I think the idea, like with HSE, fire brigade, etc is that you go to them for advice etc before shit hits fan rather than advice after you've cocked up.
It's the directors' (trustees) responsibility to be aware of all legislation that affects the business (charity) whether that be a safe place of work, insurance or not spreading sensitive information.
There is something to be said for making an example of even smallest organizations to encourage others to do what is right and head off worst cases.
Biting the hand that feeds IT
