Data Protection

All charities and non‑profit organisations in the Bailiwick that process personal data must comply with the Data Protection (Bailiwick of Guernsey) Law, 2017. This means you must treat people’s personal information responsibly, lawfully and in a way that respects their rights.

Why it matters

Personal data includes any information that identifies an individual, such as names, contact details, opinions or other personal records. Protecting this data:

• builds trust with supporters, beneficiaries and volunteers;

• helps avoid harm from data misuse or breaches;

• ensures you meet legal obligations under the Bailiwick’s data protection law.

Failing to comply with data protection requirements can lead to penalties and enforcement action by the Office of the Data Protection Authority (ODPA).

Your key responsibilities

All charities that process personal data must:

• Register with the ODPA
You must register with the Office of the Data Protection Authority each year if you process personal data. Registration is a legal requirement and helps demonstrate you understand and manage your data responsibilities.

• Follow the data protection principles
Under the law, you must ensure personal data is:

• processed lawfully, fairly and transparently;

• collected for specific purposes and not reused incompatibly;

• limited to what is necessary;

• accurate and kept up to date;

• stored only as long as needed;

• kept secure against loss or unauthorised access.

• Have a clear privacy policy (fair processing notice)
A privacy policy (sometimes called a data processing notice) must explain in clear language:

• what personal data you collect;

• why you collect it;

• how you will use it;

• how you protect it;

• who can access it;

• how people can exercise their rights (for example, access their information).

  
  This notice should be easy for people to find, such as on your website or in forms you use.

• Respect people’s rights
Under the law, individuals can request:

• access to their personal data;

• correction of incorrect data;

• restriction or erasure of data in some circumstances;

• object to certain types of processing.
  

  Your policy should explain how you will respond to these requests.

• Ensure secure records and backups
You must protect personal data against loss, unauthorised access or accidental destruction. Your policy should state where and how data is stored, how it is backed up, and who may access it.

Good practice tips

• Keep data to a minimum — only collect what you genuinely need.

• Train volunteers and staff who handle data so they understand how to keep it safe.

• Review your practices regularly to ensure your privacy policy and procedures are up to date.

Help and support

The ODPA provides guidance and regular training to help charities understand their responsibilities. Support sessions and drop‑ins may also be available to assist with registration and compliance.