Triratna Resources

Some info on GDPR (data protection law) updated July 2021

On Tue, 3 September, 2019 - 21:29
Development Team

DON’T PANIC! It’s unlikely we are straying too far from the law, given we aspire to ethical and respectful living!

In the UK, the ICO (Information Commissioner's Office) oversees GDPR compliance and has an advice line for small organisations which you can call if you have any tricky questions - 0303 123 1113 and select option 4

You may also find information on their website of interest, particularly this page. If you’re concerned about whether you need a Data Controller, see this page.

The main thing is to be able to justify what you have done – and to have had that signed off at the charity board/trustee level.

You need to be able to show that you’ve taken good care of people’s data, responded to requests not to contact folk and that any contact you have made can be justified at some level of legitimate interest/soft opt in.

There are some good videos on YouTube about assessing your organisational holding of personal information. Look at small business ones - don’t frighten yourself, it’s easy to overreact to this. This video is a quite recent one which covers:

  • privacy notices – why they are important and what you need to get them right
  • common pitfalls – subject access requests, data breaches and contracts
  • key practical tips that assist with compliance

The principles of the legislation are:

  • Lawfulness, fairness and transparency (you only hold personal information you have a legitimate right or good reason to - they know about it and everyone knows what you do with it) 
  • Purpose limitation (you only use the personal information for the reason it was given to you)
  • Data minimisation (you keep only the minimum personal information that you need/are required to)
  • Accuracy of the data
  • Storage limitation (there are agreed timelines for the destruction of the personal information you hold)
  • Integrity and confidentiality (that information is not available to others who have not been agreed in the purpose and is kept securely) 

We should ask ourselves what kinds of personal information do we hold about individuals? eg

  • name, address, phone number, email address
  • bank account details and other details for team members 
  • records of which events they’ve attended
  • standing orders that Sangha members give 
  • notes on their development/progress towards ordination perhaps

Against each kind of information answer these questions:

  • What is my legal right/requirement/legitimate business need to hold this information?
  • Do I have explicit consent to hold this information from the person involved?
  • If this information is exempt from consent requirements in GDPR, what is the legal reason?
  • How long do I keep this information on record? 
  • How am I storing this information? 
  • Who is in charge of this information? (ultimately the trustees but they can delegate the responsibility of Data Controller to eg the Chair or Centre Manager, make sure it’s minuted)
  • Who has access to this information? (probably wise to have an explicit agreement with volunteers and Centre workers setting out the limits of what they can do)

After this assessment work out what you need to do to make your holding of information compliant with legislation. 

You need a privacy statement that details what kinds of information we hold for what purpose and for how long, and its security. It doesn’t legally have to be on your website but might as well be, and then you can link to it as required eg

If you have further questions around data protection feel free to get in touch and we may be able to help or put you in touch with others with experience in this field 

info [at]



Munisha

Some of you may have questions about how data protection law affects the sharing - and storage - of information related to Safeguarding.

The short answer is that in the UK, the Data Protection Act 2018 contains an amendment specifically to permit the careful and limited sharing of information in order to address or prevent harm and crime - only between the few who need to know in order to address the matter effectively and swiftly.

Here is a document the Safeguarding team put out in 2018 to complement the ‘Changes to Data Protection’ document attached to the post above. It covers how to store confidential information/case notes securely, as required of Safeguarding officers in Britain.

And for those of you who live outside the UK… things may be very different indeed. In Sweden, where I live, the storage of confidential sensitive personal information or case notes by a charity/förening is completely forbidden! So check the law in your country.