GDPR

The information on this page gives an overview of the new GDPR regulation, signposting to useful resources, and will be updated regularly.

We also have a series of blog posts sharing our own GDPR preparation experience which you may be interested in.

The General Data Protection Regulation (GDPR) will replace the UK Data Protection Act 1998 (DPA) from 25 May 2018.

The GDPR strengthens the rights of individuals to access and amend their personal data; places greater emphasis on an organisation’s accountability; and introduces more serious consequences for non-compliance, including fines. 

It is a 'values based' regulation which means there is no 'one size fits all' answer as to how to implement it for your organisation.

Key definitions 

  • The Data controller is the company, organisation or individual who holds personal data and determines the purposes and manner in which it will be processed; for example, an organisation or charity.
  • The Data processor is any person (other than an employee of the data controller) who processes the data on behalf of the data controller; for example, an IT support or payroll contractor.

The ICO has some GDPR guidance on contracts and liabilities between controllers and processors.

Lawful Basis

In order to use personal data you need to identify a lawful basis, also called ‘condition for processing’, and document it in your GDPR policy. There are six lawful bases for processing data and you will need to decide which one covers each type of data you collect.

ICO guidance on Lawful Basis also includes a checklist for organisations.

Legitimate Interest may be the lawful basis which you decide to use to process personal data. The ICO has published guidance on legitimate interest, and this is available on their website.

Privacy Notices 

Privacy notices need to be specific, not one catch-all, and should be displayed at the point at which someone hands over their personal information. They need to be clear, concise and easy to understand. The short version should state what you are going to do with the data, who will see it, how long you'll keep it for and who to contact with queries. It should also link to a longer version which goes into a lot more detail. Guidance on what should be included in your privacy policy is available on the ICO website.

Data Retention

How long does your organisation keep data for? If you're receiving funding for delivered services there might be contractual reasons for you to keep data for a certain amount of time. HR policies may also provide guidance in this area. Otherwise think about how long you reasonably need to keep personal data for, document this in your GDPR policy, and ensure you schedule time to go back and delete it when it's no longer needed.

Subject Access Requests

Under the GDPR individuals have more control over their personal data, in line with the eight key principles of the GDPR. Any individual has a right to see what data you hold on them, have it corrected if wrong, and have it deleted if they choose. You will need to have a process and train your staff team to know what to do if someone makes this request (and they may not call it a 'Subject Access Request'). Write this process into your GDPR policy and have a named person responsible for ensuring requests are responded to as soon as possible (and within one month) and for free.

What should my organisation be doing to be GDPR compliant?

To be GDPR compliant you will need to have policies and processes in place relating to personal data and make sure all staff are trained.  In particular you should:

  • Have a named person responsible for personal data in your organisation and make sure all staff and trustees know the GDPR is coming - and when
  • Do a data map: identify what personal data you hold and where it came from. Sefton CVS have created an Information Audit template and other resources which can be amended to suit your organisation
  • Document your lawful basis for storing and using personal data
  • Put systems in place to respond to requests for access or updates to personal data or for the data to be deleted (called ‘subject access requests’)
  • Make sure your privacy notices are written clearly and are easily accessible. 
  • Review and update how you seek and manage consent (an opt out option is no longer good enough!)
  • Put procedures in place to report a data breach to the ICO within 72 hours if necessary, and make sure all staff understand what constitutes a data breach. Further guidance on data breaches is on the ICO website.
  • Think about extra protections for under 16s 

GDPR Resources

Information Commissioner's Office (ICO)

The ICO is the independent authority set up to uphold information rights. It is the ICO who will take action if your organisation is not complying with the GDPR. The ICO website contains all the information relating to the GDPR and regularly updates the guidance. In particular they have published:

VCSE sector resources

VODA have produced a GDPR Toolkit (PDF: 862 KB) targeted at VCS groups without paid staff.

NCVO have produced guidance and resources specific to the voluntary sector on GDPR:

Fundraisers