We use cookies to help us provide you with the best experience, improve and tailor our services, and carry out our marketing activities. For more information, including how to manage your cookie settings, see our privacy notice.


Skip to content. | Skip to navigation

Community-made content which you can improve Case study from our community

Data protection and GDPR

This page is free to all
Data protection legislation covers everyone about whom you keep personal data. This includes employees, volunteers, service users, members, supporters and donors.

The General Data Protection Regulation (GDPR) took effect on 25 May 2018. The legislation:

Every organisation should have a written policy and procedure that is specific to their context about how they handle personal data and enact privacy principles.

Read our guidance for charities on how to comply with GDPR.

Charity Finance Group have also produced GDPR: A guide for charities.

Data protection requirements after the transition period

The end of the transition period when the UK will leave the EU will be 31 December 2020. At 11pm on this date, the UK GDPR is replacing the existing EU GDPR.

This is the same as the EU GDPR in all material respects. Differences between the two are only reflected by the changes required to make it work in a UK only context. 

As of 1 January 2021, the UK GDPR together with the amended Data Protection Act 2018 and the Privacy and Electronic Communications Regulation will make up the personal data protection legislation in the UK. 

Voluntary organisations should be aware of how their data protection practices might be affected. 

Being outside Europe will impact data protection matters in the UK in different ways including:

  • The international transfer of personal data including questions of adequacy and other safeguards
  • The possible need to appoint a European Economic Area (EEA) representative in the EEA
  • Lead supervisory authorities – who is yours and might it change?  

Our Trusted Supplier, Hope and May, have written an article on what small and medium-sized organisations need to consider and the steps they can take to make sure they are practising robust data compliance. To summarise:

Hope and May also provide an Article 27 Rep service which supports organisations that do not have an office in an EU state but are processing the personal data of citizens that reside in the EU. Find out more about their Article 27 Rep service.

Support from the regulator

The Information Commissioner's Office (ICO) is the regulator for data protection and privacy law. Their website is an excellent source of information and support and includes:

Sample policies

It can be hard to write a policy from scratch. There are a number of suppliers of sample policies. These are intended as guidance only and should be developed alongside the guidance from the Information Commissioner’s Office to ensure it is specific to your circumstances.

Further support from NCVO

NCVO can provide further support through:

Page last edited Dec 24, 2020

Help us to improve this page – give us feedback.