GDPR // What to do in April


GDPR has got a lot of heads spinning, but what does it all mean? The General Data Protection Regulations (GDPR) will be implemented from May 2018.

Every month until May, we will bring you one or two actions directly from the Information Commissioner’s Office to help you make sure you’ve covered everything. Our best advice is to read the ICO’s Overview of GDPR and consider how it applies to your organisation.

What to do in April

Data Protection by Design and Data Protection Impact

You’ve done a great job making sure your existing data and processes are GDPR compliant, but what about new projects? This month, we’re looking at how you can embed GDPR best practice into future processes…

It has always been a good idea to think about privacy from the start of a new project or process (“Privacy by design” approach) and to carry out a Privacy Impact Assessment (PIA) as part of this.

However, GDPR makes privacy by design a legal requirement, under the term ‘data protection by design and by default’. It also makes PIAs – referred to as ‘Data Protection Impact Assessments’ or DPIAs – mandatory in certain circumstances.

A DPIA is required in situations where data processing is likely to result in
high risk to individuals, for example:

  • where a new technology is being used;
  • where a profiling operation is likely to significantly affect individuals; or
  • where there is processing on a large scale of the special categories of data.

You should therefore start to assess the situations where it will be necessary to conduct a DPIA. Who will do it? Who else needs to be involved?

You can find out more in the ICO’s guidance on PIAs as well as guidance from the Article 29 Working Party, and work out how to implement them in your organisation. This guidance shows how PIAs can link to other organisational processes such as risk
management and project management.


  1. GDPR follows the same principles as the Data Protection Act- these new regulations tighten up existing legislation.
  2. GDPR applies to data held about individuals.
  3. GDPR has implications for your whole organisation, not just fundraising.
  4. There is no definitive list of what you must do to comply. Our best advice is to read the ICO’s Overview of GDPR and consider how it applies to your organisation.

Please note: content for this article has been adapted from the Information Commissioner’s Office website.