
If your organisation records personal data on behalf of Employees, Volunteers, Board Members, Clients etc., you are likely to be a Data Controller and must have a Data Protection Policy, and be able to demonstrate compliance with the Data Protection principles.
This means you must identify:
- All personal data you collect and your reason for doing so
- Your lawful basis for processing
- The measures taken to secure such data
- Information you provide to your Data Subjects regarding their rights.
If you collect personal data through your website you may also be required to publish a Privacy Statement on your webpage.
Under Article 5 GDPR, you must ensure that personal data are:
- Processed lawfully, fairly and transparently;
- Processed for specific purposes and limited to what is necessary;
- Kept accurate and up to date;
- Stored for no longer than necessary; and
- Protected against unauthorised or unlawful processing, accidental loss, destruction, or damage.
GDPR legislation also stipulates that your employees and volunteers require regular training on Data Protection & Cybercrime.
