
What Happens to Your Charity's Data When Your IT Volunteer Leaves

06/05/26, 09:00

Most small charities rely on a single person to manage their digital systems. When that person leaves, the question of who still has access to what — and from where — is one that very few trustees have ever thought to ask.

Picture a scenario that plays out in small charities across the UK more often than most trustees would be comfortable admitting.


A volunteer — technically capable, enthusiastic, genuinely helpful — joins the organisation. Over the course of a few months, they become the person everyone turns to when something goes wrong with the website, the email system, or the shared drives. They set up the Google Workspace. They configured the donor database. They know the admin password for the website. They have access to the Microsoft 365 account. They are, in practice, the entire IT function of the organisation — and they do it all for free, in their spare time, because they believe in the mission.


Then one day, they leave. A new job, a change in circumstances, a move to another city. It happens quickly, as these things often do, and in the chaos of finding a replacement and keeping services running, nobody thinks to ask the question that matters most.


What do they still have access to?


The Access Problem Most Charities Ignore

The answer, in most cases, is: more than anyone realises.


They still have the admin login for the website — probably saved in their personal browser. They still have access to the shared Google Drive or OneDrive, which contains your beneficiary records, your trustee meeting minutes, your donor database, and your financial documents. If they set up the Microsoft 365 account, they may still be listed as the Global Administrator — meaning they have unrestricted access to every email account in your organisation. And if they ever connected to your systems from a personal device, that connection may still be live.


None of this is necessarily malicious. In the vast majority of cases, departing IT volunteers have no intention of misusing the access they still hold. But intention and exposure are two different things. A personal device with access to your systems that is later lost, stolen, or compromised does not care about anyone's intentions. And under UK GDPR, your charity is responsible for what happens to that data regardless of how the access came to exist.


One in five charities in the UK holds personal data that is not protected by techniques such as anonymisation or encryption. That figure comes from the government's own Cyber Security Breaches Survey. It represents organisations that are one lost laptop, one compromised personal account, or one disgruntled departure away from a data breach they are legally required to report to the ICO within 72 hours. 


Why This Keeps Happening

The structural reasons are not difficult to understand. Small charities operate on tight budgets and rely heavily on volunteers. High turnover and reliance on part-time staff make consistent training and access control persistently challenging, and 64% of charity team members use personal devices for work — compared to 45% of businesses — making security vulnerabilities harder to manage. 


When a technically capable volunteer arrives and offers to sort out the organisation's digital systems, the response is almost always gratitude rather than governance. There is no onboarding process that specifies what access they will have and under what terms. There is no offboarding process that specifies what happens when they leave. There is no register of who holds administrative access to what systems. And there is often no single person in the organisation who could tell you, right now, how many people currently have the ability to access your donor database.


This is not negligence. It is the predictable result of an organisation that has grown its digital infrastructure organically, one helpful volunteer at a time, without ever stopping to map out what has been built and who holds the keys to it.


What the Regulator Expects

The ICO does not make allowances for organisational size when it comes to data protection. A small charity with an annual income of £80,000 is subject to the same UK GDPR obligations as a multinational corporation. The ICO now has expanded enforcement powers, including fines of up to £17.5 million or 4% of global turnover, with changes being phased in between June 2025 and June 2026. 


More practically, if your charity suffers a data breach because a former IT volunteer still had access to systems they should have been removed from, you will need to report it. You will need to explain to the ICO what personal data was involved, how long the access had been in place, and what steps your organisation had taken to prevent it. "We didn't have a process for removing access when volunteers leave" is not a mitigation — it is the finding.


30% of UK charities experienced a cyber breach or attack in the past year, and the consequences extend beyond financial damage to include service disruption, reputational harm, and potential regulatory penalties. For charities that rely on public trust and donations, a single breach can have long-term consequences. 


The Specific Risks Nobody Talks About

Beyond the obvious scenario of a former volunteer retaining unwanted access, there are several related risks that most small charities have never considered.


The first is system dependency. When one person has been managing your digital infrastructure informally, institutional knowledge leaves with them. Nobody else knows how the email system is configured, where the backups live, or what the recovery process looks like if something goes wrong. The organisation becomes fragile in a way that only becomes visible when something breaks.


The second is personal device exposure. If your IT volunteer connected to your systems from their personal laptop or mobile phone — which they almost certainly did — those connections may remain active after they leave. If that device is later infected with malware or stolen, your systems are exposed through a door you did not know was open.


The third is credential sharing. In informal IT environments, passwords are often shared rather than managed individually. If your former volunteer knows the shared password for your website admin account, your email system, or your donor database, changing that password after they leave requires knowing that the password exists and was shared — which assumes a level of documentation that most small charities simply do not have.


What Good Access Management Actually Looks Like

The solution is not complicated. It does not require an IT department or a specialist hire. It requires a shift from informal to managed — from systems that grew organically to systems that are documented and controlled.


At a minimum, every charity should know — right now, today — who has administrative access to every digital system they operate. That list should be reviewed whenever someone joins or leaves the organisation, and access should be removed on the day someone's involvement ends, not when someone eventually gets around to it.


Individual accounts are more secure than shared ones. Every person who needs access to your systems should have their own login, with permissions set to reflect what they actually need rather than blanket administrative access. When they leave, their account is disabled — not just forgotten.


Multi-factor authentication on every account means that even if a former volunteer's credentials are compromised, an attacker cannot use them without a second factor that the former volunteer no longer controls.

And if you are not sure what access currently exists across your organisation's systems, that audit is worth doing before you need it — not after.
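
The register and leaver review described above can be kept as a small script. This is an added example, not part of the original article: the field names, people and accounts are constructed, and the register has to be filled in by hand from each system's own admin console.

```python
# Constructed sample access register: one row per (system, account, holder).
# Field names are assumptions for this example, not a standard schema.
FIELDS = ("system", "account", "holder", "admin", "shared", "mfa")
REGISTER = [dict(zip(FIELDS, row)) for row in [
    ("Microsoft 365", "sam@charity.example", "Sam", True, False, False),
    ("Microsoft 365", "priya@charity.example", "Priya", True, False, True),
    ("Website CMS", "admin", "Sam", True, True, False),
    ("Website CMS", "admin", "Alex", True, True, False),
    ("Donor database", "sam", "Sam", True, False, True),
    ("Google Drive", "alex@charity.example", "Alex", True, False, True),
]]
DEPARTED = {"Sam"}  # constructed: the volunteer who has just left


def audit(register, departed):
    """Return the offboarding actions the register implies for these leavers."""
    disable, rotate, no_mfa = set(), set(), set()
    admins_left = {}
    for row in register:
        key = (row["system"], row["account"])
        remaining = admins_left.setdefault(row["system"], set())
        if row["holder"] in departed:
            # An individual login is disabled; a shared password the leaver
            # knows has to be changed, because there is no account to disable.
            (rotate if row["shared"] else disable).add(key)
            continue
        if row["admin"]:
            remaining.add(row["holder"])
            if not row["mfa"]:
                no_mfa.add(key)
    return {
        "disable": sorted(disable),
        "rotate": sorted(rotate),
        "no_mfa": sorted(no_mfa),
        # Systems nobody still involved can administer: the dependency risk.
        "no_admin_left": sorted(s for s, a in admins_left.items() if not a),
    }


if __name__ == "__main__":
    for action, items in audit(REGISTER, DEPARTED).items():
        print(f"{action}: {items}")
```

A system listed under `no_admin_left` needs a new administrator appointed before the leaver's account is disabled, otherwise the organisation locks itself out.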


The Case for Managed Infrastructure

The deeper issue here is not really about IT volunteers. It is about what happens when critical infrastructure is managed informally by people who are not accountable to the organisation in the way that paid staff are, using personal devices and personal accounts that the organisation has no visibility over or control of.


A managed infrastructure model changes that entirely. Every system is documented. Every access credential is held institutionally rather than personally. Every departure triggers a structured offboarding process that removes access across every system simultaneously. And the organisation is never dependent on any single individual's availability, goodwill, or continued involvement.


For a small charity, the peace of mind that comes from knowing exactly who has access to what — and knowing that a volunteer leaving on a Friday afternoon will not leave the donor database exposed over the weekend — is worth considerably more than the cost of getting it right.


For registered UK charities, LINKBIT builds and manages digital infrastructure that is owned and controlled by your organisation from day one — not by whoever happened to set it up. If you are not sure where your current setup stands, start with a conversation.


Ready to make sure your charity's systems are properly managed and secured? Start your Discovery Session.
