Data protection law reform is coming with the General Data Protection Regulation (GDPR) taking effect from 25 May 2018.
Data protection legislation covers everyone about whom you keep personal data. This includes employees, volunteers, service users, members, supporters and donors. In outline, the legislation:
- requires organisations to register if they keep records
- governs the processing of personal data, including 'sensitive personal data'
- requires organisations to comply with the eight data protection principles
- allows employees, service users and other contacts to request to see the personal data held on them
Every organisation should have a written policy and procedure that is specific to their context about how they handle personal data and enact privacy principles.
You should start preparing now for changes that GDPR will require to your current policies and procedures.
Data Protection Policy and Procedures policy template
We have produced a policy template which you can amend for your organisation: download the Data Protection Policy here, or download the Data Protection Policy and Procedures template for small or volunteer-led organisations.
Factsheet 21: General Data Protection Regulations (GDPR) and the Data Protection Act
How to prepare for GDPR and data protection reform
Every organisation that processes personal data must be compliant with the new GDPR rules from 25 May 2018, and this includes charities and voluntary organisations. Getting to grips with GDPR can be daunting and it can be difficult to know where to start, so this 12-point plan, adapted from the Information Commissioner's Office (ICO) guidance, is here to help you take the right steps.
Information Commissioner's Office resources
The Information Commissioner's Office (ICO) is the regulator for data protection and privacy law. Their website is an excellent source of information and support and includes:
- a code of practice for writing privacy notices, which explains how to comply with both the existing Data Protection Act and the EU's General Data Protection Regulation (GDPR); EU countries must comply with the GDPR from 25 May 2018
- specific pages for the charity sector
- a self-assessment toolkit for small and medium enterprises
- general guides on data protection and freedom of information
- an extensive index of specific guidance on a broad range of related topics such as marketing, CCTV, data deletion and filing systems
- an advice service by phone on 0303 123 1113 (local rate), or email: email@example.com
- advisory visits to your organisation for a day with a short follow up report
ICO guidance for Charities
The ICO has issued guidance for not-for-profit organisations, which aims to answer questions regularly raised by charities and voluntary organisations, visit: https://ico.org.uk/for-organisations/charity/
The ICO has launched a dedicated advice line to help small organisations prepare for the new data protection law. People from small organisations should dial the ICO helpline on 0303 123 1113 and select option 4 to be diverted to staff who can offer support. As well as advice on preparing for the GDPR, callers can also ask questions about current data protection rules and other legislation regulated by the ICO, including electronic marketing and Freedom of Information.
GDPR Portal: This website is a resource to educate the public about the main elements of the General Data Protection Regulation (GDPR).
Brexit and the data protection outlook
In light of an uncertain 'Brexit': I represent a data controller in the UK and want to know if I should still continue with GDPR planning and preparation?
If you process data about individuals in the context of selling goods or services to citizens in other EU countries, then you will need to comply with the GDPR, irrespective of whether or not the UK retains the GDPR post-Brexit. If your activities are limited to the UK, then the position (after the initial exit period) is much less clear. The UK Government has indicated that it will implement equivalent or alternative legal mechanisms. Our expectation is that any such legislation will largely follow the GDPR, given the support previously given to the GDPR by the ICO and the UK Government as an effective privacy standard, together with the fact that the GDPR provides a clear baseline against which UK businesses can seek continued access to the EU digital market.
We advise full compliance with GDPR until further Governmental notice.
Brexit and Data Protection - This information has been produced by Paul Ticher. Paul Ticher is an independent specialist with over 30 years' experience of data protection in the voluntary sector. However, Paul is not a lawyer. This rundown of what is happening, or likely to happen, after 31 December 2020 may not be a complete or accurate statement of the law, and it is not intended to be legal advice.
FSB (Federation of Small Businesses) GDPR preparation hub - Here you will find useful information on what the General Data Protection Regulation (GDPR) is and guidance on how to get GDPR ready.
NCVO blog post - What to consider when preparing for GDPR