General Data Protection Regulation (GDPR) - what you need to know


Many people and organisations in the voluntary and community sector are hearing the acronym GDPR, but what is it and what do you need to do about it?

What is GDPR?

GDPR stands for General Data Protection Regulation which is a new piece of legislation that came into force on 25th May 2018. While it builds on existing Data Protection legislation, it represents a significant change for organisations that hold and process personal data.

Will it affect me?

If your organisation holds personal data, whether in the form of contact information or any other sort of personal data (e.g. information about ethnicity, religious beliefs or bank/credit card details), elements of the new regulation will apply to you.

What can I do to prepare?

There are lots of resources available online, with links provided below. There is no 'one size fits all' approach, as what is required of you will vary significantly depending on the type of organisation you are and what you do with the data you collect and hold.

The Charity Commission are advising all charities to check the Information Commissioner’s Office (ICO) website regularly for updates and follow all guidance issued by the ICO about GDPR (please see information below).

The ICO website gives five top data protection tips for small and medium sized charities and third sector organisations:

1.    Tell people what you are doing with their data
People should know what you are doing with their information and who it will be shared with. This is a legal requirement (as well as established best practice) so it is important you are open and honest with people about how their data will be used.

2.    Make sure your staff are adequately trained 
New employees must receive data protection training to explain how they should store and handle personal information. Refresher training should be provided at regular intervals for existing staff.

3.    Use strong passwords
There is no point protecting the personal information you hold with a password if that password is easy to guess. Passwords should be long, should not be reused across different services, and should contain upper and lower-case letters, a number and ideally a symbol. This will help to keep your information secure from would-be thieves.

4.    Encrypt all portable devices
Make sure all portable devices – such as memory sticks and laptops – used to store personal information are encrypted, so that the data cannot be read if the device is lost or stolen.

5.    Only keep people’s information for as long as necessary
Make sure your organisation has established retention periods in place and set up a process for deleting personal information once it is no longer required.

Useful Resources

ICO Data Protection Self Assessment Toolkit

Use this to assess your compliance with the Data Protection Act and find out what you need to do

ICO Charity section

Specific guidance for not-for-profit organisations which aims to answer questions regularly raised by charities and voluntary organisations, helping you comply with your responsibilities under information rights law.

ICO – Exemption from registration for not-for-profit organisations

This Good Practice Note aims to answer a number of questions regularly raised by charities and voluntary organisations about the exemption from the requirement to register under the Data Protection Act 1998 (the Act) for ‘not-for-profit’ organisations.

Should you require support to navigate the key resources available on GDPR, please don't hesitate to contact our Community Support team by telephoning 01388 742040 or by email.

Our Community Support Officers can support you to identify your needs and signpost you to the key relevant information.