
How to comply with GDPR

Every organisation that processes personal data should be compliant with the GDPR, but getting to grips with GDPR can be daunting and it can be difficult to know where to start. This 12-point plan, adapted from the Information Commissioner's Office (ICO) guidance, is here to help you take the right steps.


Make sure the right people in your organisation know this is important

Your trustee board and senior staff should be aware that they need to comply with GDPR. They need to know enough to make good decisions about what you need to do to implement GDPR. They need to be aware that reviewing where you are and what you need to do to be fully compliant may take considerable time and effort. They need to ensure data protection is part of your risk register, if you have one.


Identify what data you hold and where that data came from

If you don’t know what personal data you hold and where it came from, you will need to organise an audit of your different systems and departments to find out. This means all personal data, including that of employees and volunteers, service users, members, donors and supporters and more. You should document your findings, as GDPR means you must keep records of your processing activities. You should also record whether you share data with any third parties.


Update your privacy notices

You must always tell people, in a concise and easy to understand way, how you intend to use their data. Privacy notices are the most common way to do this. You may well already have privacy notices on your website, for example, but have you checked they are up to date? Privacy notices must give information such as how long you will keep data for and what lawful basis you have to process the data. The ICO has guidance on GDPR compliant privacy notices.


Check your processes meet individuals’ rights

GDPR gives people clear rights over their data. For example, people have the right to have their personal data deleted. Would you be able to find the relevant data, and who would be responsible for making sure that happened? Get to know the eight rights and have the systems in place to be able to deliver on each of them.


Know how you will deal with ‘subject access requests’

Individuals have the right to know what data you hold on them, why the data is being processed and whether it will be given to any third party. They have the right to be given this information in a permanent form. This is known as a subject access request. Your organisation needs to be able to identify a subject access request, find all the relevant data and comply within one month of receipt of the request. The ICO gives guidance on handling subject access requests.


Identify and document your ‘lawful basis’ for processing data

To legally process data you must have a ‘lawful basis’ to do so. For example, it is a lawful basis to process personal data to deliver a contract you have with an individual. There are a number of different criteria that give you a lawful basis to process and, crucially, different lawful bases give different rights to individuals. For example, if you rely on consent as a lawful basis, individuals have stronger rights to have their data deleted. Understand and document what lawful basis you have to process data using the ICO guidance on lawful basis.


Review how you get consent to use personal data

If you rely on consent as your lawful basis for processing personal data, then that consent must be freely given, specific and easily withdrawn. You can’t rely on pre-ticked boxes, silence or inactivity to gain consent; instead, people must positively opt in. Read the ICO guidance on consent.


Build in extra protection for children

Many charities support children and young people, and this means you need to implement special protection for children’s personal data. GDPR says children under 16 cannot give consent, although this is likely to be reduced to 13 in the UK, so you may have to seek consent from a parent or guardian. You need to be able to verify that the person giving consent on behalf of a child is allowed to do so, and any privacy statements will need to be written in language that children can understand.


Be able to detect, report and investigate personal data breaches

A data breach is a breach of security leading to ‘accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data’. You need to have the right procedures in place to detect, investigate and report a personal data breach. Certain types of data breach must be reported to the ICO and, in some cases, to the individuals concerned. You need to be able to demonstrate that you have appropriate technical and organisational measures in place to protect against a data breach. Read guidance from the ICO on data breaches.


Build data protection into your new projects

Privacy by design means building data protection into all your new projects and services, and under GDPR it is a legal requirement. To achieve this, data protection impact assessments should be undertaken where new technology is being deployed, where profiling may significantly affect individuals, or where sensitive categories of data will be processed on a large scale. Clarify who will be responsible for carrying out impact assessments, when you will use them and how you will record them. Read ICO guidance on privacy by design and data protection impact assessments.


Decide who will be responsible for data protection in your organisation

Someone in your organisation, or an external data protection advisor, has to take responsibility for compliance with data protection legislation and have the knowledge and authority to do this effectively. Some organisations will need to formally appoint a data protection officer (DPO), for example if your organisation carries out large scale processing of sensitive personal data such as health records or information about criminal convictions. Find out more from the ICO about when to appoint a DPO.


Make sure your fundraising is compliant

The use of personal data is central to most fundraising activities, and there has been a great deal of public and media scrutiny of fundraising techniques. If you use personal data to fundraise, then you need to follow the latest guidance on fundraising and data protection. The Fundraising Regulator provides guidance which complements guidance from the ICO on direct marketing.

Further information

See our general page on data protection for more on data protection health checks, GDPR training and sample policies.


Page last edited May 28, 2019