You should now be in the final stages of preparing for
changes that GDPR will require to your current policies and procedures. GDPR is
not just a tick box exercise and it needs all staff and volunteers to embrace
To help you prepare for GDPR, NCVO, ICO and various
organisations have clear guidance on their websites, some of which is shown below.
Data protection legislation covers everyone about whom you
keep personal data. This includes employees, volunteers, service users,
members, supporters and donors. The legislation:
- requires organisations to register if they keep records (unless they are exempt, and this includes many charities and clubs)
- governs the processing of personal data, including 'personal sensitive data'
- requires organisations to comply with eight principles for data protection
- allows employees, service users and other contacts to request to see the personal data held on them.
Every organisation should have a written policy and
procedure, specific to its context, covering how it handles personal data
and enacts privacy principles.
Requirements for these policies and procedures will change
when GDPR takes effect. Read the NCVO guidance
for charities on how to prepare for GDPR.
Charity Finance Group have also produced GDPR: A guide for charities.
from the regulator
The Information Commissioner's
Office (ICO) is the regulator for data protection and privacy law. Their
website is an excellent source of information and support and includes:
It can be hard to write a policy from scratch. There are a
number of suppliers of sample policies. These are intended as guidance only and
should be developed alongside the
guidance from the Information Commissioner’s Office to ensure your policy is
specific to your circumstances.