Home | Charities & Groups | Running Your Organisation | How to… | GDPR and Data Protection

GDPR and Data Protection

WHAT IS DATA PROTECTION AND WHY IS IT IMPORTANT?

Data protection is the fair and proper use of information about people. It’s part of the fundamental right to privacy – but on a more practical level, it’s really about building trust between people and organisations. It’s about treating people fairly and openly, recognising their right to have control over their own identity and their interactions with others, and striking a balance with the wider interests of society.

The UK data protection regime is set out in the DPA 2018, along with the GDPR (which also forms part of UK law). It takes a flexible, risk-based approach which puts the onus on you to think about and justify how and why you use data.

The ICO regulates data protection in the UK. They offer advice and guidance, promote good practice, carry out audits, consider complaints, monitor compliance and take enforcement action where appropriate.

Image courtesy of Wheelpower

What is the Data Protection Act (DPA) 2018

The DPA 2018 sets out the framework for data protection law in the UK. It updates and replaces the Data Protection Act 1998 and came into effect on 25 May 2018.

It sits alongside the GDPR, and tailors how the GDPR applies in the UK – for example by providing exemptions. It also sets out separate data protection rules for law enforcement authorities, extends data protection to some other areas such as national security and defence, and sets out the Information Commissioner’s functions and powers.

For more detail on the DPA 2018 you can download the ICO’s Overview of the DPA 2018.

Who Does it Cover?

Data protection legislation covers everyone about whom you keep personal data. This includes employees, volunteers, service users, members, supporters and donors.

Data protection requirements after the UK leave the EU

The UK left the EU on 31 December 2020. At 11.00pm on this date the UK GDPR replaced the existing EU GDPR. This is the same as the EU GDPR in all material respects. Differences between the two are only reflected by the changes required to make it work in a UK only context.

As of 1 January 2021, the UK GDPR together with the amended Data Protection Act 2018 and the Privacy and Electronic Communications Regulation will make up the personal data protection legislation in the UK.

Being outside Europe will impact data protection matters in the UK in different ways. For further information watch the Information Commissioner’s Office (ICO) webinar on ‘Keep data flow at the end of the UK’s transition out of the EU’ (broadcast 3 December 2020)

Who are the ICO?

The Information Commissioner’s Office (ICO) is the regulator for data protection and privacy law. Their website is an excellent source of information and support and includes:

their Guide to GDPR that they will regularly update and a FAQ page for charities
specific pages for charities
an advice service by phone on 0303 123 1113 with a specific service for small organisations (option 4) – you can also email casework@ico.org.uk
a self-assessment toolkit for small and medium enterprises
a guide to the privacy information you must provide to users

an extensive index of specific guidance on a broad range of related topics like marketing, CCTV, data deletion, and filing systems.

Additional Resources

Knowhow: How to prepare for GDPR and data protection reform
FSI: GDPR – what small charities can do now
The Fundraising Regulator has information and guidance for small charities as well as easy to understand information about what GDPR will mean for you.
The Information Commissioner provides some good resources in the form of a self assessment toolkit to assist with the various elements that may or may not be directly relevant to you. They also have a hotline to support smaller organisations with GDPR queries. This can be reached on 0303 123 1113 Option 4.
NCVO’s Knowhow Non Profit site has also produced a 12 point plan, adapted from the ICO guidance
The Directory of Social Change (DSC) has a free, expert downloadable guide to GDPR
The company ‘IT Governance’ have produced a Compliance Guide which can be freely downloaded from their website.
If your organisation raises funds directly from individuals, there are changes there too which you need to be prepared for. Tim Turner, a former policy manager at the ICO, has produced a ‘survival guide’ which is freely downloadable from the ‘Civil Society’ website and the Institute of Fundraising has also produced a free guide for such organisations.
Protecture: Clearing the haze around the GDPR maze webinar

Privacy Overview

We use some essential cookies to make this website work. We’d like to set additional cookies to understand how you use our website, remember your settings and improve your website experience. We also use cookies set by other sites to help us deliver content from their services.

Necessary

Always Enabled

Necessary cookies are absolutely essential for the website to function properly. These cookies ensure basic functionalities and security features of the website, anonymously.

Cookie	Duration	Description
_GRECAPTCHA	5 months 27 days	This cookie is set by Google. In addition to certain standard Google cookies, reCAPTCHA sets a necessary cookie (_GRECAPTCHA) when executed for the purpose of providing its risk analysis.

Functional

Functional cookies help to perform certain functionalities like sharing the content of the website on social media platforms, collect feedbacks, and other third-party features.

Cookie	Duration	Description
akavpau_ppsd	session	This cookie is provided by Paypal. The cookie is used in context with transactions on the website.

Performance

Analytics

Analytical cookies are used to understand how visitors interact with the website. These cookies help provide information on metrics the number of visitors, bounce rate, traffic source, etc.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gat_UA-17527993-1	1 minute	This is a pattern type cookie set by Google Analytics, where the pattern element on the name contains the unique identity number of the account or website it relates to. It appears to be a variation of the _gat cookie which is used to limit the amount of data recorded by Google on high traffic volume websites.
_gat_UA-61319948-14	1 minute	This is a pattern type cookie set by Google Analytics, where the pattern element on the name contains the unique identity number of the account or website it relates to. It appears to be a variation of the _gat cookie which is used to limit the amount of data recorded by Google on high traffic volume websites.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.
_hjAbsoluteSessionInProgress	30 minutes	No description available.
_hjFirstSeen	30 minutes	This is set by Hotjar to identify a new user’s first session. It stores a true/false value, indicating whether this was the first time Hotjar saw this user. It is used by Recording filters to identify new user sessions.
_hjid	1 year	This cookie is set by Hotjar. This cookie is set when the customer first lands on a page with the Hotjar script. It is used to persist the random user ID, unique to that site on the browser. This ensures that behavior in subsequent visits to the same site will be attributed to the same user ID.
_hjIncludedInPageviewSample	2 minutes	No description available.
CONSENT	16 years 5 months 16 days 13 hours 4 minutes	These cookies are set via embedded youtube-videos. They register anonymous statistical data on for example how many times the video is displayed and what settings are used for playback.No sensitive data is collected unless you log in to your google account, in that case your choices are linked with your account, for example if you click “like” on a video.
uvc	1 year 1 month	The cookie is set by addthis.com to determine the usage of Addthis.com service.

Advertisement cookies are used to provide visitors with relevant ads and marketing campaigns. These cookies track visitors across websites and collect information to provide customized ads.

Cookie	Duration	Description
IDE	1 year 24 days	Used by Google DoubleClick and stores information about how the user uses the website and any other advertisement before visiting the website. This is used to present users with ads that are relevant to them according to the user profile.
loc	1 year 1 month	This cookie is set by Addthis. This is a geolocation cookie to understand where the users sharing the information are located.
test_cookie	15 minutes	This cookie is set by doubleclick.net. The purpose of the cookie is to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.
YSC	session	This cookies is set by Youtube and is used to track the views of embedded videos.

Others

Other uncategorized cookies are those that are being analyzed and have not been classified into a category as yet.

Cookie	Duration	Description
at-rand	never	No description available.
m	2 years	No description available.
x-cdn		No description available.
yt-remote-connected-devices	never	No description available.
yt-remote-device-id	never	No description available.

There’s a lot to consider when you’re setting up or running a charity or community group. It’s a hugely rewarding role, but you need to make sure you’re doing it right.

What is the Data Protection Act (DPA) 2018

What is GDPR?

Who Does it Cover?

Data protection requirements after the UK leave the EU

Who are the ICO?

Additional Resources