Warrington Voluntary Action. Engaging People. Empowering Communities.

Getting ready for GDPR

If your organisation collects personal data from beneficiaries, the changes to legislation in May 2018 will affect you. Personal data is defined as any information that acts as an identifier, such as an email address, date of birth, or phone number. 

The General Data Protection Regulation (GDPR) will become law from May 25th 2018, and provides updated rules about data protection to reflect our activities online. The new legislation is very similar to the current 1998 Data Protection Act, so if your organisation's policies are compliant with current legislation, your procedures are likely to be valid and a good starting point to develop from.

On this page you will find links, resources, and FAQs to increase your understanding of GDPR and to support you to make organisational changes where necessary.

What is GDPR?

GDPR is a piece of European legislation that reflects new data protection guidelines for our increasing use of online services and apps. The Data Protection Bill is the UK legislation that details how GDPR will be carried out in this country. The Information Commissioner's Office (ICO) website has all the latest news and information, which is presented in a clear and accessible manner. Click here to be directed to the ICO website.

What do we need to do?

The ICO have also created a simple 12 step guide to support your organisation to review your policies and procedures in time for May 2018. Click here to be directed to the online guide.

What should our data protection policy look like?

WVA have a range of up to date policies to support your organisation's governance, including data protection. To request the most up to date version of a template policy, email info@warringtonva.org.uk 

Frequently Asked Questions:

How do I obtain informed consent from people who lack capacity? 

Evidencing informed consent is of high importance under the GDPR guidelines, and you can read the general rules surrounding consent here. The principles for obtaining consent from vulnerable people will remain the same under GDPR: where a person lacks capacity due to their age or mental ability, assent can be obtained from a legal guardian or professional. GDPR puts the emphasis on evidence, so you may need to think about how you keep a record of consent/assent for individuals. For more information about obtaining informed consent from people who lack capacity, you can reference the Mental Capacity Act or the National Institute for Health Care Excellence website.

Do I need to get consent for my existing contacts? 

If your procedures for obtaining informed consent are robust enough that they already comply with GDPR, then you will not need to approach your existing contacts. That is, you can demonstrate that each individual has understood how and why their data will be used and has actively opted in, through a tick box for example. However, if you do not have records evidencing that each contact has positively opted in and clearly given consent, you will need to contact those individuals to notify them of GDPR, and get them to positively opt in to your service i.e. a mailing list. You will need each individual to reply and/or actively tick a box to demonstrate that informed consent has been obtained. It will not be enough to ask individuals not to reply if they give their consent, and to only get in touch if they want their details removed. In order to get as many people to reply as possible, you will need to sell your services and their benefits. You can read more about informed consent on the ICO website here.

Are business emails the same as personal emails?

Under GDPR, personal data is defined as "data which relate to a living individual who can be identified – (a) from those data, or (b) from those data and other information which is in the possession of, or is likely to come into the possession of, the data controller, and includes any expression of opinion about the individual and any indication of the intentions of the data controller or any other person in respect of the individual." There are no specific guidelines on how business emails should be treated; however, general guidelines state that if data can be used to identify an individual, it comes under the bracket of personal data and should be handled accordingly. Often, an individual's business email address will be on the business's website and therefore in the public domain. However, to avoid any potential breach in conduct, all email addresses you hold, whether they are business or otherwise, should be treated as personal data. For more information related to personal data, please refer to the ICO's handy online guide 'Determining what is Personal Data'.

The Gateway, 89 Sankey Street, Warrington, WA1 1SR Tel: 01925 246880
Registered in England & Wales as a Registered Charity 1129343
and as Company Limited by Guarantee No:6805818