Upcoming Changes in Data Protection – how do they affect us?


In May 2018, the Data Protection Act 1998 (DPA), designed to protect personal data, will be replaced by the European Union’s General Data Protection Regulation (hereafter, GDPR).

The GDPR was approved and adopted by the EU Parliament in April 2016. The regulation takes effect after a two-year transition period and, unlike a Directive, it does not require any enabling legislation to be passed by government, which means that it definitely comes into effect on 25 May 2018. The aim is to give people more control over how their personal data is used because the current legislation was enacted before the internet and cloud technology created new ways of manipulating data.

Despite the fact that the UK is in the process of leaving the EU, this regulation is likely to be converted into British law by introducing a new Data Protection Act which will mirror the GDPR. In fact, “if you process data about individuals in the context of selling goods or services to citizens in other EU countries then you will need to comply with the GDPR, irrespective as to whether or not the UK retains the GDPR post-Brexit” (EU GDPR, Feb 2018).

Personal data is used in everything and by everyone, including the sales sector, customer relationship management and marketing, and therefore all businesses, charities and organisations that deal with any personal information will be affected. The changes brought by GDPR are not to be taken lightly, and businesses must realise the impact of processing personal data and the importance of keeping people’s private information safe and secure.

This article will discuss the most important things that you and your business, charity or any other type of organisation must know before GDPR comes into force.


What counts as personal data?

Personal data is any information that makes a person identifiable, such as name, identification number, location data, telephone number or online identifier (e.g. IP addresses).

If you think that you don’t process any personal information, then think again! Visitors to your website, people on your emailing list, the contacts you have on your phone or in your email system, clients in your CRM system, etc. all count as personal information.


Who must comply with GDPR?

Everyone who deals with personal information, which is actually everyone.

The GDPR not only applies to organisations located within the EU but will also apply to organisations located outside of the EU if they offer goods or services to EU individuals or have them on their emailing list. It applies to all companies processing and holding the personal data of people residing in the EU, regardless of the company’s location.


Does GDPR apply to charities and other not-for-profit organisations?

Oh, yes. As said above, any organisation whatsoever that processes personal information (and that includes email addresses and phone numbers) needs to comply. All charities will have to ensure they are GDPR compliant by 25 May 2018, in the same way that they currently have to comply with the Data Protection Act (DPA).


What will be new under the GDPR?

  •  Consent and the Right to be Forgotten

Under the new regulations, companies will have to keep a record of every single time an individual gives consent to store and use their personal data. A pre-ticked box is not enough to count as consent; it will have to be given through an active agreement, for example by having the individual sign a consent form. Note that withdrawing consent is also the right of the individual and, in the case of a withdrawal of consent, the information stored must be permanently erased, and not merely deleted from the system. This is the right to be forgotten. An individual will also have the right to be informed of the reason why their data needs to be processed.

  • Data Breach Notification

If a data breach is detected, the organisation must report it to the relevant supervisory authorities within 72 hours. The organisation where the breach took place must provide information about the breach as well as a solution on how to alleviate its effects. The organisation must also inform its customers about the breach.

Personal data does not include only names and addresses. The new regulation will include IP addresses, internet cookies and DNA.

  • Data Protection Officer (DPO)

It is recommended that organisations appoint a DPO, which will be an effective way of being accountable. The DPO must be independent and will have the responsibility to address any possible issues with regard to data protection and the organisation’s compliance with the GDPR. The DPO will report directly to management if there are any concerns.

  • Data Controller & Data Processor

The Data Controller is the organisation that decides why and what data to collect and process in their own company, while the Data Processor is the one that processes personal data on behalf of the Data Controller. Under the new rules, the Data Processor is also responsible for the data processed for the client, not just the client. So you’ll need to know the source of personal data you’re working with and how any data service providers are storing it on your behalf.

  • Storage Systems

From May 2018 sensitive data will be known as ‘special category data’ and you won’t be allowed to store an EU citizen’s ‘special category data’ outside of the EU. Special category data includes information pertaining to health, political or religious beliefs, so if you work with medical or health practitioners then you can’t store this data in Dropbox for example (Dropbox holds the data in the US).

