
Steps to improve data protection in your organisation

Use this page to make sure you’re meeting your data protection responsibilities. It contains actions to take. It should not be used as legal advice. We link to more detailed advice from the Information Commissioner’s Office (ICO) throughout.

Paying an annual fee

If you keep any personal information, you’ll usually need to pay an annual fee to the ICO. For most organisations this is either £40 or £60. For registered charities it’s never more than £40. For some specific uses of data, it could be £2,900.

There are some fee exemptions for certain types of volunteer-run health groups that only keep data about their own members.

Decide who will be responsible for data protection

Make sure responsibility sits with either:

  • an internal role with specific responsibilities for data protection
  • a role dedicated to data protection.

Your trustees or management committee can take responsibility for this role.

Organisations that handle sensitive data on a very large scale, or that regularly and systematically monitor or track people, may be required to appoint a Data Protection Officer (DPO). You do not need to do this just because you manage employee data.

Some of the things a legally appointed DPO must do are also good practice for everyone else. If you are not legally required to appoint a DPO but you decide to appoint one, you will be held to the standard of an organisation that is legally required to appoint a DPO.

Use this information to help you work out best practice, even if you don’t need a formal DPO: ICO Checklist for what a DPO must do.

If you’re not sure if you need to appoint a DPO, questions in this toolkit will help: ICO data protection officer tool.

Identify what data you hold and where that data came from

You must keep a record of the personal data you hold and where it came from.

If you’re starting from scratch, organise an audit of your different systems and teams to find out what data you’ve got. The audit needs to include all personal data: employees and volunteers, service users and the activities you do with them, members, donors and supporters.

You should check:

  • where it comes from
  • what you do with it (why you have it, how you use it and whether you actually need it)
  • how (in what format) you hold it and where (on what server or computer, if electronic) it is stored
  • whether it’s transferred into any other systems
  • whether you give the data to anyone else to do things with it for you
  • whether you share it
  • how and when you should delete it
  • what the risks are if anything goes wrong.

When you audit what data you hold about employees, job applicants and past employees, use our HR guidance on data protection and employees.

Where the information is stored

Storing information (data) on servers outside the UK is a form of transferring data between countries. This applies to all cloud software and to many online packages, because they keep your data on their own servers.

You should only transfer data between countries when you are sure it can be done lawfully. Double check that the storage you use meets all your legal requirements. Specifically, you need to be clear about how you remove data from the system permanently (hard deletion) and whether there are circumstances in which the storage company would share your data.

You must give people transparent information about transfers of data between countries. Make sure your privacy notice includes information about where your data is transferred.

Find out about how storing data in the UK, EU or outside the EU may change with Brexit, and get links to more information about the adequate storing of data in our data protection after Brexit section.

Controlling or processing data

Most of the time, community groups, organisations and charities are controllers of their own data. The rest of this section assumes that your organisation is the data controller.

Sometimes you’ll also have a third party processing data on your behalf.

  • While they don’t make decisions about what data you collect, or about other aspects of data protection, they do have responsibilities for keeping the data safe and secure.
  • It’s your responsibility as data controller to check that your processors are doing things properly.
  • You must make sure you inform people that you are sharing this data when you collect it.
  • You should create a data-sharing agreement with the processor to make sure everyone understands the procedures.

Sometimes you’ll be joint controllers of some data. This means:

  • you make joint decisions about aspects of data protection
  • you’re involved in partnership projects.

As you review the data you hold, always note when there’s a joint controller or a processor. Make sure they are aware of their responsibilities. Document these in contracts or data-sharing agreements.

If you aren’t sure whether you have joint controllers or processors, use the ICO data controller and processor checklist.

Identify and document your ‘lawful basis’ for processing data

You’re only allowed to handle personal data in certain situations. To process data, you need a lawful basis and a specific purpose for doing so.

The lawful bases for processing data are:

  • the person expects you to process their data so you can deliver a service (legitimate interest)
  • you have the person’s consent for a specific use of data
  • someone’s health or safety is at risk which is why you’re processing their data (protection of life)
  • you have a contract that allows you to process the data
  • you have to process the data by law (for example, in some safeguarding situations)
  • the processing is necessary to perform a task in the public interest (this does NOT mean all charitable activities).

The lawful basis will be different for different sets of data you hold, depending on the purpose for which you hold that data. You only need to comply with one lawful basis for processing a set of data, not all six. If you need to change the lawful basis for processing a set of data, you must let the people whose personal data it is know that you have done this.

Each lawful basis has different requirements. You’ll need to write a procedure for what you do with each data set to help make sure you comply.

Recording your findings

Depending on the size of your organisation, you may be required to keep records of all your data processing activity.

Keeping records is also a good starting point for a privacy impact assessment. You can use this to help you work out best practice and to plan how you’ll approach future projects.

