GDPR Information and guidance
Data protection legislation covers everyone about whom you keep personal data. This includes employees, volunteers, service users, members, supporters and donors. The legislation:
- requires organisations to register if they keep records (unless they are exempt and this includes many charities and clubs)
- governs the processing of personal data including ‘personal sensitive data’
- requires organisations to comply with eight principles for data protection
- allows employees, service users and other contacts to request to see the personal data held on them.
Every organisation should have a written policy and procedure that is specific to their context about how they handle personal data and enact privacy principles.
Requirements for these policies and procedures will change when GDPR takes effect. Read the NCVO guidance for charities on how to prepare for GDPR.
Charity Finance Group have also produced GDPR: A guide for charities
Support from the regulator
The Information Commissioner’s Office (ICO) is the regulator for data protection and privacy law. Their website is an excellent source of information and support and includes:
- their Guide to GDPR that they will regularly update and a FAQ page for charities
- specific pages for charities
- specific pages for small organisations
- an advice service by phone on 0303 123 1113 with a specific service for small organisatons (option 4) – you can also email firstname.lastname@example.org
- a self-assessment toolkit for small and medium enterprises
- a code of practice for writing privacy notices .
- an extensive index of specific guidance on a broad range of related topics like marketing, CCTV, data deletion, and filing systems
It can be hard to write a policy from scratch. There are a number of suppliers of sample policies. These are intended as guidance only and should be developed alongside the guidance from the Information Commissioner’s Office to ensure it is specific to your circumstances.
- NCVO members can access free guidance on writing a GDPR-compliant data protection policy on the NCVO Knowhow Nonprofit website.
- Bates Wells Braithwaite law firm has a customisable and GDPR-compliant data protection policy you can purchase on their Get Legal document production site. It takes you through a guided questionnaire to produce a bespoke policy.