
Data Protection Toolkit - Getting Started

26 Apr 2018
Your first steps to understanding and complying with data protection laws. This guide focuses on what you need to know and focus on now, with signposting to more practical advice and resources.


Contents

  1. Data protection and the law
  2. What you need to do right now
  3. How to do it

1. Data protection and the law

Data protection law sets out what should be done to make sure everyone’s data is used properly and fairly.

It gives people ownership of information about themselves. It works to limit how organisations use that data and forces them to use it responsibly.

The relevant law in the UK is the Data Protection Act 2018. It was updated in 2019 by the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations. Together, the Act and the Regulations align UK law closely with the GDPR, the primary European regulation on data protection.

The ICO is the UK's independent body responsible for promoting and regulating data protection.

If your organisation cares about protecting the personal information of your staff, volunteers and the people you help, you shouldn't have any reservations about complying.


2. What you need to do right now

Your initial focus should be on getting in line with the accountability and transparency requirements of the GDPR.

In the long term, you should be aiming to move to best practice and to develop a culture of privacy and transparency.

1. Familiarise yourself with the data protection principles

These are, in effect, the same principles established by the 1995 EU Directive (via the 1998 Data Protection Act). If you've not come across them before or need a refresher, do it now, because you'll need to be confident that all of your processing complies with these principles.

Personal data must be:

  1. processed lawfully, fairly and in a transparent manner

  2. collected for specific, explicit, legitimate and limited purposes

  3. adequate, relevant and limited to what is necessary

  4. accurate and, where necessary, kept up to date

  5. kept in an identifiable form for no longer than is necessary (if it can be anonymised it can be kept for longer, but anonymisation is more difficult than you might think)

  6. processed in a manner that ensures appropriate security

In most cases, you'll be a data controller (the one who decides why and how personal data will be processed), unless you process data on someone else's behalf, in which case you're a processor. As a controller, you are accountable for demonstrating that these principles are being complied with.

Read: ICO: Data Controllers and Data Processors: what is the difference?

2. Document your current data processing activities

The GDPR is quite clear about the records you must keep in order to show that the effect of your data processing activities on people's privacy is clearly understood by your organisation.

The records you keep can be referred to as your Data Processing Register.

You might have to produce these records on request of the ICO, so make sure that they reflect what you do.

Read our guide to documentation and templates to get you started.

3. Understand what your lawful bases are

Under the GDPR there are six lawful bases for processing personal data. Each of your processing activities must satisfy at least one of these or it will not be legal!

  • Getting permission from your data subjects through consent is an option, but it is only one of the six lawful bases. It is far from the only option, and in many cases you'll be able to rely on another basis and therefore won't need consent. Consent should be your last resort if you can't satisfy another lawful basis, because it takes a fair amount of extra effort to make sure what you have obtained meets the standard for consent, which is higher under the GDPR.
  • You may consider the legitimate interests option for some processing relating to your organisation's purpose. If you do, there must be a clear need to use the personal data for that purpose, and you must balance this against the rights and freedoms of the data subject before deciding whether it can apply. If it does, keep a record of how this was decided and refer to the reasoning in your privacy notice.

Use the Legitimate Interests Assessment template to help you decide whether you can use legitimate interests as a legal basis.

  • In some cases you are under a legal obligation to process personal data in order to fulfil another law. For example, under employment law, employers in Northern Ireland have to provide monitoring information on their workforce to the Equality Commission. This means that their employees' personal data will be processed, but it can be done without their specific consent because it is a legal obligation, which is another lawful basis.
  • If you have a contract with the data subject you may need to process some of their personal information in order to fulfil that contract. This should be limited to what is actually necessary in order to fulfil the contract. Note that a general service contract or contract with a funder does not apply here, it has to be with the person themselves.

There are two less-commonly used lawful bases: to protect someone's life (for example in emergency situations) or to carry out a public task (generally applying only to public authorities or an organisation carrying out a public task set out in law).

You should pick the most appropriate basis for each processing activity. For example, if you have to collect some personal information because it's a legal obligation, then that is the most appropriate basis. It would be a mistake to pick consent in this case as individuals would believe they have the right to withdraw their consent (you can start to see the sorts of bother this might get you in).

You can record the choice of lawful basis in your documentation, and expand on why you've made that decision. This means that if the responsibility for data protection in your organisation falls to someone else, they're not left to second-guess your thinking.

4. Update your privacy notice

So you've thought about all of your data processing activities and started to document these. It seemed like a lot of work - why do all this?

The documentation task isn't just about keeping records for your own purposes and to satisfy a legal requirement. The concern for transparency and the individual's right to be informed means that you need to communicate these activities to your data subjects, but in a more straightforward manner.

