GDPR: Personal data and data mapping

Worryingly, only 44% of charities have heard about GDPR, according to a government survey. But the General Data Protection Regulation isn’t as scary as it sounds, and it presents an opportunity for all of us to improve, and be more confident in, the way we use data.

GDPR emphasises handling personal information in a clear, honest and transparent way, and offers six ‘lawful bases’ for processing data:

  • Consent
  • Contract
  • Legal obligation
  • Vital interests
  • Public task
  • Legitimate interest

The new legislation requires all organisations to understand how they obtain data; document the lawful basis under which the data is processed; have clear data retention policies; and allow people access to their own personal data on request.

As VONNE goes through the GDPR preparation process I’ll be writing a series of blogs, each looking at a different area of GDPR. I don’t have all the answers but hopefully this will help support anyone else in the sector going through the same process.

For this first one it’s personal data and data mapping.

Personal data means anything which could – directly or indirectly – identify an individual. So a work email address, an NI number, address, or IP address could be personal data.

Sensitive data is also called ‘special categories’ of data and under GDPR it includes genetic and biometric data as well as ethnicity; physical or mental health records; sexual orientation, etc. The GDPR also makes special reference to handling information about criminal offences.

All VCSE organisations will handle personal and sensitive data in some form (in HR and recruitment functions for example) and some who work directly with clients or service users may be processing sensitive data in their records.

Create a data map

Think about what data you hold and who in your organisation is best placed to conduct the first step towards GDPR compliance: data mapping. At VONNE we’ve split it between myself (external comms and member data) and Angela our Finance and Office Manager (recruitment/employee and Board data).

After attending some excellent training organised by Newcastle CVS and NCVO with Mark Burnett – Data Protection Officer at NCVO – we used his template to create a data map in Excel with the following headings:

  • Data collection point
  • What data is collected?
  • Is a privacy or consent form used at point of collection?
  • Where is the data stored?
  • What is the data used for?
  • Who can access the data internally?
  • Who can access the data externally? (‘Third party sharing’)
  • How and when is the data reviewed and updated?
  • How long is the data kept for?
  • What is the current policy on data?

This has helped us enormously to see exactly what information we are collecting and where we need to improve processes to become fully GDPR compliant.  

Next month I'll be writing about privacy notices (long and short).

Find more GDPR resources on the VONNE website.

Anne is VONNE's Marketing and Communications Manager and can be contacted at anne.fry@vonne.org.uk