The General Data Protection Regulation (GDPR) took effect on 25 May 2018. The legislation:
- requires organisations to register if they keep records (unless they are exempt, which includes many charities and clubs)
- governs the processing of personal data including 'personal sensitive data'
- requires organisations to comply with its seven key principles
- allows employees, service users and other contacts to request to see the personal data held on them.
Every organisation should have a written policy and procedure that is specific to their context about how they handle personal data and enact privacy principles.
Read our guidance for charities on how to comply with GDPR.
Charity Finance Group have also produced GDPR: A guide for charities.
Data protection requirements after the transition period
The transition period for the UK leaving the EU ends on 31 December 2020. At 11pm on that date, the UK GDPR replaces the existing EU GDPR.
The UK GDPR is the same as the EU GDPR in all material respects. The only differences are the changes required to make it work in a UK-only context.
As of 1 January 2021, the UK GDPR, together with the amended Data Protection Act 2018 and the Privacy and Electronic Communications Regulations, will make up the personal data protection legislation in the UK.
Voluntary organisations should be aware of how their data protection practices might be affected.
Being outside the EU will affect data protection in the UK in several ways, including:
- The international transfer of personal data including questions of adequacy and other safeguards
- The possible need to appoint a European Economic Area (EEA) representative in the EEA
- Lead supervisory authorities – who is yours and might it change?
Our Trusted Supplier, Hope and May, have written an article on what small and medium-sized organisations need to consider and the steps they can take to make sure they are practising robust data compliance. To summarise:
- Watch the Information Commissioner’s Office (ICO) webinar on ‘Keep data flow at the end of the UK’s transition out of the EU’ (broadcast 3 December 2020)
- Check whether you are storing data in the EU, whether on cloud or local servers, for backup
- If you are storing data in the EU, put appropriate safeguards in place
- If you need further help contact Hope and May
Hope and May also provide an Article 27 Rep service, which supports organisations that do not have an office in an EU state but are processing the personal data of individuals residing in the EU. Find out more about their Article 27 Rep service.
Support from the regulator
The Information Commissioner's Office (ICO) is the regulator for data protection and privacy law. Its website is an excellent source of information and support and includes:
- their Guide to GDPR, which is regularly updated, and a FAQ page for charities
- specific pages for charities
- specific pages for small organisations
- an advice service by phone on 0303 123 1113 with a specific service for small organisations (option 4) – you can also email casework@ico.org.uk
- a self-assessment toolkit for small and medium enterprises
- a guide to the privacy information you must provide to users
- an extensive index of specific guidance on a broad range of related topics like marketing, CCTV, data deletion, and filing systems.
Sample policies
It can be hard to write a policy from scratch. A number of suppliers offer sample policies. These are intended as guidance only and should be developed alongside the guidance from the Information Commissioner’s Office to ensure the resulting policy is specific to your circumstances.
- NCVO members can access free guidance on writing a GDPR-compliant data protection policy on our Knowhow website. Please note this is not a sample policy but guidance.
- Bates Wells law firm has a customisable and GDPR-compliant data protection policy you can purchase on their Get Legal document production site. It takes you through a guided questionnaire to produce a bespoke policy.
Further support from NCVO
NCVO can provide further support through:
- Online and face-to-face training
- Webinars
- NCVO's trusted supplier, Hope and May, who offer a range of services to help you comply with data protection law.