Skip to content

Friday, March 2nd, 2018

Legal update: further guidance to prepare for GDPR

This update has been published by Sandy Adirondack, containing information of specific areas of planning for GDPR compliance.

Getting sorted for GDPR: Children’s personal data, HR, faith organisations + more

This update lists GDPR resources for organisations which hold personal data about children; for staff with HR responsibilities in relation to employees, other paid staff, and volunteers; for churches and faith organisations; and in relation to contracts for data processors (third parties who process data on behalf of the data controller).

Children’s personal data

The rules on children apply to any organisation which holds children’s personal data – not just organisations specifically for children or providing goods, services, activities or digital media specifically targeted at children. Because misuse of children’s personal information can cause serious harm, organisations should ensure they are fully GDPR-compliant in relation to this by 25 May, or at least as fully compliant as they can be. It is particularly important to be aware of the new rules on getting consent from children, where consent is the basis for obtaining and processing the personal data.

HR (employees, volunteers and others)

Data protection law, including the GDPR, applies equally to the personal data of employees, casual staff, “gig workers”, temporary staff, interns, volunteers, and anyone else who carries out work, paid or unpaid, for the organisation – as well as job/volunteering applicants who want to carry out work, and former staff who have previously carried out work. If your organisation holds information about any them, it must comply with data protection requirements – even though many of the guides and briefings refer only to employees.

The best briefings are probably from CIPD (the Chartered institute of Personnel and Development) at, but these are available only to CIPD members. If you are not a CIPD member, try to find someone who is. In addition or instead, the briefings and articles below range from basic to more detailed. Obviously there is a lot of overlap, but they all have different emphases so you should probably look at all of them.

Faith organisations

This briefing is written for churches, but applies in the same way to other religious bodies.

Contracts with data processors

A data processor is a third party who processes, on behalf of a data controller, information from which living individuals can be identified.

For more on this and legal issues for the voluntary and community sector, visit Sandy Adirondack’s legal updates site.