0333 321 3021


Data Protection and GDPR

Data protection law reform is coming with the General Data Protection Regulation (GDPR) taking effect from 25 May 2018.

Data protection legislation covers everyone about whom you keep personal data. This includes employees, volunteers, service users, members, supporters and donors.

The legislation:

  • requires organisations to register if they keep records
  • governs the processing of personal data including 'personal sensitive data'
  • requires organisations to comply with eight principles
  • allows employees, service users and other contacts to request to see the personal data held on them

Every organisation should have a written policy and procedure that is specific to their context about how they handle personal data and enact privacy principles.

You should start preparing now for changes that GDPR will require to your current policies and procedures.

Data Protection Policy and Procedures Policy template we have produced a policy template which you can amend for your organisation, download the Data Protection Policy here or download the Data Protection Policy and Procedures template for small or volunteer-led organisations

Factsheet 21: General Data Protection Regulations (GDPR) and the Data Protection Act

How to prepare for GDPR and data protection reform
Every organisation that processes personal data must be compliant with new GDPR rules on 25 May 2018 and this includes charities and voluntary organisations. Getting to grips with GDPR can be daunting and it can be difficult to know where to start so this 12 point plan, adapted from the Information Commissioners Officer (ICO) guidance, is here to help you take the right steps.

Information Commissioner's Office resources Information Commissioner's Office

The Information Commissioner's Office (ICO) is the regulator for data protection and privacy law. Their website is an excellent source of information and support and includes:

ICO guidance for Charities

The ICO has issued guidance for not-for-profit organisations, which aims to answer questions regularly raised by charities and voluntary organisations, visit: https://ico.org.uk/for-organisations/charity/

GDPR hotline

The ICO has launch a dedicated advice line to help small organisations prepare for a new data protection law.  People from small organisations should dial the ICO helpline on 0303 123 1113 and select option 4 to be diverted to staff who can offer support. As well as a dvice on preparing for the GDPR, callers can also ask questions about current data protection rules and other legislationregulated by the ICO including electronic marketing and Freedom of Information.

GDPR PortalGDPR Portal: This website is a resource to educate the public about the main elements of the General Data Protection Regulation (GDPR).


Brexit and the data protection outlook
In light of an uncertain 'Brexit' -  I represent a data controller in the UK and want to know if I should still continue with GDPR planning and preparation?
If you process data about individuals in the context of selling goods or services to citizens in other EU countries then you will need to comply with the GDPR, irrespective as to whether or not you the UK retains the GDPR post-Brexit. If your activities are limited to the UK, then the position (after the initial exit period) is much less clear. The UK Government has indicated it will implement an equivalent or alternative legal mechanisms. Our expectation is that any such legislation will largely follow the GDPR, given the support previously provided to the GDPR by the ICO and UK Government as an effective privacy standard, together with the fact that the GDPR provides a clear baseline against which UK business can seek continued access to the EU digital market.

We advise full compliance with GDPR until further Governmental notice.

Brexit and Data protection - This information has been produced by Paul Ticher. Paul Ticher is an independent specialist, with over 30 years' experience of Data Protection in the voluntary sector. However, Paul is not a lawyer. This rundown of what is happening, or likely to happen, after 31 December 2020 may not be a complete or accurate statement of the law, and it is not intended to be legal advice.

Federation of Small Buisnesses FSB (Federation of Small Businesses) GDPR preparation hub – Here you will find useful information and guidance on what the General Data Protection Regulation (GDPR) is and guidance on how to get GDPR ready.


NCVO blog post - What to consider when preparing for GDPR


A guide to GDPR guidance by Wright Hassall
General Data Protection Regulation presentation by The FSB
GDPR Checklist by Wood for Trees
GDPR: The essentials for fundraising organisations by the Institute of Fundraising
FSB 12 point GDRP checklist for small businesses FSB (Federation of Small Businesses) GDPR – 12 point checklist for small businesses
Charity Finance Group – General Data Protection Regulation: A guide for charities
ICO guidance - Lawful basis for processing consent