General Data Protection Regulation

The information on this page gives an overview of the new GDPR regulation, signposting to useful resources, and will be updated regularly.

The General Data Protection Regulation (GDPR) will replace the UK Data Protection Act 1998 (DPA) from 25 May 2018.

The GDPR strengthens the rights of individuals to access and amend their personal data; places greater emphasis on an organisation’s accountability; and introduces more serious consequences for non-compliance, including fines. 

Key definitions

  • Personal data means any data which relates to a living individual who can be identified from the data. The GDPR covers personal data kept on employees, volunteers, service users, members, supporters and donors.
  • Sensitive data means personal data consisting of information about the racial/ethnic origin of the subject; political opinions; religious or similar beliefs; whether they are member of a trade union; physical or mental health; sexual life; etc.
  • The Data controller is the company, organisation or individual who holds personal data and determines the purposes and manner in which it will be processed. For example an organisation, a GP or pharmicist.
  • The Data processor is any person (other than an employee of the data controller) who processes the data on behalf of the data controller. For example a market research company or payroll company.

Lawful Basis

In order to use personal data you need to identify a lawful basis, also called ‘condition for processing’, and document it. There are six lawful bases for processing data including ‘consent’ and ‘legitimate interests’.

ICO guidance on Lawful Basis also includes a checklist for organisations.

What should my organisation be doing to be GDPR compliant?

To be GDPR compliant you will need to have policies and processes in place relating to personal data and make sure all staff are trained.  In particular you should:

  • Have a named person responsible for personal data in your organisation and make sure all staff and trustees know the GDPR is coming - and when
  • Identify what personal data you hold and where it came from. Sefton CVS have created a Information Audit template and other resources which can be amended to suit your organisation
  • Document your lawful basis for storing and using personal data
  • Put systems in place to respond to requests for access or updates to personal data or for the data to be deleted (called ‘subject access requests’)
  • Make sure your privacy notices are written clearly and are easily accessible. Guidance on what to include in a privacy notice is available on the ICO website
  • Review and update how you seek and manage consent (an opt out option is no longer good enough!)
  • Put procedures in place to report a data breach to the ICO within 72 hours if necessary, and make sure all staff understand what constitutes a data breach
  • Think about extra protections for under 16s 
  • If you’re a fundraiser, make sure you follow the latest guidance from the Fundraising Regulator

GDPR Resources

Information Commissioner's Office (ICO)

The ICO is the independent authority set up to uphold information rights.  It is the ICO who will take action if your organisation is not complying with the GDPR.  The ICO website contains all the information relating to GDPR and regularly update the guidance.  In particular they have published:


NCVO have produced guidance and resources specific to the voluntary sector on GDPR: