Checklist for boards of charities and other voluntary organisations

This is a list of legal aspects that need to be covered by most voluntary organisations.  The middle column then contains some suggestions on how the aspect could be monitored by your board.  The right hand column suggests available resources.

Please note that the list is designed to be adjusted to suit your organisation and is not an exhaustive list of legal obligations or good governance expectations. Legal duties may alter as new laws are passed therefore the organisation may need to add to or adjust the list in the future.

The following document includes guidance and information on:

  • Board Processes
  • Regulators
  • Operations
  • Employment Law
  • HMRC
  • Dealing with Assets


The following document lists some of the services that can be provided in a community centre:

Model Centre Checklist


The General Data Protection Regulation comes into force from 25th May 2018. Here are some steps to compliance:

  • Appoint a Data Protection Officer (DPO) in your organisation (highly recommended)
  • Register with the Information Commissioners Office as an organisation processing personal data.
  • Make preparations for implementing and performing Data Protection Impact Assessments (process to identify, assess and mitigate or minimise privacy risks with data processing activities)
  • Assess all points of data collection to ensure that explicit consent is properly requested in each case
  • Prepare, document and communicate processes for managing subject data access requests
  • Develop processes to allow individuals to amend or delete their personal data
  • Review data retention and destruction procedures for all data (including offline) as used by your organisation
  • Check data storage locations for proper security and apply access controls
  • Re-assessed your supplier contracts in relation to the GDPR
  • Make preparations to detect and report breaches as part of a response plan
  • Prepare for regular compliance audits or reviews to identify and fix issues
  • Review and update your Privacy policies
  • Review and update your Data Protection policy
  • Ensure that all Directors, Trustees, staff, volunteers are trained on GDPR and understand organisation’s policies
  • Safeguard your organisation by only allowing access to personal data to DBS checked individuals
  • Update your website and refer to the new policies in all communications
Common data processing activities
Membership Lists Event booking forms Invitation letters
Email Mailing Lists Funeral booking forms Marriage records
Text Messaging Lists Finance records Correspondence
Student registrations Donation receipts CCTV recordings
Events registrations Postal addresses Reception registers