Voluntary Sector Support Guidance

A guide to the General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) came into law in 2018. It replaces the Data Protection Act 1998. This information is designed to help you ensure your organisation complies with the legislation.

Questions to ask

The key questions all organisations need to ask themselves are:

  • What information do I hold?
  • Why have I got this information?
  • Do I have permission to hold it?

It is also important to identify the retention schedules for each piece of information you hold and whether you have a valid lawful basis for processing data of this kind.

There are six lawful bases for processing personal data, each depending on the company’s relationship with the individual.

A helpful guide to establishing whether or not you have a legal right to hold a particular data set can be found on the Lawful basis for processing page on the ICO website. The checklist on this page would be a good place for any organisation to start their process of becoming GDPR-compliant.

What information does GDPR apply to?

GDPR applies to both ‘Personal Data’ and also ‘Sensitive Personal Data’, meaning any information which could directly or indirectly identify an individual.

GDPR also applies to personal data which has been anonymised, depending on how easy it would be to still match the anonymised data to an individual. Sensitive personal data includes ‘Special Categories of Personal Data’, for example ethnicity, religious beliefs or sexual orientation. Read more on our Equality and diversity commitments page.

The data protection laws concerning criminal convictions are slightly different to the generic ones set out in the GDPR legislation. Find specific guidance on the ICO website.

Individual rights

GDPR includes specific rules for the rights of an individual, and the organisation’s obligation to provide ‘fair processing’.

It also emphasises the need for transparency regarding why the data is being held and what it will be used for.

GDPR includes the following rights for individuals:

  1. The right to be informed
  2. The right of access
  3. The right to rectification
  4. The right of erasure (to be forgotten)
  5. The right to restrict processing
  6. The right to data portability
  7. The right to object
  8. Rights in relation to automated decision making and profiling

More information about these individual rights can be found on the ICO website.

Accountability, governance and compliance

An organisation must show that it is compliant with the new GDPR legislation and is expected to put in place comprehensive but also proportionate governance measures. The measures should minimise the risk of breaches but also outline how the organisation will process data in the future.

Find more information about Accountability and governance on the ICO website.

Further information

The best place to find information about GDPR is the ICO website.