Data Protection Toolkit - Templates and Guidance

Our guidance addresses some common themes for data protection in the voluntary and community sector. We've created some templates as a starting point for you to work with.

Document your processing activities

Under Article 30 it is a legal requirement that you keep records of your processing activities, and provide them to the regulator on request if necessary.

There are certain things that you need to capture and keep a written electronic record of.

This guidance and template will help you to get started. Read more.

Write a privacy notice

A privacy notice gives individuals important information about their data and how you use it.

Your approach to should provide clear and plain information. A privacy notice is a common way to do this.

This checklist and template makes sure you cover all the required information. Read more.

Carry out a legitimate interests assessment

If you're relying on legitimate interests, perhaps as an alternative to seeking consent, it's important that you balance your legitimate interests against the interests, rights and freedoms of the data subject.

You also need to keep clear records to show that you have properly considered this balance. A legitimate interests assessment (LIA) shows that you have done this.

This template comprises a series of questions that you can answer in deciding if you can use this lawful basis for your processing. Read more.

Contracts and data sharing

It's often crucial that charitable organisations share personal data with others to provide important services to people in need. This could include work with service delivery partners, reporting to funders or making referrals.

It is important that the data protection principles are observed when sharing data with another person or organisation, or when engaging the services of a data processor.

We have a template data processing agreement and tips for what a data-sharing agreement should cover. Read more.

Put a data protection policy in place

A Data Protection Policy is an internal policy which outlines your approach to protection data.

It is a set of rules and guidelines that help you to govern and implement data protection. It can include some practice steps for staff to follow.

Our guidance explains what a Data Protection Policy should cover. You'll also find a link to NICVA's own Policy provided as an example. Read more.

Handle a breach

If the world were perfect, you'd never have to do this. But it isn't, and you can never be 100% certain that human error or a cyber attack can't and won't happen.

It's best to be prepared so that you know what to do should you need to.

It'll also reassure you to know that there's a process in place so you can deal with it, rather than worry unnecessarily. Read more.

Deal with a subject access request

Individuals have certain rights over their personal data. You have to protect these rights and facilitate people who want to exercise them.

Through the right of access, people can ask for access to their own information. You have to fulfil certain obligations in dealing with these within set time periods.

Our guidance clearly explains the main points you'll need to consider in making effective responses. Read more.

Work with children's data

If your charity or community group offers services directly to children, or collects the information about children in a household receiving a service, you should carefully consider what data you collect about children and how it is used.

Because children do not have the same level of understanding as adults, you need to address the particular protection needs for their data. This goes beyond simply considering whether to get consent from a parent.

There are some questions that naturally arise when you are using children's data, as well as some issues that you may not have considered. Read more.



Every effort is made to ensure that the contents of this document are accurate, but the advice given should not be relied on as a definitive legal statement.