AI, data protection and charities: What you need to know about using data-driven tools

28 May 2026

Artificial intelligence (AI) products offer charities significant opportunities to improve their operations and unlock efficiencies. From donor analytics to beneficiary support tools, data-driven technologies have clear benefits. However, these come with important legal and regulatory considerations. Even in the absence of UK-specific legislation targeting AI, data protection requirements are still very relevant, and the Charity Commission have confirmed that “AI should be used responsibly in a way that furthers your charity’s purposes”. If your charity carries out activities in the EU you are likely to also be subject to the EU AI Act.

A recent report showed 76% of charities are using AI, but only 22% are reviewing their AI governance. In this article we’ll look to summarise some of the key considerations and risks when using AI, and what your governance goals should look like.

Using personal and sensitive data

If you’re a charity providing an AI system with access to your data, this may include:

  • Personal data: names, contact details, donation histories, or volunteer records.
  • Special category (sensitive) data: information about health, ethnicity, religious beliefs, or other protected characteristics – the relevance and risk here will largely depend on your charity’s purpose.

You might use AI tools which access or are trained on that personal data to identify patterns, make predictions, or provide suggestions (such as targeting campaigns more effectively or deciding where to focus resources). Data protection law requires that your use of personal data must be lawful, fair and transparent. Particular care is required where:

  • Sensitive data is used (triggering stricter conditions for processing), or
  • Decisions are made solely by automated means, where they may have a significant effect on individuals.

Other AI uses

AI is also commonly used to generate content (including text and images) which might be used outside of the charity.

Key risks for charities

Charities should be alert to several common risk areas:

  • Lack of transparency or lawful basis: individuals may not understand how their data is being used or that AI is involved. You may also be profiling individuals in a way which infringes data protection law.
  • Bias and discrimination: AI outputs may be biased and using an AI system may lead to unfair outcomes.
  • Confidentiality: non-enterprise AI systems often use input data to train their own models, meaning the data you provide is no longer private.
  • Security: using a publicly available AI system (such as a customer chatbot) also brings AI-specific security risks (such as a user manipulating the AI system to gain unauthorised access to data).
  • Infringement: AI-created content may infringe third-party rights, or the limited rights you have in it may affect your ability to act against third parties that copy it.

Addressing risks

To use AI responsibly and compliantly, charities should consider the following steps:

  1. Review existing data protection procedures

Review your lawful bases to ensure your use of AI is compliant, and update privacy notices to clearly explain how AI tools are used, what data is processed, and the purpose of that processing.

  2. Carry out Data Protection Impact Assessments (DPIAs)

Where using personal data is likely to result in high risk to individuals (which will often be the case when utilising AI), a DPIA is mandatory under data protection law. This will also help identify and mitigate risks at an early stage. Consider expanding this assessment to include other AI risks.

  3. Audit and record

Ensure you understand what AI systems are currently used in your organisation, and create a record of them.

  4. Carry out due diligence and monitoring

This applies to your external providers (including reviewing their contracts), and to the continuing performance of your AI systems.

  5. Implement internal governance structures

Set out clear internal rules on what AI can be used, how it is used, and what human oversight is required. You should also create an overarching governance policy and identify individuals responsible for AI compliance within the organisation.

Final thoughts

AI presents exciting opportunities for charities, but its use must be balanced with robust governance. By staying aware of data protection requirements and other risks from the outset, charities can harness innovation while maintaining trust and compliance.

If you are considering deploying AI tools and would like tailored advice, or would like to know more about our AI Governance Toolkit, please contact our team.

Elliot Fry

Managing Associate
Commercial and Tech