You can choose the most appropriate way to present this information, but having a privacy notice is the most common means. The GDPR contains a useful overview of the information that you need to provide at a minimum.

Though there's quite a lot of detail involved, you also must make sure that your notices are clear and easy to understand (especially if they cover data on children or people with a limited comprehension). Remember, the point of having a privacy notice is so that people understand what you do with their data and can make informed choices, so put yourself in their position when you write it.

Once you've updated your privacy information you can then let people know that it's changed. Also, make sure that the privacy notice is provided when collecting information from people you've not been in contact with before (or when collecting more information from people you have worked with before), either by pointing them to a link or by giving them the relevant information at the time.

There are lots of good (and bad) examples of privacy notices out there. If you're not going to write one from scratch, the important thing is to make sure that it is appropriate for your organisation's processing activities. Also, make sure that your data subjects will be able to understand it and that you will actually implement the practices you describe in it.

Use the privacy notice checklist and template to make your privacy information easy to access, read and understand.

5. Put the right processes and practices in place

There's no point putting this effort into updating your policies if you don't put the changes into practice. If you say you'll delete someone's data after a year, you need to make sure that you actually do it. You need to plan how you are going to implement your data protection measures, or you will fall behind on your compliance.

Thinking about data protection should inspire a culture in your organisation where transparency and privacy are central to what you do. Data protection is very much a boardroom issue, and can't be left to individual members of staff to implement for themselves. It is not a one-off or a tick-box exercise—you must keep these practices under review.

Senior management should be involved in making decisions about internal data protection practices and security policies. The very worst approach would be to leave sole responsibility to the IT department. Data protection (and cyber security) can impact on reputation and operations if not taken seriously.

You'll need to be able to recognise and deal with subject access requests and (hopefully not, but possibly) a data breach.

  • Appoint someone to take the lead on data protection matters. This doesn't have to be a fully-fledged Data Protection Officer (unless you are required to have a DPO), but someone with the level of oversight of compliance and business-wide processes. It is not a case of making that person solely responsible—it is the organisation that is accountable—but it gives someone the ability to ensure that good privacy practices are taking place across the organisation.
  • Update your staff handbook to reflect policies and outline best guidelines. Embed the data protection principles in your policies and ensure that they're reflected in how you handle personal data.
  • Train your staff, including volunteers, in recognising their responsibilities. How you do this depends on what your staff need to know. It could be provided in-house by a knowledgeable member of staff.
  • Make sure that staff know who to report a data protection issue to if they don't know how to deal with it themselves.
  • Review data sharing and contracts with suppliers or partners, especially anyone who processes data on your behalf (a processor). You have a responsibility to ensure that anyone you share data with can provide sufficient assurance that they are also compliant with the GDPR. This includes third-party services that you use to upload or collect personal data (such as Mailchimp, Survey Gizmo, cloud storage services, etc).
  • Keep records of issues and plan how you will address them. This includes any breaches, requests from data subjects, security risks and issues with compliance. Report these as part of your organisational risk register or information asset register.
  • Assess your technical security measures. Make sure they're appropriate and up to date. If you are using old software that is out of support, this may need to be addressed. This needn't be a task solely for IT professionals. The National Cyber Security Centre guidance for charities has practical steps you can take now to assess and improve security.
  • If you work with children, think about how you will protect their data. There aren't many hard and fast rules about using children's data, but the principles of the GDPR require you to ensure that their data is given specific protection. Our guide covers what you need to consider.

Read our guide to implementing data protection policies for your organisation

Read our subject access request guide on how to recognise and deal with requests for copies of information

Read our data breach guide to know what to do in the event of a breach

Read our practical guidance on how to encrypt data to protect it from unauthorised access


3. How to do it

How you do it is down to you. You know what your organisation does best, and you know who the right people are to engage with.

As with the implementation of any change in organisational practices, there are a number of things to make sure you do:

  1. Make sure your staff and volunteers are aware of the changes that the organisation will be going through, and engage them early on in getting their input.
  2. Assess what you do currently, and record it. Making sure that your information processing activities are thoroughly documented is an important part of being accountable. Address any gaps in your current data processing activities.
  3. Review your current policies and procedures. You may find that you only need to make small tweaks to your current practices. If you've not done this in a while, there might be a bit more work in it. Concentrate on the highest-risk areas e.g. where there might be sensitive information or the activities relate to your main purpose.
  4. Plan for what to do when things go wrong. This doesn't mean the worst-case scenario can be avoided entirely, but if you can show that you're prepared for when it happens, the negative effects will be limited.

The ICO's self-assessment checklist can help you find any areas in which you might be deficient.


