The General Data Protection Regulation (GDPR) took effect on 25 May 2018. The legislation:
- requires organisations to register if they keep records (unless they are exempt and this includes many charities and clubs)
- governs the processing of personal data including 'personal sensitive data'
- requires organisations to comply with its seven key principles
- allows employees, service users and other contacts to request to see the personal data held on them.
Every organisation should have a written policy and procedure that is specific to their context about how they handle personal data and enact privacy principles.
Read our guidance for charities on how to comply with GDPR.
Charity Finance Group have also produced GDPR: A guide for charities
Further support from NCVO
NCVO can provide further support through
- face-to-face training
- webinars
- consultancy
- services provided by our trusted suppliers.
See the NCVO data protection page for more information.
Support from the regulator
The Information Commissioner's Office (ICO) is the regulator for data protection and privacy law. Their website is an excellent source of information and support and includes:
- their Guide to GDPR that they will regularly update and a FAQ page for charities
- specific pages for charities
- specific pages for small organisations
- an advice service by phone on 0303 123 1113 with a specific service for small organisatons (option 4) – you can also email casework@ico.org.uk
- a self-assessment toolkit for small and medium enterprises
- a guide to the privacy information you must provide to users
- an extensive index of specific guidance on a broad range of related topics like marketing, CCTV, data deletion, and filing systems
- advisory visits to your organisation for a day, with a short follow up report.
Sample policies
It can be hard to write a policy from scratch. There are a number of suppliers of sample policies. These are intended as guidance only and should be developed alongside the guidance from the Information Commissioner’s Office to ensure it is specific to your circumstances.
- NCVO members can access free guidance on writing a GDPR-compliant data protection policy on our Knowhow Nonprofit website. Please note this is not a sample policy but guidance.
- Bates Wells Braithwaite law firm has a customisable and GDPR-compliant data protection policy you can purchase on their Get Legal document production site. It takes you through a guided questionnaire to produce a bespoke policy.
