Introduction to GDPR

On 25 May 2018, the General Data Protection Regulation (GDPR) came into force, replacing the Data Protection Act 1998 (in the UK it is now retained as the UK GDPR, supplemented by the Data Protection Act 2018). The regulation applies to all types of organisations, including small charities and voluntary groups, and continues to be important today. If your group handles any kind of personal data, GDPR is something you need to be aware of, and it may mean making some changes to how you collect, store, and use that data.

GDPR is about organisations handling personal data in a fair, responsible, and transparent way. You must have a clear, lawful reason for holding and using personal data, and be upfront about what that reason is. In some cases you will also need to obtain consent from individuals, and GDPR strengthens individuals' rights over how their data is used, including the right to see the data you hold about them and to have it corrected or erased.

What is personal data?

The GDPR broadened the definition of personal data to cover any information relating to an identified or identifiable living person, whether they are identified directly or indirectly. This might be contact details, a membership number, an online identifier, or even a photograph. You should consider all the data your group holds. A common name on its own might not identify anyone, but combined with an email or postal address it will. Identifiers such as bank account details or ID numbers count as personal data even on their own, because they can be linked back to a particular person, and pieces of information that look harmless separately can become personal data once they are held together.

What does GDPR mean for your group?

Even now, GDPR remains a useful prompt for reviewing how your group handles personal data. If you haven't looked at your policies in a while, or you're unsure about your current processes, it is a good time to check that you are handling data responsibly and staying compliant.

What action should your group take?

Start with a data audit: What information do you have? How do you use it? Do you still need it?

Think about all the ways your group may hold personal data – not just names and addresses, but digital and paper records, and data collected by staff, volunteers, or visitors.

You need a lawful basis to use personal data, but that basis does not always have to be consent. For example, you don't need someone's permission to hold their contact details if they are a member and you are contacting them about group activities: your membership agreement with them, or your legitimate interest in running the group, covers that use.

However, when consent is the basis you rely on, GDPR says it must be freely given, specific, informed, and unambiguous, and shown by a clear affirmative action. That means individuals must actively opt in (for example by ticking an unticked box) rather than being opted in by default, and they must be able to withdraw consent as easily as they gave it.

Regardless of the basis you rely on, you should always provide a specific privacy statement explaining how and why you will use the data being collected. The data may only be used for the purpose it was provided for. For example, if someone books a place at an event, you can't add them to your newsletter list unless you clearly told them at the time that you would, and, for an email newsletter, gave them the chance to opt in.

Data retention: Only keep data for as long as you need it. What counts as "needed" will vary depending on the type of data (some financial and safeguarding records must be kept for a set period), so decide and write down a retention period for each kind of data you hold. Once data is no longer required, delete it securely, including any copies in backups, spreadsheets, email and paper files.

Documentation: You must be able to show that you have processes and policies in place for managing personal data responsibly. At a minimum, record what personal data you hold, where it came from, why you hold it, who it is shared with, and how long you keep it.

Does the GDPR apply to your group?

Yes, if your group handles personal data, and almost every group does. GDPR applies to all organisations, from global companies to local volunteer groups, whenever they process personal data in the course of their activities. It might feel like extra work, but ultimately GDPR exists to protect people and to ensure that organisations treat personal information with care. Most of us expect the same when it comes to our own data.