Use this page to make sure you’re meeting your data protection responsibilities. It contains actions to take. It should not be used as legal advice. We link to more detailed advice from the Information Commissioner’s Office (ICO) throughout.
If you keep any personal information, you’ll usually need to pay an annual fee to the ICO. For most organisations this is either £40 or £60. For registered charities it’s never more than £40. For some specific uses of data, it could be £2,900.
There are some fee exemptions for certain types of volunteer-run health groups who only keep data about their own members.
Make sure responsibility sits with either:
Your trustees or management committee can take responsibility for this role.
Organisations that handle sensitive (special category) data on a large scale, or that regularly and systematically monitor or track people, may be required to appoint a Data Protection Officer (DPO). Managing your own employees' data does not by itself trigger this requirement.
Some of the things a legally appointed DPO must do are also good practice for everyone else. If you are not legally required to appoint a DPO but you decide to appoint one, you will be held to the standard of an organisation that is legally required to appoint a DPO.
Use this information to help you work out best practice, even if you don’t need a formal DPO: ICO Checklist for what a DPO must do.
If you’re not sure if you need to appoint a DPO, questions in this toolkit will help: ICO data protection officer tool.
You must keep a record of the personal data you hold and where it came from.
If you’re starting from scratch, organise an audit of your different systems and teams to find out what data you’ve got. The audit needs to include all personal data: employees and volunteers, service users and the activities you do with them, members, donors and supporters.
You should check:
When you audit what data you hold about employees, job applicants and past employees, use our HR guidance on data protection and employees.
Storing information (data) on servers outside the UK counts as an international transfer of data. This includes data held by cloud software and many online packages, because they keep your data on their own servers, which may be in another country.
You should only transfer data between countries when you are sure it can be done lawfully. Check where your provider's data centres are and whether its staff or sub-contractors access your data from other countries, and double check that the storage you use meets all your legal requirements. Specifically, you need to be clear about how you remove data from the system permanently (hard deletion) and whether there are circumstances in which the storage company would share your data.
You must give people transparent information about transfers of data between countries. Make sure your privacy notice includes information about where your data is transferred.
Find out how storing data in the UK, the EU or outside the EU may change with Brexit, and get links to more information about adequacy decisions, in our data protection after Brexit section.
Most of the time, community groups, organisations and charities are controllers of their own data. The rest of this section assumes that your organisation is the data controller.
Sometimes you’ll also have a third-party processing data on your behalf.
Sometimes you’ll be joint controllers of some data. This means:
As you review the data you hold, always note when there’s a joint controller or a processor. Make sure they are aware of their responsibilities. Document these in contracts or data-sharing agreements.
If you aren't sure whether you have joint controllers or processors, use the ICO data controller and processor checklist.
You’re only allowed to handle personal data in certain situations. To process data, you need a lawful basis and a specific purpose for doing so.
The lawful bases for processing data are:
The lawful basis will be different for different sets of data you hold, depending on the purpose for which you hold that data. You need to identify one lawful basis for each set of data and purpose, not all six. Decide on the lawful basis before you start processing, because changing it later is difficult: if you do need to change the lawful basis for a set of data, you must update your privacy information and let the people whose personal data it is know that you have done this.
Each lawful basis has different requirements. You'll need to write a procedure for what you do with each data set to help make sure you comply.
Depending on the size of your organisation, you may be required to keep records of all your data processing activity. Organisations with 250 or more employees must keep these records. Smaller organisations must keep them too if their processing is not occasional, is likely to put people's rights at risk, or involves special category data or criminal offence data.
Keeping records is also a good starting point for a privacy impact assessment (the UK GDPR calls this a data protection impact assessment, or DPIA). You can use this to help you work out best practice and to plan how you'll approach future projects.
A privacy impact assessment also gives you the information you need to start a register of all the data you hold. Keep the register up to date as systems, suppliers and purposes change.
If you use consent as your lawful basis, you need to do it right.
The law states that consent must be freely given, specific, informed and unambiguous, and that it must be as easy to withdraw as it was to give. You can't rely on consent from pre-ticked boxes, silence or inactivity. People must positively opt in, and you must be completely open and honest about how you'll use their information. Keep a record of who consented, when, how and to what, so you can show that consent was valid.
If you’re using consent as your lawful basis for holding data, you must not discriminate against people who don’t give their consent.
For more help understanding general consent use the ICO consent guidance and checklist.
In the UK, children can only legally give their own consent to online services using their data from age 13 (16 in many other European countries). Below this age you can get consent from whoever holds parental responsibility for the child, if that's appropriate. If not, the ICO suggests using another lawful basis.
When a child reaches 13, and when they become an adult, it’s good practice to offer them an opportunity to review any decisions previously made about their data. The ICO has done a lot of work thinking about designing privacy for children. Find out more from the Children’s Code Hub.
Cookies and other similar technologies that track people's activities online fall under an additional set of regulations called PECR (the Privacy and Electronic Communications Regulations).
You must get opt-in consent from people before setting cookies on their device. The only exceptions are cookies that are strictly necessary for a service the person has asked for (such as an online shopping cart or a bank transaction), or that are needed to transmit the communication itself. Analytics and advertising cookies are not strictly necessary, so they need consent.
Data protection law is about giving people clear rights over their data.
You need to help people:
You must make sure that everyone you hold data about knows and understands their rights. You must also make sure that they know and understand exactly what you’re doing with their data.
This is usually done through a privacy notice, statement or policy.
You need to plan systems and processes to make it easier for you to provide this support. You can write these plans up as a data retention and deletion policy. You’ll also need to make sure that any software, tools or applications you use make it possible for you to follow the policy that you plan.
Read about the legal names for these rights, how you can meet them and any exceptions in the ICO GDPR guidance.
See our guide to writing a data protection policy and procedures.
A 'subject access request' is the formal term for what happens when anyone asks you for a copy of the information you hold about them. They could ask verbally, in writing or even on social media, and they do not have to use the words 'subject access request'. You have one month to gather the data you hold and provide it to them in a secure way. You can extend this by up to two further months if the request is complex or you receive several from the same person, but you must tell them within the first month that you are doing so. Check the identity of the person asking before you send anything, so that you do not hand someone's data to an impostor.
For many organisations, this will be simple and straightforward if you’ve done your initial audit and kept records up to date. But for organisations who hold a large amount of data, or who do not have good records, this can be very time-consuming.
Subject access requests are particularly important if you work in an organisation that keeps case records about people or discusses people in emails. You’ll need to:
The better you plan ahead the easier it is to meet these requirements.
You can prepare by looking at the ICO subject access requests checklist.
There are lots of small ways data can accidentally be breached, or be put at risk of a breach. For instance:
To lower your risks:
Get ready for things going wrong by having procedures or steps to follow, and make sure staff and volunteers know who to tell and how quickly. If a breach is likely to put people's rights at risk, you must report it to the ICO within 72 hours of becoming aware of it, so keep a log of every incident, including the ones you decide not to report and why.
Organisations holding more sensitive data need additional measures.
The UK now operates under what is called the UK GDPR. It is currently broadly the same as the EU GDPR, but this may change over time.
As of 28 June 2021, data can transfer from the EU to the UK without any additional safeguards. This follows the European Commission's adequacy decisions on data protection in the UK. The decisions are time-limited (they include a four-year sunset clause), so check whether they are still in force before relying on them.
For up-to-date information, visit the ICO’s page on data protection after Brexit.
Last reviewed: 02 March 2021