
Data Protection & GDPR

The General Data Protection Regulation (GDPR) law on data protection provides a range of safeguards around maintaining personal data.


Organisations and groups must handle personal information in a way that will give consideration to GDPR. Information systems should ensure appropriate privacy of sensitive information related to the charity or group and their beneficiaries. It is a legal requirement for organisations to document their processes relating to GDPR. In more recent legislation, individuals have more control over their data and its uses.


GDPR legislation applies to 3 main types of data:


Personal data

  • Data relating to an identifiable person (e.g. name, email address, phone number and location data, including online identifiers such as an IP address)

  • It also covers pseudonymised data (where information is replaced by a code to disguise it) if that code is easy to break

Special category data

  • Sensitive personal data (e.g. race, religion, gender, political beliefs, union membership, health concerns, sexual orientation)

  • Genetic and biometric data

Criminal offence data

  • Criminal convictions and offences

GDPR legislation also lays out 7 protection principles that cover organisations' responsibilities when handling data:

  1. Transparency, lawfulness and fairness

  2. Purpose limitation (data collected for specified, legitimate purposes and isn’t processed beyond them)

  3. Data minimisation (collecting data that is necessary for the purpose)

  4. Accuracy (data is accurate and up-to-date)

  5. Storage limitation (data is only kept in an identifiable form for the purposes of processing)

  6. Integrity and confidentiality (protect data against unlawful or unauthorised processing and accidental loss, destruction or damage)

  7. Accountability (comply with UK GDPR and be able to demonstrate your compliance)


When it comes to organisations holding data on individuals, UK GDPR gives individuals 8 rights:

  1. Right to be informed

  2. Right to access

  3. Right to rectification

  4. Right to erasure (the right to be forgotten)

  5. Right to restrict processing

  6. Right to data portability

  7. Right to object

  8. Rights in relation to automated decision making and profiling

Key points

  • Organisations and groups must comply with legislation relating to personal information

  • Breaching GDPR has serious consequences
