Use this page to understand what data protection is and why it matters. This should not be used as legal advice. We link to more detailed advice from the Information Commissioner’s Office (ICO) throughout.
Data protection law aims to make sure that personal data is gathered, stored and used responsibly and transparently. It gives people ownership of information about themselves. It works to limit how organisations use that data and forces them to use it responsibly.
The relevant law in the UK is the Data Protection Act 2018. It was updated in 2019 with the Data Protection, Privacy and Electronic Communications (Amendments etc) (EU Exit) Regulations. Together, the Act and the regulations align UK law closely with GDPR, the primary European regulation on data protection.
The ICO is the UK’s independent body that is responsible for promoting and regulating data protection. We link to their advice throughout this page.
Use the ICO’s small organisation home page.
The exact nature of personal data is very complicated and varies from situation to situation. The legal definition of personal data in the UK is ‘any information relating to an identified or identifiable natural person’. That means that personal data is information about a person who can be:
For many organisations, personal data is the most obviously identifiable information about a person. Name, age, email address, full postal address or full postcode are all examples of 'personal data'.
Sometimes it’s less obvious that information is personal data. For example, technical information that can identify people, such as their computer’s IP address, is also considered 'personal data'.
You could hold data on a wide range of people – from past volunteers, to people who give you donations, and many others.
It isn’t only information you are directly collecting about people that counts. It could also be information people give you about others.
My Voice creates an app to help young people process what they are thinking in difficult situations. The young people can choose to send their entries to a counsellor who’ll contact them with follow-up advice. If they do this, the app collects and stores their phone number.
Most of the app focuses on clicking on preset words or images. Some young people ask for a free text space to vent. They expect the counsellor to see that venting. But sometimes they mention names and other information about friends or relatives in their text. My Voice doesn’t want to store that data and has no right to collect it, but it could fall under the definition of personal data.
My Voice doesn’t want to stop the young people getting help in the way they want to. So the counsellors agree to edit out any personal data about other people when they first open the message. This means it’s deleted from the organisation’s system as soon as possible.
There are also types of legally defined sensitive personal data. This is called special category data. It includes:
There are similar rules for data about criminal allegations, proceedings or convictions.
If special category data can be connected to a person there are additional rules to follow.
You need to know and understand what the legal principles of data protection are and what they mean for your organisation. They are as follows.
Find the full legal wording of the principles on the ICO’s website.
For more on each of these areas, see our steps to improve data protection in your organisation.
The purpose of the data protection principles is to keep people safe and respect their rights.
People have a right to:
This page was last reviewed for accuracy on 02 March 2021
Data protection legislation covers everyone about whom you keep personal data. This includes employees, volunteers, service users, members, supporters and donors.