Last week at NCVO’s Trustee Conference I chaired a session on data protection and the General Data Protection Regulation (GDPR), aimed at providing trustees with an overview of the key changes and challenges ahead and equipping them with advice on how to ensure their charities are compliant.
The room was full of delegates wanting to hear directly from the Information Commissioner’s Office what they need to know and what they need to do to prepare for May 2018, when the GDPR comes into force.
For those who were unable to join, I thought it would be helpful to share they key things I took away from the session which trustees need to know and do.
1. Develop a culture of commitment to privacy
Data protection and GDPR are an important board-level issue, as they involve judgements that need to be made about how the charity will approach compliance. But there is also a higher level of responsibility, in relation to developing a culture of commitment to transparency that informs all the activities of the charity.
Data protection is principles-based legislation that involves balancing different interests and making decisions on a case-by-case basis, so it is important that those decisions are informed throughout by your wider culture and values.
2. Consent is not the only ground for processing
There are six grounds for processing, of which consent is only one.
The most appropriate ground will depend on:
- what you’re doing
- how intrusive the activity is
3. Just because you hold data, you don’t own it
That data still belongs to an individual, so treat it accordingly. In particular, the principles of lawfulness and fairness should always be followed.
4. If you have data you don’t need, get rid of it
Although there are no specific minimum or maximum periods for retaining personal data, it must not be kept for longer than is necessary for the purpose it was processed.
In practice, this means you will need to review the length of time you keep personal data, and securely delete information that is no longer needed.
Keeping personal data for too long and when it is no longer being used increases the risk that the information will go out of date, or that it will be used in error.
This is the fifth data protection principle on ‘retention’.
5. Make someone responsible for data protection and GDPR compliance
This does not need to be a data protection officer as is mandatory for certain controllers and processors under the GDPR. But every organisation will need someone to takes responsibility and oversight of its data processing activities. That person will be a ‘yes, but…’ person: they won’t stop you from doing something (unless it’s against the law!) but they will make sure you are doing it correctly and following all the requirements.
And, last but now least, don’t panic!
Despite all the hype, the GDPR is a continuation of the existing regime set in the Data Protection Act. ‘It’s an evolution, not a revolution’ – so if you are processing lawfully under the existing act, you are already in a good place with respect to the GDPR.
Further practical information
View slides from the various Trustee Conference sessions, including one on data protection
GDPR and the changes to data protection legislation will be one of the many topics of our Charity Regulation Conference, which is taking place on Monday 5 February 2018.
See all of NCVO’s GDPR support
Elizabeth was head of policy and public services at NCVO until 2020. 
