Use this page to understand what data protection is and why it matters. This should not be used as legal advice. We link to more detailed advice from the Information Commissioner’s Office (ICO) throughout.
Data protection law aims to make sure that personal data is gathered, stored and used responsibly and transparently. It gives people ownership of information about themselves. It works to limit how organisations use that data and forces them to use it responsibly.
The relevant law in the UK is the Data Protection Act 2018. It was updated in 2019 with the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations. The Act and these regulations align UK law closely with GDPR, the primary European regulation on data protection.
The ICO is the UK’s independent body that is responsible for promoting and regulating data protection. We link to their advice throughout this page.
Use the ICO’s small organisation home page.
The exact nature of personal data is very complicated and varies from situation to situation. The legal definition of personal data in the UK is ‘any information relating to an identified or identifiable natural person’. That means that personal data is information about a person who can be:
For many organisations, personal data is the most obviously identifiable information about a person. Name, age, email address, full postal address or full postcode are all examples of 'personal data'.
Sometimes it’s less obvious that information is personal data. For example, technical information that can identify people, such as their computer’s IP address, is also considered 'personal data'.
You could hold data on a wide range of people – from past volunteers, to people who give you donations, and many others.
It isn’t only information you are directly collecting about people that counts. It could also be information people give you about others.
There are also types of legally defined sensitive personal data. This is called special category data. It includes:
There are similar rules for data about criminal allegations, proceedings or convictions.
If special category data can be connected to a person there are additional rules to follow.
You need to know and understand what the legal principles of data protection are and what they mean for your organisation. They are as follows.
Find the full legal wording of the principles on the ICO’s website.
For more on each of these areas see our steps to improve data protection in your organisation.
The purpose of the data protection principles is to keep people safe and respect their rights.
People have a right to:
Last reviewed: 02 March 2021