  • Penalties

Organisations can be fined up to 4% of the organisation’s worldwide annual turnover, or €20 million. These penalties are making businesses and organisations comply more with these regulations and offering individuals tougher protection of their personal data.


Three Most Important Privacy Threats

Under GDPR, organisations must protect private data and any breach will be penalised, whether it is accidental or malicious. The three most important threats that businesses must keep an eye on are:

  1. accidental data leaks: these could be simply sending an email to the wrong address or forgetting important paperwork on the bus. GDPR recommends strong internal security policy in order to tackle this.
  2. disloyal employees: it often happens that after they leave the firm, employees want to take revenge against the organisation and leak important information. GDPR recommends data-access policies, identity and access management controls and tools that restrict access by user profile.
  3. cyber crime: also known as theft of personal information, targeted malware etc. GDPR recommends that organisations make sure their cyber defences prevent data reaching the wrong hands.


So what do organisations have to do to comply with GDPR?

Firstly, organisations must raise awareness of this new Act and train all the employees in data protection. For organisations, the most important value to clients and individuals is that their privacy and personal data are protected. Employees and staff must be trained and businesses must make sure that all employees and volunteers understand how data moves around their organisation as well as the importance of data protection.

Secondly, even though the rules are not that clear yet and it may take a year before they are set in stone, start doing anything you can now, as it will be one less thing you’ll have to do later.

Here are some recommendations:

  • If you haven’t registered with the Information Commissioner (ICO) yet, then you must do that as soon as possible. It costs just £35.
  • Encrypt your hard drive and mobile phone.
  • Don’t share logins.
  • Encrypt emails when sending information like passport details.
  • Check that the software you use for storing or processing information is compliant with GDPR; check what their privacy policy is and where they hold the data they store.
  • Enable double opt-in if using Mailchimp for your emailing list.
  • Develop a Data Privacy Policy and a Cookie Policy for your website if you haven’t already.
  • Disable ‘Reply to All’ in your email agent to avoid ‘sharing’ confidential information by mistake.
  • Stay informed.



Security of personal data is a most important thing to be considered by organisations. It is not only about complying with a few rules. It is about protecting and caring for the customers, as well as ensuring a good reputation of the company as trustworthy and professional, which in turn will protect the future of the organisation. The changes brought by the GDPR might seem frightening, but there is nothing to worry about. These changes are a good opportunity for re-organising and addressing any gaps in order to ensure that your organisation is fully protected against any leaks, threats and breaches of the law.

In fact, data privacy is a good thing because it also means that YOUR data and MY data as individuals are being protected.

Grants for organisations working with women

The Feminist Review Trust is accepting applications until the 31 January 2018 for projects in the UK and internationally that support women. In 2018 the Trust will particularly welcome applications from non-OECD countries in the following areas:

  • Lesbian and transgender rights
  • Violence against women and girls
  • Disabled women and girls

The Feminist Review Trust will fund:

  • Hard to fund projects – for example, the Trust supported the writing and publication of the history of Rape Crisis in Scotland and the translation and updating of sections of ‘Women and Their Bodies’ into Arabic and Hebrew.
  • Pump priming activities – this means that they will provide a small amount of funding to help start an activity in the hope that it will then be able to attract sufficient funding to continue.
  • Interventionist projects which support feminist values – for example core feminist concerns such as abortion rights and domestic violence.
  • Training and development projects
  • One off events
  • Dissemination
  • Core funding

Grant size

The maximum value of any individual award is £15,000.


Deadline

31 January 2018

How to apply

In order to apply, applicants need to download the application form here and email it to administrator@feminist-review-trust.com when completed.

Decisions about Awards are made by the Trustees. The Trustees meet three times each year.

For further details and to apply please visit the Feminist Review Trust.

Action Earth programme – grants for groups of volunteers

The Action Earth scheme by Volunteering Matters provides small grants of between £50-250 for local volunteer groups in Scotland to take action and improve their local environment through volunteering activities.

