General Data Protection Regulation
The information on this page gives an overview of the new GDPR regulation, signposting to useful resources, and will be updated regularly.
The General Data Protection Regulation (GDPR) will replace the UK Data Protection Act 1998 (DPA) from 25 May 2018.
The GDPR strengthens the rights of individuals to access and amend their personal data; places greater emphasis on an organisation’s accountability; and introduces more serious consequences for non-compliance, including fines.
- The Data controller is the company, organisation or individual who holds personal data and determines the purposes and manner in which it will be processed. For example an organisation, a GP or pharmicist.
- The Data processor is any person (other than an employee of the data controller) who processes the data on behalf of the data controller. For example a market research company or payroll company.
In order to use personal data you need to identify a lawful basis, also called ‘condition for processing’, and document it in your GDPR policy. There are six lawful bases for processing data and you will need to decide which one covers each type of data you collect.
ICO guidance on Lawful Basis also includes a checklist for organisations.
How long does your organisation keep data for? If you're receiving funding for delivered services there might be contractual reasons for you to keep data for a certain amount of time. HR policies may also provide guidance in this area. Otherwise think about how long you reasonably need to keep personal data for, document this in your GDPR policy, and ensure you schedule time to go back and delete it when it's no longer needed.
Subject Access Requests
Any individual has a right to see what data you hold on them, have it corrected if wrong, and have it deleted if they choose. You will need to have a process and train your staff team to know what to do if someone makes this request (and they may not call it a 'Subject Access Request'). Write this process into your GDPR policy and have a named person responsible for ensuring requests are responded to as soon as possible (and within one month) and for free.
What should my organisation be doing to be GDPR compliant?
To be GDPR compliant you will need to have policies and processes in place relating to personal data and make sure all staff are trained. In particular you should:
- Have a named person responsible for personal data in your organisation and make sure all staff and trustees know the GDPR is coming - and when
- Do a data map: identify what personal data you hold and where it came from. Sefton CVS have created a Information Audit template and other resources which can be amended to suit your organisation
- Document your lawful basis for storing and using personal data
- Put systems in place to respond to requests for access or updates to personal data or for the data to be deleted (called ‘subject access requests’)
- Make sure your privacy notices are written clearly and are easily accessible.
- Review and update how you seek and manage consent (an opt out option is no longer good enough!)
- Put procedures in place to report a data breach to the ICO within 72 hours if necessary, and make sure all staff understand what constitutes a data breach. Further guidance on data breaches is on the ICO website.
- Think about extra protections for under 16s
- If you’re a fundraiser, make sure you follow the latest guidance from the Fundraising Regulator.
Information Commissioner's Office (ICO)
The ICO is the independent authority set up to uphold information rights. It is the ICO who will take action if your organisation is not complying with the GDPR. The ICO website contains all the information relating to GDPR and regularly update the guidance. In particular they have published:
- Guidance for not-for-profit organisations including for direct marketing, a list of FAQs for charities and an advice line for small organisations
- A self assessment 'Getting ready for the GDPR' checklist for organisations
- A full Guide to the GDPR including information on key definitions; lawful basis for processing; the increased rights of the individual and data breaches
- A series of GDPR myth busting blogs
NCVO have produced guidance and resources specific to the voluntary sector on GDPR:
- Guidance on how to prepare for the GDPR
- Sample policies, GDPR webinar, and notification of training and events on the NCVO website