Data protection (GDPR)

The new General Data Protection Regulation legislation came into effect on Friday 25 May 2018.


The new legislation

On 25 May 2018, data protection law changed with the introduction of the European General Data Protection Regulation (GDPR). It is a significant change for all organisations that hold and process personal data. Voluntary and community organisations will need to overhaul their privacy and data policies in order to be compliant with the new and more stringent regulatory framework.

Brexit will not affect the introduction of this legislation as the UK was still a member of the European Union (EU) at the date of implementation, and the government incorporated GDPR into UK law through the Data Protection Act 2018.


Impact of GDPR

The GDPR affects voluntary and community organisations in one way or another.

If your organisation holds personal data on anyone, including service users and beneficiaries, members, donors and supporters, employees and volunteers, this legislation applies to you.

It covers all types of personal data, whether contact information or any other sort of personal data, e.g. information about ethnicity or religious belief, or bank account or credit card details.


What changed

A lot of what’s in the GDPR mirrors current law under the Data Protection Act 1998 and guidance published by the Information Commissioner’s Office (ICO). However, GDPR also introduces some new rights and obligations and makes changes to some existing concepts.

Many of the provisions in the GDPR are designed to promote increased transparency and accountability, and the legislation demands more rigorous and accountable data practices. Whilst not an exhaustive list, some of the key differences to be aware of are:

  • increased enforcement powers: maximum fines of up to €20 million or 4% of total annual worldwide turnover of the preceding year, whichever is higher
  • extended geographical scope: non-EU businesses will be subject to the regulation if they provide their service to EU organisations or monitor the behaviour of EU residents
  • consent: more rigorous criteria will be applied to obtaining individuals’ consent. It must be freely given, specific, informed and unambiguous, e.g. fundraising consent may not be valid if it is given when grouped with non-fundraising matters
  • opt-in: crucially, where consent is involved, you must gain explicit, opt-in consent
  • profiling: individuals will have the right to object to profiling, which includes most forms of online tracking and wealth screening
  • the right to be forgotten: individuals will have the right to request that you delete all their personal data
  • enhanced individual rights: individuals will have enhanced rights with new provisions covering the right to access data (replacing subject access requests), the right to be forgotten (the right to request that an organisation delete all their personal data) and the right to data portability
  • reporting obligations: you will also have a duty to report certain types of data breach to the ICO and, in some cases, to the individuals affected


What you need to do

In most cases you will need to review your existing practices and introduce new or enhanced data practices from 25 May 2018 onwards. This may include, for example:

  • updating your privacy notices (download the ICO’s code for further information), which tell people how and why their data is being collected and what it will be used for
  • embedding data protection by design and by default into day-to-day business as usual, which is no longer a nicety but an obligation under the GDPR
  • conducting data protection impact assessments (privacy impact assessments) to identify the most effective way to comply with your data protection obligations
  • maintaining records of your data processing activities, including how long data is kept for and the security measures you have in place
  • appointing a data protection officer, which in some instances will be obligatory but in all cases will be considered good practice
  • reviewing agreements with any third parties that process personal data on your behalf, such as external payroll providers or IT support companies


Key sources of information

The ICO is the UK regulator responsible for interpreting and enforcing the GDPR, so its website is the best place to start if you want more information: the ICO online information hub on the GDPR.

The ICO has a dedicated helpline for questions about GDPR. People from small organisations should dial the ICO helpline on 0303 123 1113 and select option 4.

NCVO has a dedicated webpage on data protection and GDPR for trustees and senior staff.


Brief overviews and ‘How to’ guides

If you want some short, sharp overviews of GDPR for yourself, or to share as first reading with staff, volunteers or trustees, you might find these resources helpful:


Training and Advice

GDPR and Criminal Records Information

  • Read our briefing on the impact of the GDPR on the way you collect, process and store criminal records data

Data Retention and Subject Access Requests


The GDPR will mean changes to consent that will affect how you go about your fundraising and donor-based activities. If you raise funds directly from individuals, the following guides look specifically at this:

  • IT Governance have written a Compliance Guide, which can be downloaded for free
  • Charity Digital News, working with Access (a commercial company that provides CRM software), have written a free 5-step plan, with a particular focus on how your CRM system should be compliant with the GDPR


Jargon buster

Key bodies, laws and acronyms to be aware of:

  • Data Protection Act (DPA)
  • Privacy and Electronic Communications Regulations (PECR)
  • General Data Protection Regulation (GDPR)
  • Information Commissioner’s Office (ICO), the UK regulator responsible for interpreting and enforcing the GDPR
  • The Fundraising Regulator (FR)