data handling and storage

  • The principles of data protection

  • Compliance with relevant regulations

  • Processes for handling breaches and subject access requests

  • Escalation routes for queries or incidents

  • Plus, any other data-related non-negotiables your organisation may have in place

Supporting frontline staff

A step that’s frequently overlooked, yet one of the most important for protecting consumer and supporter trust, is training for staff who interact directly with the public. They need to be primed and confident in how to respond to queries. Suppression files aren’t infallible: it can take a month for a name to be added to one (and up to three months for MPS amends to become available), and there are also multiple files to choose from with different sources. This can make it difficult to achieve 100% accuracy, so mailings will occasionally reach the wrong person.

Added to this, consumers and supporters (like most of us) probably don’t keep track of every box they do or don’t tick. So campaigns will bring some queries about where you obtained someone’s data from.

Two weeks before your campaign goes out – particularly if your charity is an infrequent mailer – anyone who answers phones or emails, from donor support to reception, should receive short training on how to respond to these questions. Often, it’s as simple as explaining where data came from, offering to remove someone from a file, and signposting the MPS if they are responding to a cold mailing.

Making training engaging

For real impact, training should be:

  • Short and easy to digest

  • Practical, with real-world examples and case studies

  • Interactive, using quizzes or role play to test knowledge

  • Tracked, with attendance and completion monitored

  • Audited periodically to ensure staff retain key information

Beyond internal training

Of course, refreshing staff knowledge is only part of the picture. Charities also need to regularly review their relationships with third parties, including annual checks of data processing agreements, goals, and aims.

Ensuring data is accurate is not only a legal requirement, but it also saves money on wasted mailings, boosts LTV, and helps people feel respected by the organisation. And of course, part of ensuring data is accurate is to keep it up to date, so including a simple message in campaigns – such as “If this isn’t for you, please let us know” – makes it easy for consumers to help you do so. And at the same time, it reassures supporters that your charity is working hard to ensure it doesn’t waste their money.

Refreshing data protection training isn’t just about ticking the compliance boxes. It’s about protecting people, building trust, and ensuring supporters remain at the heart of everything a charity does. Combining annual training updates with targeted pre-campaign refreshers and ongoing data quality checks helps to strengthen compliance, reduce risk – and safeguard the relationships that matter most.

For more information on this topic, contact Suzanne here.

 

Melanie May