DON'T PANIC! It's unlikely we are straying too far from the law, given we aspire to ethical and respectful living!
In the UK, the ICO (Information Commissioners Office) oversees GDPR compliance and has an advice line for small organisations which you can call if you have any tricky questions - 0303 123 1113 and select option 4
You may also find information on their website of interest, particularly this page. If you're concerned about whether you need a Data Controller, see this page.
The main thing is to be able to justify what you have done – and to have had that signed off at the charity board/trustee level.
You need to be able to show that you’ve taken good care of people’s data, responded to requests not to contact folk and that any contact you have made can be justified at some level of legitimate interest/soft opt in.
There are some good videos on YouTube about assessing your organisational holding of personal information. Look at small business ones - don't frighten yourself, it's easy to over react to this. This video is a quite recent one which covers:
- privacy notices – why they are important and what you need to get them right
- common pitfalls – subject access requests, data breaches and contracts
- key practical tips that assist with compliance
The principles of the legislation are:
- Lawfulness, fairness and transparency (you only hold personal information you have a legitimate right or good reason to - they know about it and everyone knows what you do with it)
- Purpose limitation ( you only use the personal information for the reason it was give to you)
- Data minimisation (you keep only the miminum personal information that you need/are required to)
- Accuracy of the data
- Storage limitation (there are agreed timelines for the destruction of the personal information you hold)
- Integrity and confidentiality (that information is not available to others who have not been agreed in the purpose and is kept securely)
We should ask ourselves what kinds of personal information do we hold about individuals? eg
- name, address, phone number, email address
- bank account details and other details for team members
- records of which events they've attended
- standing orders that Sangha members give
- notes on their development/progress towards ordination perhaps
Against each kind of information answer these questions:
- What is my legal right/requirement/legitimate business need to hold this information?
- Do I have explicit consent to hold this information from the person involved?
- If this information is exempt from consent requirements in GDPR, what is the legal reason?
- How long do I keep this information on record?
- How am I storing this information?
- Who is in charge of this information? (ultimately the trustees but they can delegate the responsibility of Data Controller to eg the Chair or Centre Manager, make sure it's minuted)
- Who has access to this information? (probably wise to have an explicit agreement with volunteers and Centre workers setting out the limits of what they can do)
After this assessment work out what you need to do to make your holding of information compliant with legislation.
You need a privacy statement that details what kinds of information we hold for what purpose and for how long, and its security. It doesn't legally have to be on your website but might as well be, and then you can link to it as required eg
If you have further questions around data protection feel free to get in touch and we may be able to help or put you in touch with others with experience in this field
info@triratnadevelopment.org