Individuals have the right to have their personal data removed if it’s no longer necessary for the purpose it was originally collected or processed for.
If you control or process data about people, you are required under the Data Protection Act 2018 to return or delete all personal data after the end of services, or on expiry of a contract or agreement, unless it’s necessary to retain the data by law.
You also have responsibilities for telling other organisations to delete any links to copies of that data, as well as the copies themselves.
You should have a clear plan and record of how you’ve complied with your legal obligations. If you’re unsure, you can contact the Information Commissioner’s Office for advice.
Remember that trustees or the management committee will still be liable for their data protection duties even after the organisation has closed.
More widely, computer hard drives should be cleaned or reformatted so that the documentation relating to the organisation is no longer available. All identifiable information about your work should also be destroyed so it can’t be accessed by anyone who could impersonate your organisation.