A controller determines the purposes and means of processing personal data. If your charity or group decides how and why personal data is used, you are a data controller.
A processor acts on behalf of a controller to process personal data. If you use a third party (e.g. a payroll service or IT provider), you must ensure your contracts with them comply with data protection regulations.
Any living, identifiable person whose personal data is being processed. This includes volunteers, staff, service users, and donors.
Any action performed on personal data, including:
- Collecting
- Recording and storing
- Organising and structuring
- Altering
- Using
- Disclosing
- Erasing or destroying
Information that relates to a living person who can be identified from that data. Examples include names, addresses, phone numbers, job titles, dates of birth, and salary details—especially when stored in systems like personnel files or HR databases.
These are types of personal data that are considered more sensitive and require extra protection. Under UK GDPR, they include:
- Racial or ethnic origin
- Political opinions
- Religious or philosophical beliefs
- Trade union membership
- Genetic data
- Biometric data (used for identification)
- Health data
- Sex life
- Sexual orientation
These categories do not include data about criminal offences, which are governed by separate rules. If you need to process and store information about criminal offences as part of your Safer Recruitment and Safeguarding processes find out more on our Safeguarding and DBS pages (Link to E-portal pages) or speak to our ChatBot.
Read more about special category data here.
The legal reason for processing personal data. Under UK GDPR, there are six lawful bases.
- Contract – processing data to fulfil a contractual obligation to a data subject or provide a quote.
- Legal Obligation – if you need to process the personal data to comply with common law or statutory obligation.
- Vital interests – if you need to process data to protects someone’s life
- Public Task – in the exercise of official authority
- Legitimate interest - Processing is necessary for your organisation’s legitimate interests or those of a third party
- Consent - clear permission has been given for you to process their personal data for a specific purpose.
Full details of these can be found on the Information Commissioners Office website.
Individuals have a number of fundamental rights under data protection laws, which empower them to control their personal data and how it is used. These are
- Right to be informed
- Right of access
- Right of rectification
- Right to erase
- Right to restrict processing
- Right to portability
- Right to object
- Rights related to automated decision-making including profiling
Full details of these rights can be found on the Information Commissioners Office website.