Data Protection Basics

The basic concepts of data protection are quite simple.

You might want to download the Induction Training presentation at the end of this post. Or, keep reading for a brief summary of the key points.


Lawful, fair and transparent

If you wouldn’t be willing to go and tell someone that you’re doing something with their information, you shouldn’t be doing it.

And you should be proactive about telling people what you’re doing. It’s a privilege to use people’s information, not a right. At the end of the day, it doesn’t belong to you – it’s still their information.

Collected for a specified purpose and not used for anything else

You can’t collect personal data for one thing, and then decide to do something completely different with it later.

For example, you collect someone’s information in order to tell them about an upcoming charity event. Great. Good. You can’t then use their information to send them marketing materials about plumbing supplies. They did not sign up for that.

Data minimisation

Don’t collect or use more personal data than you actually need. Don’t collect someone’s information just in case you “might” want it later. If you can do something without using personal data, or with the identifying information removed, you should.

Accurate and up-to-date

Things go wrong when you’re working with bad information. Letters get sent to the wrong person, or you might make a poor business decision.

Regularly update your contact lists, and give people a chance to check their information is still accurate.

Not kept for longer than necessary

If you don’t actually need the personal information anymore, get rid of it. Securely, of course.

Information security

We need to make sure we protect people’s personal information properly. Think about the different controls you could put in place to ensure files don’t get lost, aren’t accessed by people who shouldn’t see them, and to prevent your computer systems being hacked.


It is the organisation’s responsibility to ensure they comply with the law, and, if they were asked, they should be able to evidence that.


There are plenty of things for which you don’t need consent, for example if you have a contract. However, you do need it for things like direct marketing (which includes fundraising and communications activities).

Consent under the GDPR means something very specific: the person understands what you’re going to do with their information, they have actively agreed you can do it (i.e. ticking a box), and you could demonstrate that later.


An “incident” is any event or activity which is not in line with the law. Under the GDPR, serious breaches of the law need to be reported to the regulator within 72-hours. Some incidents won’t be serious, but you’re still going to want to keep a record of what happened and take steps to ensure it doesn’t happen again.

Relationships with other organisations

There are likely to be times where, quite legitimately, you need to share information with someone else. Maybe it’s an IT contractor who needs access to your systems in order to repair them. Perhaps you’re passing information to another charity, because they provide a service for you.

You just need to make sure you have a written agreement or contract in place, if you’re sharing data with someone regularly. You should also do some due diligence to make sure they’re taking care of the data properly on their end.



There is some data protection-specific jargon. And you’ll find the whole subject easier if you understand the language.

Data protection What we do, and don’t do, with personal data
Personal data Any information which relates to a living person e.g. bank details, name, car license plate, a photograph of them, a recording of a call.

Not information about companies

Processing Anything you do with personal data e.g. collecting it, using it, storing it, archiving it, deleting it
Controller The organisation that decides what you’re going to do with personal data, and how
Processor An organisation who follows instructions about processing personal data
Third party Someone with access to personal data that is not the data subject, controller, or processor
Data subject The subject of the data i.e. the person the information is about
Supervisory authority The regulator who looks after data protection, in this case, the Information Commissioner’s Office
Data sharing Giving someone personal data, or giving someone access to personal data

Got it?

Have a look at the Induction Training, and then take this quick Quiz to test your understanding.

Induction Training

Induction Training Quiz



One thought on “Data Protection Basics

  1. Pingback: Where do I start? | Data Protection in Practise

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s