The funding is for volunteer groups that are creating or improving community gardens or wildflower areas, ponds, woodlands or local green areas.

Local Nature Reserve (LNR) grants of up to £500 are also available for volunteer activities taking place on LNRs such as wildlife recording or protecting and enhancing biodiversity.

Eligibility criteria

In order to be eligible, volunteer groups need to:

  • Implement the project in Scotland;
  • Work on sites that are accessible to the general public
  • Involve at least 15 volunteers who each should give a minimum of five hours.


Applications may be submitted at any time.

How to apply

Applicants need to fill in an online form in order to be emailed a link to the grant application form.

For further details and to apply please visit Volunteering Matters.


Internet Freedom Fund

The Open Technology Fund (OTF) is open for applications for its Internet Freedom Fund, a primary way to support projects and people working on open and accessible technology-centred projects that promote human rights, internet freedom, open societies, and help advance inclusive and safe access to global communications networks.

Applications should focus on the following:

  • Creating new open source circumvention technologies that fill a current need of targeted users; 
  • Improving the security, usability, and adaptability of existing open source internet freedom technologies; 
  • Providing new or deeper insights into the challenges of front-line communities that ultimately contribute to the improvement of technological solutions; 
  • Projects that emphasise applied research; 
  • Research that focuses on real-time monitoring and analysis of both technical and political threats to internet freedom, including network interference and shutdowns; 
  • New content redistribution methods able to reintroduce content behind firewalls, or similar services; 
  • Making targeted communities more resilient to digital attacks via customised solutions; 
  • Next-generation tools that move beyond traditional “cat-and-mouse” circumvention techniques.

Grant size

Candidates can apply for up to $900,000 and no less than $10,000 for a year long contract.

OTF awards are performance-based contracts signed directly with the applicant. 

Project duration

OTF awards are generally 6 to 18 months in duration.

From time to time, OTF may consider requests to extend existing contracts. 

Eligibility criteria

Ideal applicants make use of, support, or develop open and accessible technologies promoting human rights and open societies, and help advance inclusive and safe access to global communications networks. In addition, ideal applicants meet one or more of the following:

  • Individuals of all ages irrespective of nationality, residency, creed, gender, or other factors, with the exception that OTF is not able to support applicants within countries against which the United States has trade restrictions or export sanctions as determined by the U.S. Office of Foreign Assets Control (OFAC);
  • Non-profit organization/non-government organization, including U.S.-based NGO, PIO, or foreign NGO;
  • Non-profit university or research institution in any country;
  • For-profit organization or business in any country;
  • Consortia of multiple people or organizations with one individual or organization designated as the lead applicant;
  • Have demonstrated experience administering successful projects, preferably targeting the requested program area, or similarly challenging program environments where OTF reserves the right to request additional background information on organizations;
  • Ideal applicants should not duplicate or simply add to efforts supported by other USG funding programs;
  • Ideal applicants must not reflect any type of support for any member, affiliate, or representative of a designated terrorist organization, whether or not elected members of government.


Next deadline for concept notes is 1 January 2018.

How to apply

The application process has two stages:

  • Concept note – accepted on a rolling basis, with submission rounds closing every two months
  • Full proposal – if your concept note is accepted, you will be invited to submit a full proposal.

For further details and to apply please visit Open Technology Fund.


Grants for projects focusing on Black, Asian and Minority Ethnic Communities and Dementia

The Life Changes Trust is looking to increase understanding about the particular issues that people from certain ‘protected characteristic’ groups may face when they are affected by dementia.

Projects must actively engage people living with dementia or people caring for someone who lives with dementia.

Grant size

The Trust is offering Awards of between £15,000 and £50,000, to be spent over a timescale of up to 2 years (starting from April 2018).


If you are interested in applying for this funding, please contact Graham Hart no later than Thursday 30 November in order to arrange a face to face conversation with a member of the Dementia Programme Team.

How to apply

The application process includes two stages: 

  • Face to face conversation 
  • Short application form and budget sheet which will be completed with a member of the Trust’s Dementia Programme Team.

For further details and to apply please visit the Life Changes Trust.