A privacy impact assessment also gives you the information you need to start a register of all the data you hold. You should keep the register up to date.

If you use consent as your lawful basis, you need to do it right.

The law states that consent must be freely given, specific and easily withdrawn. You can’t rely on consent from pre-ticked boxes, silence or inactivity. People must positively opt-in and you must be completely open and honest about how you’ll use their information.

If you’re using consent as your lawful basis for holding data, you must not discriminate against people who don’t give their consent.

For more help understanding general consent use the ICO consent guidance and checklist.

Consent relating to children

Children can only legally give consent for online use of data from age 13 in the UK (16 for many other European countries). Below this age you can get consent from their parents if that’s appropriate. If not, the ICO suggests using another lawful basis.

When a child reaches 13, and when they become an adult, it’s good practice to offer them an opportunity to review any decisions previously made about their data. The ICO has done a lot of work thinking about designing privacy for children. Find out more from the Children’s Code Hub.

Consent and cookies

Cookies and other similar technologies that track people’s activities online fall under an additional set of regulations called PECR.

You must get opt-in consent from people before using cookies. The only exception is where the online service cannot work without the cookie (such as an online shopping cart or a bank transaction).

Read ICO guidance on cookie regulations.

Prepare to support people properly

Data protection law is about giving people clear rights over their data.

You need to help people:

  • understand what data you have and how you use it
  • look at the data you have if they want to
  • correct the data you have if they think it is wrong
  • ask you to delete the data or restrict how you use it (depending on the lawful basis you are holding it under)
  • be able to take that data themselves so they can use it however they like
  • complain if they don’t like things you’re doing with their data.

You must make sure that everyone you hold data about knows and understands their rights. You must also make sure that they know and understand exactly what you’re doing with their data.

This is usually done through a privacy notice, statement or policy.

You need to plan systems and processes to make it easier for you to provide this support. You can write these plans up as a data retention and deletion policy. You’ll also need to make sure that any software, tools or applications you use make it possible for you to follow the policy that you plan.

Read about the legal names for these rights, how you can meet them and any exceptions in the ICO GDPR guidance.

See our guide to writing a data protection policy and procedures.

Prepare for someone wanting to see their data

A ‘subject access request’ is the formal term for what happens when anyone asks you for a copy of information you hold about them. They could ask verbally, in writing or even on social media. You have one month to gather the data you have and provide it to them in a secure way.

For many organisations, this will be simple and straightforward if you’ve done your initial audit and kept records up to date. But for organisations that hold a large amount of data, or that do not have good records, this can be very time-consuming.

Subject access requests are particularly important if you work in an organisation that keeps case records about people or discusses people in emails. You’ll need to:

  • plan for requests to come in
  • make sure you know how you’ll find all the information
  • make sure the information you hand over doesn’t contain information about any other people
  • know how to ask for time extensions if you need them
  • have a plan to make sure you provide the information securely.

The better you plan ahead the easier it is to meet these requirements.

You can prepare by looking at the ICO subject access requests checklist.

Prepare to deal with a data breach

There are lots of small ways data can accidentally be breached, or be put at risk of a breach. For instance:

  • someone can accidentally cc an email that should have been bcc’d (addresses hidden)
  • someone tries to do something good by sharing data but hasn’t checked permissions and consent for this new use
  • out-of-date software can ‘leak’ data, meaning it sends data across the internet, or around office networks and file systems, in ways that are no longer considered secure
  • the wrong link can be sent to the wrong person
  • a service you use can change its terms and conditions and take data without you noticing
  • malware has got into your systems
  • someone has been the victim of a phishing attack.

To lower your risks:

  • check and update systems regularly
  • make sure all staff and volunteers know not to share data
  • make sure all staff and volunteers know how to report a breach (however minor the risk)
  • be clear that the organisation needs to know what has happened as quickly as possible so it can take actions and learn.

Get ready for things going wrong by having procedures or steps to follow.

  • Decide when you need to let the people who could be affected know and how you will do this.
  • Check whether the breach meets the rules that mean you must report it to the ICO within 72 hours of being made aware of it.
  • Include the ICO small organisation helpline in your procedures to help you (0303 123 1113).
  • Update your data processing procedures to reduce the risk of it happening again.
  • Develop training to reduce future risks.

Organisations holding more sensitive data need additional measures.

Data protection after Brexit

The UK now operates under what is called the UK GDPR. It is currently broadly the same as the EU GDPR, but this may change over time.

As of 28 June 2021, data can transfer from the EU to the UK without any additional safeguards. This follows the European Commission’s adequacy decisions on data protection in the UK.

For up-to-date information, visit the ICO’s page on data protection after Brexit.

Last reviewed: 02 March 2021
