The new General Data Protection Regulation (GDPR)

Fundraisers and other charity staff alike need to know that the GDPR (General Data Protection Regulation) is coming and that, despite the UK leaving the EU, it will still apply to charities. The GDPR will apply in the United Kingdom from 25 May 2018.

National Council for Voluntary Organisations (NCVO), a Blog by Elizabeth Chamberlain


The changes apply to all personal data collected, processed and stored, and so also to marketing, campaigning, communications, volunteering and beneficiary databases. When an individual’s personal data is collected, processed and stored in any of these activities, the GDPR requires ‘freely given, specific, informed and unambiguous consent’ indicated ‘either by a statement or by a clear affirmative action’.

The basic concept of consent, and its main role as a lawful condition for processing, is not new. However, the GDPR does set a higher standard for consent, building on the Data Protection Act in a number of areas.


What the GDPR says: a higher standard for consent

Consent under the GDPR will need to meet the following requirements:



There must be an unambiguous indication of the individual’s wishes: in practice this means that the way consent is collected should leave no room for doubt about the person’s agreement to their personal data being processed.


Affirmative action

The person must take an action, and that action will have to be a clear indication of consent. This is why, as shorthand, many talk about ‘opt in’. The GDPR text doesn’t refer to opt in, because the affirmative action required can be more than just ticking a box, such as, for example, making a statement. But it’s fair to say that the use of ‘implied consent’ will no longer be acceptable.


Freely given

There must be ‘genuine free choice’. So it will no longer be possible to make access to a service conditional on the person giving their consent.



Consent has to be separate and distinguishable for each purpose for which it is given, and it must cover all the processing activities carried out: where processing has multiple purposes, consent must be given for all of them.



Being informed means knowing about all the different purposes of processing, and knowing the identity of the data controller, as a bare minimum. It also means being informed of the relevant rights, such as the ability to withdraw consent or object to some types of processing.



Another condition for consent to be valid is that the controller must be able to demonstrate that consent was given by the individual to the processing of his/her personal data.
This means not just recording the fact that someone ticked a box in a form, but having an audit trail that links the action to the specific privacy notice that they agreed to.

