
General Data Protection Regulations – Preparing for the Data Protection Reform



The revisions for Data Protection laws are due to take effect from 25th May 2018, and organisations are being advised to start preparing for the changes. 

Every organisation that handles and works with personal data will soon have to comply with the new General Data Protection Regulations (GDPR), which come into effect on 25th May 2018.

This includes charities and voluntary organisations.

Taking on and working with GDPR can seem worrying, as it can be difficult to know where to start.

The Information Commissioner’s Office (ICO) is the UK’s independent authority which works to support and maintain information rights in the public interest. It promotes openness by public bodies and data privacy for individuals.

To help individuals and organisations take the right steps to prepare for when the GDPR rules come into effect, the ICO has devised and produced a 12-point plan which can be used as inclusive advice and guidance.

Below is a summary of what you need to know, as advised by the ICO:

1. Make sure the right people in your organisation know this is coming

Your trustee board and senior staff have to be aware that the law is changing, as they will need to know enough to make the right choices about what you need to do to put GDPR into practice. They need to be aware that putting it into place could take time and effort, and they need to add data protection to your Risk Register, or any Risk Management process you might have.

2. Identify what data you hold and where that data came from

If you don’t know what personal data you hold and where it came from, you will need to start recording the different methods of data collection used within the different areas of your organisation to find out.

This means all personal data, including that of employees and volunteers, service users, members, donors, supporters and more.

You should document your findings, as GDPR means you must keep records of your processing activities. You will also have to record whether you share data with any third parties.

3. Update your privacy notices

You must always tell people in an easy-to-follow manner about how you intend to use the information they give you.

Privacy notices are the most common way to do this. Privacy notices on your website are a good example, but they will still need to be reviewed and updated if necessary.

According to the Data Protection Regulations which will be coming into effect next year, privacy notices have to show additional information, such as how long you will keep data for and any legal right you have to process data.

The ICO has guidance on GDPR compliant privacy notices to help with this.

4. Check your processes meet individuals’ new rights

The new Data Protection Regulations give people more rights over their data; they even have the right to have their personal data deleted.

Would you be able to find the right data to do this? Who is responsible for making sure this happens?

The ICO have good guidance and advice to help you understand individuals’ rights, and to help you prepare for this.

5. Know how you will deal with ‘Subject Access Requests’

The people and organisations you work with have the right to know what data you hold on them, why this data is being processed and whether it will be given to any other organisations or third parties.

They also have the right to be given this information in a permanent form, as a paper or ‘hard’ copy.

This is known as a Subject Access Request.

Your organisation will need to recognise when an access request is being made, find all the data that is being asked for and comply within one month of receiving that request.

The ICO again gives good advice on handling access requests.

6. Identify and document your ‘lawful basis’ for processing data

To legally process data under GDPR you must have a lawful basis to do so.

You might have to process personal data because it is required to deliver a contract you have with an individual, so you would need a lawful basis to be able to do this.

There might be different reasons that give you a lawful basis to process data; more importantly, different lawful bases give different rights to individuals.

You might be dependent on getting consent or permission from someone as a lawful basis; as a result, individuals could have stronger rights to have their data deleted.

The ICO has guidance on lawful basis to help you understand and record what lawful basis you have to process data.

Please click here for Part 2 of this article that includes the next 6 steps

The second part on this subject will cover areas such as how you gain consent for information, investigating data breaches and details on protecting personal data for children.

At the time of writing, the ICO is continuing its work to help you prepare for the new regulations, and has produced practical advice on how to comply with existing regulations, as well as how to improve data protection practices in your business, how to keep employees’ and customers’ personal information secure and how to get ready for the upcoming data protection reforms.

The booklet Preparing for the General Data Protection Regulation (GDPR), written by the ICO, goes into more detail about the above 12 steps you can take now to prepare for GDPR, which will apply from 25th May 2018.

For more information visit the ICO website.

MVA also provides a Data Protection Self-Assessment Toolkit. Written by the ICO, it has checklists to help you make sure that you or your organisation complies with the Data Protection Act and to find out what you need to do.

The toolkit is available in the expanding Operational Section of the website. For more information visit MVA's Advice and Support webpage.


