Information and guidance
Data protection legislation covers everyone about whom you keep personal data. This includes employees, volunteers, service users, members, supporters and donors. The GDPR took effect on 25 May 2018. The legislation:
- requires organisations to register if they keep records (unless they are exempt and this includes many charities and clubs)
- governs the processing of personal data including 'personal sensitive data'
- requires organisations to comply with its seven key principles
- allows employees, service users and other contacts to request to see the personal data held on them.
Every organisation should have a written policy and procedure that is specific to their context about how they handle personal data and enact privacy principles.
Read our guidance for charities on how to comply with GDPR.
Charity Finance Group have also produced GDPR: A guide for charities
Support from the regulator
The Information Commissioner's Office (ICO) is the regulator for data protection and privacy law. Their website is an excellent source of information and support and includes:
- their Guide to GDPR that they will regularly update and a FAQ page for charities
- specific pages for charities
- specific pages for small organisations
- an advice service by phone on 0303 123 1113 with a specific service for small organisatons (option 4) – you can also email casework@ico.org.uk
- a self-assessment toolkit for small and medium enterprises
- a guide to the privacy information you must provide to users
- an extensive index of specific guidance on a broad range of related topics like marketing, CCTV, data deletion, and filing systems
- advisory visits to your organisation for a day, with a short follow up report.
Sample policies
It can be hard to write a policy from scratch. There are a number of suppliers of sample policies. These are intended as guidance only and should be developed alongside the guidance from the Information Commissioner’s Office to ensure it is specific to your circumstances.
- NCVO members can access free guidance on writing a GDPR-compliant data protection policy on our Knowhow Nonprofit website. Please note this is not a sample policy but guidance.
- Bates Wells Braithwaite law firm has a customisable and GDPR-compliant data protection policy you can purchase on their Get Legal document production site. It takes you through a guided questionnaire to produce a bespoke policy.
Watch our GDPR webinar
We ran a webinar with Protecture (one of our Trusted Suppliers) on 15 March 2018, you can watch the recording below and view the slides here.
Training and events
NCVO offer training on data protection and the GDPR for charities and voluntary organisations. This is delivered regularly at NCVO in London, at venues around the country or bespoke at your premises. Email our training team to discuss what might suit you.
Health checks and consultancy support
NCVO's consultancy service can provide a health check for your organisation to assess your data protection fitness and GDPR compliance. Email our training team for more details.
Trusted Suppliers
- Protecture provides tailored packages of support to ensure you have everything in place for the new GDPR legislation. NCVO members receive a 10% discount off the first year fee. See GDPR events by Protecture
- ClearComm provides a GDPR portal for voluntary organisations under £1m t/o that allows your organisation to stay compliant.
