GDPR and Data Protection


Data protection is the fair and proper use of information about people. It’s part of the fundamental right to privacy – but on a more practical level, it’s really about building trust between people and organisations. It’s about treating people fairly and openly, recognising their right to have control over their own identity and their interactions with others, and striking a balance with the wider interests of society.

The UK data protection regime is set out in the DPA 2018, along with the GDPR (which also forms part of UK law). It takes a flexible, risk-based approach which puts the onus on you to think about and justify how and why you use data.

The ICO regulates data protection in the UK. They offer advice and guidance, promote good practice, carry out audits, consider complaints, monitor compliance and take enforcement action where appropriate.

What is the Data Protection Act (DPA) 2018?

The DPA 2018 sets out the framework for data protection law in the UK. It updates and replaces the Data Protection Act 1998 and came into effect on 25 May 2018.

It sits alongside the GDPR, and tailors how the GDPR applies in the UK – for example by providing exemptions. It also sets out separate data protection rules for law enforcement authorities, extends data protection to some other areas such as national security and defence, and sets out the Information Commissioner’s functions and powers.

For more detail on the DPA 2018 you can download the ICO’s Overview of the DPA 2018.

What is GDPR?

GDPR stands for ‘General Data Protection Regulation’. It is an EU regulation that has applied since 25 May 2018 (it entered into force in 2016, with a two-year lead-in before it applied).

The legislation:

  • requires organisations that process personal data to register with the Information Commissioner and pay the data protection fee (unless they are exempt, which includes many charities and clubs)
  • governs the processing of personal data, including ‘special category data’ (previously called ‘sensitive personal data’)
  • requires organisations to comply with its seven key principles
  • gives individuals, such as employees, service users and other contacts, the right to request access to the personal data held about them (a ‘subject access request’).

Every organisation should have a written policy and procedure, specific to its own context, describing how it handles personal data and puts the data protection principles into practice.

Read guidance from the Information Commissioner’s Office before you write your policies. NCVO members can access free guidance on writing a GDPR-compliant data protection policy on the Knowhow website. Please note this is guidance, not a sample policy.

Also have a look at the ICO’s resources on fundraising and data protection.

Who Does it Cover?

Data protection legislation covers everyone about whom you keep personal data. This includes employees, volunteers, service users, members, supporters and donors.

Data protection requirements after the UK left the EU

The UK left the EU on 31 January 2020, and the transition period that followed ended at 11.00pm on 31 December 2020. At that point the UK GDPR replaced the EU GDPR in UK law. The UK GDPR is the same as the EU GDPR in all material respects; the differences between the two are only the changes needed to make it work in a UK-only context. Note that the EU GDPR still applies to UK organisations that offer goods or services to, or monitor the behaviour of, people in the EU.

As of 1 January 2021, the UK GDPR, together with the amended Data Protection Act 2018 and the Privacy and Electronic Communications Regulations (PECR), makes up the personal data protection legislation in the UK.

Being outside the EU affects data protection matters in the UK in several ways, most notably for personal data flowing between the UK and the EU. For further information, watch the Information Commissioner’s Office (ICO) webinar ‘Keep data flow at the end of the UK’s transition out of the EU’ (broadcast 3 December 2020).

Who are the ICO?

The Information Commissioner’s Office (ICO) is the regulator for data protection and privacy law. Their website is an excellent source of information and support, and includes an extensive index of specific guidance on a broad range of related topics such as marketing, CCTV, data deletion and filing systems.

Additional Resources