GDPR and Data Protection

What is GDPR and why is it important?

Data protection is the fair and proper use of information about people. It’s part of the fundamental right to privacy – but on a more practical level, it’s really about building trust between people and organisations. It’s about treating people fairly and openly, recognising their right to have control over their own identity and their interactions with others, and striking a balance with the wider interests of society.

The UK data protection regime is set out in the DPA 2018, which can be found on the website, along with the GDPR which also forms part of UK law. It takes a flexible, risk-based approach which puts the onus on you to think about and justify how and why you use data.

The Information Commissioner’s Office regulates data protection in the UK. They offer advice and guidance, promote good practice, carry out audits, consider complaints, monitor compliance and take enforcement action where appropriate. Find out more information about their services on the Information Commissioner’s Office website.

What is the Data Protection Act (DPA) 2018

The DPA 2018 sets out the framework for data protection law in the UK. It updates and replaces the Data Protection Act 1998 and came into effect on 25 May 2018.

It sits alongside the GDPR and tailors how the GDPR applies in the UK – for example by providing exemptions. It also sets out separate data protection rules for law enforcement authorities, extends data protection to some other areas such as national security and defence, and sets out the Information Commissioner’s functions and powers.

For more details on the DPA 2018, download the ICO’s Overview of the DPA 2018.

What is GDPR?

GDPR stands for ‘General Data Protection Regulation’, and it is a new piece of legislation that came into force on 25 May 2018.

The legislation:

  • requires organisations to register with the Information Commissioner if they keep records, unless they are exempt (this includes many charities and clubs)
  • governs the processing of personal data including ‘personal sensitive data’
  • requires organisations to comply with its seven key principles
  • allows employees, service users and other contacts to request to see the personal data held on them
  • every organisation should have a written policy and procedure that is specific to their context about how they handle personal data and enact privacy principles.

Read the guidance from the Information Commissioner’s Office (ICO) before you write your policies.  NCVO members can access free guidance on writing a GDPR-compliant data protection policy – visit the Knowhow website. Please note this is not a sample policy but guidance.

The Information Commissioner’s Office also has a range of useful resources on fundraising and data protection – have a look at the free resources on the ICO website.

Who Does it Cover?

Data protection legislation covers everyone about whom you keep personal data. This includes employees, volunteers, service users, members, supporters and donors.

Data protection requirements after the UK leave the EU

The UK left the EU on 31 December 2020. At 11.00pm on this date the UK GDPR replaced the existing EU GDPR. This is the same as the EU GDPR in all material respects. Differences between the two are only reflected by the changes required to make it work in a UK only context.

As of 1 January 2021, the UK GDPR together with the amended Data Protection Act 2018 and the Privacy and Electronic Communications Regulation will make up the personal data protection legislation in the UK.

Being outside Europe will impact data protection matters in the UK in different ways.  For further information read the ICO’s page on data protection and the EU.

Who are the ICO?

The Information Commissioner’s Office (ICO) is the regulator for data protection and privacy law. Their website is an excellent source of information and support and includes:

Additional Resources