Blog: Is your annual return GDPR-compliant?
By Fiona Muldoon
Monitoring and Compliance Manager at the Charity Commission for Northern Ireland
When a charity submits its annual monitoring return (AMR), the PDF version of the charity’s accounts, examiner’s report or audit and the Trustee Annual Report (TAR) is automatically published on the register of charities.
Often called the annual report, the TAR is more than a compliance document - it’s your opportunity to showcase your charity’s work and achievements, as well as inspire your supporters. It is the story of your charity’s impact.
And with great storytelling comes great responsibility.
Personal data in the spotlight
Trustees often include volunteer stories, photos, or quotes to make their reports engaging and authentic. While this adds warmth, it also introduces data protection risks.
If your TAR includes personal data beyond what’s legally required, you must:
- avoid sensitive details like full names, addresses, phone numbers or anything that could identify individuals without their explicit consent.
- use photos responsibly, especially if they feature children or vulnerable adults. Always obtain written permission before publishing.
- follow UK GDPR regulations to protect privacy and avoid potential legal issues.
What happens if you get it wrong?
During the 2024–25 business year, 39 charities have had documents removed or replaced on the register:
- 87% were due to errors, such as uploading the wrong year’s accounts, submitting drafts instead of signed versions or filing documents for a different charity.
- 13% involved data protection issues. Examples of this type of issue were documents uploaded containing personal information - things like meeting notes, trustee forms or payroll files - instead of the reports they were meant to send. As soon as the Commission found out about these mistakes, the documents were removed.
Where a data protection breach occurs, as well as notifying the Commission to have the document removed from the register, trustees should also consider whether it needs to be reported to the ICO.
While we aim to remove documents quickly when issues arise, sometimes the damage is already done. Prevention is always better than cure.
That’s why we urge charities to keep data protection front and centre when submitting their annual return and to always double-check before and after filing their annual reports and accounts.
Top tips
- Review your TAR before submission with GDPR in mind.
- Always ask “Do we have consent for this photo or story?”
- Focus your report on impact, not individuals – unless you have their permission to share their data.
Your charity’s story matters but so does protecting the people behind it. Keep your reports inspiring, informative and compliant.