Voluntary Action Camden

Guide to General Data Protection Regulation (GDPR)

GDPR is data protection legislation that applies to all European Union countries and the UK. The law came into force on 25 May 2018.

In this guide we explain how GDPR applies to voluntary organisations and what you need to know about the legislation to ensure your organisation complies with the rules.



In the rise of the Information Age, each of us creates large volumes of personal data through our online activities. GDPR was brought in to provide greater rights and protections against individuals, companies, corporations and governments that might otherwise use personal data in harmful ways.

The Information Commissioner’s Office (ICO) is the regulatory body responsible for enforcing GDPR and is the main authority for information about data protection and security in the UK.

If you would like to know more about the impact GDPR has on your organisation, either get in touch for a conversation or fill in our form to request support from us.

What is personal data?

The ICO defines personal data as ‘information that relates to an identified or identifiable individual.’ Types of personal information range from name and birth date, to an IP address, cookies and any other information that can be used to identify an individual.

In brief, GDPR enforces four data protection rights:

  1. Your right to object to your data being processed for a number of commercial and research uses.
  2. Your right to rectification if the information about you is incorrect or incomplete.
  3. Your right to erasure (right to be forgotten).
  4. Your right to restrict processing of your data that a company or an organisation is holding.

What do I need to do?

  • Watch our online training videos below, along with accompanying Guides and Resources.
  • Take the ICO’s data protection self-assessment for small organisations. The process will enable you to get to grips with the principles of GDPR and ensure you don’t unintentionally break the law when collecting, holding and processing personal data.
  • Ensure your organisation’s website has a privacy notice that clearly explains what personal data your organisation collects, and how it is used. Our privacy notice is here.
  • Use GDPR-compliant marketing and communications tools such as Mailchimp that gives subscribers the option to control how you use their data in your marketing activities. 

Fines for breaching GDPR

The penalties for breaching GDPR are serious and can result in hefty fines meted out by the ICO.

Read more about how GDPR breaches and fines can impact organisations at Charity Digital.

How we can help you stay compliant

Check out our online video workshops taking you through the theory and practical steps needed to comply with the GDPR.

We have put together some practical guidance on GDPR with three exercises and help with drafting a privacy policy. Download these documents here:

  1. GDPR data audit compliance check
  2. Drafting a privacy policy
  3. GDPR: what now? Practical steps to remain compliant with the GDPR.

NCVO published an interesting blog post about their interpretation of the ICO’s guidance and how useful they think it is for voluntary organisations.

Helpful links and resources

Guide to the UK General Data Protection Regulation (UK GDPR)

The Voluntary Arts Guide to GDPR

12 frequently asked questions for charities