General Data Protection Regulation (GDPR)



VOYC Devon Overview

Despite Brexit, the UK government has indicated that it will implement the EU’s General Data Protection Regulation (GDPR), and this will apply from 25th May 2018.

While the principles are similar to those in the Data Protection Act 1988, there are some additional requirements that Voluntary and Community Sector Organisations (VCSOs) need to be aware of. The most significant is accountability, as the GDPR requires you to demonstrate compliance by design. This means ensuring you have adequate systems, contractual provisions, documented decisions about processing and training in place. GDPR is in effect forcing VCSOs to know exactly what personal data they hold and where it is located (whether on PCs, on servers, or in the Cloud), and to have procedures in place to ensure its complete removal when a request to do so is made.

Under the new regulations, all VCSOs must keep a thorough record of how and when an individual gives consent to store and use their personal data. Organisations will need to understand what data they hold and how the personal data is used.

Consent will now mean you have to have an active agreement. It can no longer be inferred from, say, a pre-ticked box. VCSOs that control how and why data is processed will have to show a clear audit trail of consent, including screen grabs or saved consent forms.

Individuals will also have the right to withdraw consent at any time, easily and swiftly. When somebody does withdraw consent, their details must be permanently erased from the relevant mailing lists, as GDPR gives individuals the right to be forgotten.

In the event of a significant data breach, GDPR forces VCSOs to inform relevant authorities within 72 hours, giving full details of the breach and proposals for mitigating its effects.

Over the next two pages we have set out a step-by-step guide to help you get to grips with what your organisation needs to be aware of and what actions need to be taken to ensure that your organisation meets the GDPR.

Please remember that the work required will be related to the size and scope of the VCSO, and for many it will simply be building on what you are already doing! Please do feel free to give us a ring to discuss this if anything is still unclear after you have read the guide.

Mark Goodman

Chief Officer

VOYC Devon


What Next, The VOYC Step by Step GDPR Guide:





Your trustee board / management committee and senior staff (paid or unpaid) need to:

  • be aware that the law is changing;
  • add data protection to your risk register if you have one;
  • make sure that you have an appointed lead person.

The Trustee Board / Management Committee need to know enough to enable them to make good decisions about what you need to do to implement GDPR. Please be aware that this might take some time and effort, so don’t leave it too late!


Arrange an audit of just what personal data you currently hold, where it came from and who you share it with to get a sense of what you’ll need to do next.

Remember this means all personal data including, for example, lists of employees and volunteers, service users, safeguarding information, members, donors and supporters.


You should now document the findings of the audit, as GDPR means you must keep a record of your processing activities. Also record what data, if any, you share with third parties, and the reason why.

When you have the information, you can then consider whether you actually need to hold all of it.

You could also give some thought to whether there is a need to hold any additional information (are there any gaps?) on such things as people who have given donations to the VCSO.


You will now need to make a case for how long you need to hold the information for each of the lists you identified at 2 above. 

Remember that to ensure compliance you will have to be able to show that you are not holding data longer than absolutely necessary. For some organisations there will be a statutory duty to hold information for a given time. For those organisations that have a young people’s membership, give some thought to what you think is reasonable and practicable in terms of when to review your membership list (six monthly, annually or on a fixed date).


You should be setting out in a concise, easy to understand way how you intend to use an individual’s data. This could be on:

  • your membership application form;
  • a membership renewal;
  • a privacy notice on a website or email footer as these are the most common way to do this.

Under GDPR, privacy notices must give additional information such as how long you will keep data for and what lawful basis you have to process data. The Information Commissioner’s Office (ICO) has guidance on GDPR compliant privacy notices.

You may well already have privacy notices on your e-mails or website, for example, but they will need to be updated.


You will need to ensure that you have systems and training in place so that those who use the data are only using it for the original purpose (the one for which you sought permission).

Remember that you cannot change how you use such data from the original purpose(s) specified! Any new data lists held will require consent.


You should now be thinking about your processes for how you will gain active consent whilst also seeking the active agreement from any new people joining one of your data lists.


Why not start doing this before May 2018 to save you time in the future?


It is now time to contact all those who you want to remain on existing lists and also those who will be on any new data list to seek their consent. Remember you have to get an active agreement as it can no longer be inferred from a non-reply.


This request should include: why you hold the data, how long you will hold the data for, how this will be held by your organisation and also give an explanation of how the individual could remove themselves from the list. Remember that this also includes your lists of those children and young people that you are working with and their parents / guardians if applicable.


If your organisation offers online services to children and young people and relies on consent to collect information about them, then you may need a parent or guardian’s consent in order to process their personal data lawfully. You will need to be able to verify that the person giving consent on behalf of a child is allowed to do so, and any privacy statements will need to be written in language that children can understand.

For the first time, the GDPR will bring in special protection for children and young people’s personal data, particularly in the context of commercial internet services such as social networking. The GDPR sets the age when a child can give their own consent to this processing at 16 (although this may be lowered to a minimum of 13 in the UK). If a child is younger, then you will need to get consent from a person holding ‘parental responsibility’.


You now need to set up systems to ensure that you have a clear audit trail of consent, including screen grabs or saved consent forms.

Remember, this is confidential information and it needs to be stored securely.


You will need to be able to ensure that if somebody withdraws consent, their details will be permanently erased.

You need to have a manageable system that enables you to delete records, as individuals have the right to withdraw consent at any time, easily and swiftly.


Your organisation’s Data Controller will need to ensure that, in the event of a significant data breach, your VCSO informs relevant authorities within 72 hours.

They would need to give full details of the breach and proposals for mitigating its effects.


Build in regular reviews of the data list records.

You will need to review why you’re holding the information (dependent upon the size of your organisation and what you do) to ensure that you are following these procedures.


If you carry out extensive fundraising activities, then get up to speed on data protection and fundraising. on direct marketing.

The use of personal data is central to most fundraising activities and there has been a great deal of public and media scrutiny of fundraising techniques. If you use personal data to fundraise then you need to follow the latest guidance on fundraising and data protection. The Fundraising Regulator provides guidance which complements guidance from the ICO.


Good luck and if you need to talk this through contact us at the VOYC Office!



Other useful resources include:

Information Commissioner’s Office Guide to the General Data Protection Regulation (GDPR)