We use cookies to help us provide you with the best experience, improve and tailor our services, and carry out our marketing activities. For more information, including how to manage your cookie settings, see our privacy notice.


Skip to content. | Skip to navigation

We’ve made our member-only resources free to everyone because of the current situation. We think it’s important people have the guidance they need to run their organisations during this time.

If you want to find out more about how you can volunteer to help deal with coronavirus, see our volunteering and coronavirus page.

If you are looking for advice on coronavirus and your charity, please see our dedicated coronavirus page.

Community-made content which you can improve Case study from our community

Data protection

This page is free to all
Guidance on writing a data protection policy.

All charities will collect, store and process personal information; usually in relation to staff, trustees, job applicants, volunteers and beneficiaries. The data protection legislation requires every data controller (eg employer) who processes personal information to register with the Information Commissioner’s Office (ICO), unless they are exempt (Are you exempt?). 

From 25 May 2018 the Data Protection Act was replaced by the General Data Protection Regulations (GDPR). The GDPR significantly changes the rights of data subjects and the obligations of those processing data. It also significantly increases the penalty for non-compliance.  

Because charities often collect such a wide range of information and store and use it in different ways it is important to understand how the Act applies to your organisation specifically. These guidelines are designed to help small charities consider the range of factors that may be relevant when drafting such a policy.

Download a Microsoft Word version of the information on this page (Word, 60KB).

When drafting or updating your data protection policy, the ICO is a good place to start. They publish a wealth of information on their website including:

The following questions/points may also help to guide you on the areas to cover:

  • Who does the policy apply to?
    GDPR defines the roles of ‘controller’ and ‘processor’. The controller determines how and why personal data is processed and the processor acts on the controller’s behalf. Processors have specific obligations and legal liability if there is a breach. 
  • Be familiar with the data protection principles and ensure that your policy states what these are.  The GDPR principles are similar to those in the DPA, with added detail and a new accountability principle.
  • Allocate responsibility for GDPR compliance to a designated individual and consider whether you need to appoint a data protection officer (DPO). A DPO must be appointed if you are a public authority or body, or if you carry out certain types of processing activities.
  • You should explain what personal data is and provide examples of the personal data that you may collect. The definition of personal data has become more detailed and broader under GDPR. An IP address or CCTV footage can now be personal data. Personal data is likely to include details of donors, beneficiaries as well as job applicants and people who work for the charity as staff or volunteers (including trustees).
  • Personal data and sensitive personal data are different. A definition and examples would help staff to understand the difference and how they are expected to collect, use and store the information. Again, the Information Commissioner website provides useful information. 
  • Under the DPA you need to state the conditions for processing data (both ordinary and sensitive).  Under GDPR, charities will need to identify and document a lawful basis before personal data can be processed.  The lawful basis for processing personal data can determine individuals’ rights. For example, relying on ‘consent’ means the individual will generally have more rights.
  • Ensure that your policy explains how your charity demonstrates compliance with the GDPR principles. Specifically, that you have an up-to-date data register that provides details on personal data processed by the organisation, why it is being processed, the categories of individuals and categories of personal data, retention schedules etc.
  • Under the DPA, an individual has limited right to request personal data is erased. For example, where processing causes unwarranted and substantial damage or distress. Under GDPR, the right to be forgotten enables an individual to request the deletion or removal of personal data where there is no compelling reason for its continued processing.
  • Retention of data – under what circumstances is data retained and not retained?  You policy should consider what data is destroyed and when. Allocating staff to this via job descriptions will help to ensure it is kept in focus.
  • Access to data – those whose personal data you process (applicants, staff, volunteers and beneficiaries), have the right to request that this information is sent to them. Under GDPR access to the information is free of charge and employers have one month in which to comply.  Charities may refuse, or levy a reasonable fee, if the request is unfounded or excessive. 
  • Storage and security – how will data be stored? Who will have access to the data? What will happen if a third party processes data? What steps should staff take to ensure that there is no unauthorised access to the data (for example, drawers must be locked, screens should be locked when staff step away from their desks etc)? What about if/when data is taken off site (for example that only encrypted data sticks must be used, that any manual files are logged out and back in, that leaving files on car seats is considered a security breach and a disciplinary matter etc)?
  • Be clear about the process to follow if you discover a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
  • Your data protection policy should be consistent with your privacy notice, which should be communicated to all those whose personal data you collect and process.

The HR Services Partnership

The HR Services Partnership can help you draft a policy or procedure which is specific to your organisation. And as an NCVO Trusted Supplier we offer preferential rates for members of NCVO.

Page last edited Apr 07, 2020

Help us to improve this page – give us feedback.