Data protection

Data protection law reform is coming with the General Data Protection Regulation (GDPR) taking effect from 25 May 2018.

You should start preparing now for changes that GDPR will require to your current policies and procedures. GDPR is not just a tick box exercise and it needs all staff and volunteers to embrace new procedures.

To help you prepare for GDPR, NCVO has a range of services that we can offer direct and through partners to support you on your journey – see all of our GDPR support on this page.

Information and guidance

Data protection legislation covers everyone about whom you keep personal data. This includes employees, volunteers, service users, members, supporters and donors. The legislation:

  • requires organisations to register if they keep records
  • governs the processing of personal data including 'personal sensitive data'
  • requires organisations to comply with eight principles for data protection
  • allows employees, service users and other contacts to request to see the personal data held on them.

Every organisation should have a written policy and procedure that is specific to their context about how they handle personal data and enact privacy principles.

Requirements for these policies and procedures will change when GDPR takes effect. Read our guidance for charities on how to prepare for GDPR.

Sample policies

It can be hard to write a policy from scratch. There are a number of suppliers of sample policies. These are intended as guidance only and should be developed alongside the guidance from the Information Commissioner’s Office to ensure they are specific to your circumstances.

Watch our GDPR webinar

We ran a webinar with Protecture (one of our Trusted Suppliers) on 18 October 2017; you can watch the recording.

Training and events

NCVO offers training on data protection and the GDPR for charities and voluntary organisations. This is delivered regularly at NCVO in London, at venues around the country or bespoke at your premises. Email us to discuss what might suit you.


Consultancy support

NCVO's consultancy service can provide a health check for your organisation to assess your data protection fitness and develop an action plan for GDPR compliance. Email us for more details.

Trusted Suppliers

  • Protecture provides tailored packages of support to ensure you have everything in place for the new GDPR legislation. NCVO members receive a 10% discount off the first year fee. See GDPR events by Protecture.
  • ClearComm provides a GDPR portal for voluntary organisations with a turnover under £1m. The portal allows your organisation to track its compliance journey, working to timescales with bespoke action plans.
  • HR Services Partnership are offering a seminar, 'Getting ready for the GDPR - the HR implications', in London on 22 February.

Further Information

The Information Commissioner's Office (ICO) is the regulator for data protection and privacy law. Their website is an excellent source of information and support and includes:

  • their Guide to GDPR that they will regularly update and a FAQ page for charities
  • a code of practice for writing privacy notices, which explains how to comply with both the existing Data Protection Act and the EU’s General Data Protection Regulation (GDPR). EU countries must comply with the GDPR from 25 May 2018.
  • specific pages for the charity sector including findings from ICO advisory visits to 32 charitable organisations
  • a self-assessment toolkit for small and medium enterprises
  • general guides on data protection and freedom of information
  • an extensive index of specific guidance on a broad range of related topics like marketing, CCTV, data deletion, and filing systems
  • an advice service by phone on 0303 123 1113 (local rate) or 0162 554 5745 (national rate) – you can also email the ICO
  • advisory visits to your organisation for a day, with a short follow up report.