GDPR guidance

This page outline guidance for Friends of the Earth community groups on how to comply with the General Data Protection Regulation (GDPR), including actions that groups need to take, and where to seek advice.

24 Aug 2022

The Do’s and Don’ts of GDPR

This section outlines a practical guide for groups to follow. For more information and background on GDPR please read the next sections.


  • Get clear unambiguous consent from everyone before adding their contact details to your mailing lists. For example, a paper sign-up sheet at a market stall should clearly state that ticking an opt in box means a person will receive emails
  • Respond immediately to any data deletion or data update requests, e.g., if a member on your contact list wishes to unsubscribe to your newsletter and emails
  • Be clear about the purpose for collecting their data and only use it for its intended purpose. For example, when building a mailing list be clear that you will only email members about your campaign
  • Collect as little data as possible, for example if you want to create a mailing list only collect names and email addresses. Identifiers such as birthday, gender or where they went to school is not relevant
  • Hold all data securely, for example by putting a password on your Excel spreadsheet (if you use spreadsheets)
  • Have a role for one person in your group to manage and protect all personal data held by your group
  • Brief new members on data security, protection and consent
  • Delete old data such as old phone numbers and old email addresses
  • Regularly check and update your group members’ data such as contact number, email and postcode
  • Read our GDPR glossary at the end of this page
  • Contact us via [email protected] if you have any questions or concerns about a potential data breach


  • Ignore ‘opt-out’ or ‘unsubscribe’ requests from group or community members. These must be acted on immediately and are straightforward to address. We recommend sending the person a follow-up email to let them know you have acted on their request.
  • Use applications such as DropBox, Google Sheets or other third-party services to store personal data unless you understand and use the security features provided. It is very easy to share this data to the entire internet if you are not careful. If you have any questions about using a particular platform, please contact us via [email protected]
  • Share personal data with third parties without obtaining clear consent from group or community members beforehand. For example, if you are building an alliance with another local group and plan to create a new mailing list, you must inform all members on your mailing list and seek permission from them before adding them to your allied list
  • Hold on to old paper sign up or petition sheets, or old spreadsheets. Paper forms should be shredded early on, and old spreadsheets should be deleted and erased from your computer or shared drive. Access to old spreadsheets should be revoked
  • Be complacent about good data protection practices. Stay on top of GDPR guidance by revisiting this page from time to time, check the Information Commissioner’ Office website, for UK data protection guidelines or ask Friends of the Earth staff such as your regional coordinator for help
  • Panic if you are accused of a data breach. We’re here to support you and the sooner you alert us, the easier it is to manage. Contact us via [email protected] immediately

What is GDPR and what information does it apply to?

The General Data Protection Regulation is an EU-wide law (GDPR) that came into force on 25 May 2018 and which sets out how all organisations need to handle EU citizens’ personal data. It was written into UK law as the 2018 Data Protection Act and still applies post-Brexit.

The GDPR applies to personal data, which means any information that enables a person to be directly or indirectly identified. This includes names, postal or email addresses, phone numbers, reference numbers (e.g. National Insurance number) and even digital information such as IP addresses. Whilst community groups won’t need to hold all of these, even keeping one identifier on record means GDPR is applicable.

How are community groups affected?

Because of the relationships that community groups have with their members or local individuals it is expected that they will own and manage their own local records in support of those relationships. These records need to be held securely, and to be GDPR compliant. In simple terms, this means:

  • Clear and unambiguous consent is needed from each member or local individual for the community group to hold their personal data. This should be captured proactively at the earliest opportunity.
  • Individuals’ personal data should be held securely. You need to protect any locally held digital record (e.g. Excel spreadsheets) with a password and securely lock away any physical lists (e.g. on paper).
  • Anyone receiving communication from a community group by any channel or channels (email, post, etc.) has the right to opt out of any communication at any stage. If consent to be contacted via a particular channel is withdrawn, communication via said channel must stop immediately. It cannot be resumed until new consent is proactively given by that individual.

Not following these steps puts the community group at risk of GDPR non-compliance. This means that the group will lose the right to contact the member or individual. Continued contact when consent has not been given means that the group would be in breach of the GDPR regulations. This could result in a fine and significant damage to our good name both locally and nationally.

However, it isn’t all doom and gloom – this is a great opportunity to ensure you're holding correct information about your group members and have considered how you communicate with them and what works best. Some groups use this as a chance to consolidate their database of members, removing records for those who have long since left, and reaching out to those who have fallen out of touch recently.

What are the main things to focus on in relation to GDPR?

  • Use any engagement opportunity to seek consent. There may not be many chances to contact your community group members or supporters to seek their consent to be contacted by email/ post/ phone from your local activists. Think about doing this right from the first interaction you have with potential new members, for example when getting someone’s details at a stall.
  • Review your data. Check through the records that you hold. Are any out of date or duplicated? If so, guidance can be sought from [email protected] on how to update them securely and safely.
  • Take ownership. Under GDPR the importance of data security and protection is greater than ever. Each community group should appoint a person or group of people to be responsible for keeping the data secure (e.g. both the sole person or group who retains passwords, codes for safes and so on).
  • Record people’s preferences. When consent conversations or other communications (e.g. email) take place, record the preferences that the individual gives accurately and securely and make sure to keep a track record of changing consents.
  • Managing queries. Seek guidance if you’re not sure how to manage a query from an existing or new community group member.
  • Understand the risks. Take the time to make sure you are managing the personal data of group members and any other individual the group has contact with in a way that is GDPR compliant, and to understand the risks of non-compliance.
  • Contacting group members. It's important you don't share personal data of members publicly. This means sending emails to your mailing list using 'BCC' so email addresses are not visible to everyone on the list.
  • Use the GDPR glossary (below) to build your understanding of the different elements and definitions.
  • Be familiar with the requirements. Being familiar with the updated privacy policy, data protection policy and processes, and supporter promise may be helpful to you as this is new territory.
  • Recruiting new members. Should new people join the group who will be handling or recording data, you must make sure they are fully briefed on data protection and GDPR compliance (as laid out in this guide).
  • Collecting data at stalls and events. Prior to attending any events, make sure that everyone representing the group is aware of the most recent data compliance requirements, and that the most recent forms (with our current data protection statement) are used to capture both data and the individual’s consent.
  • What to do with old data. When disposing of old data, common sense should be followed at all times, so give some thought to how you do this. Most data breaches result from inadvertent poor processing of redundant data. Personal data held on paper (such as old petition sheets) should be shredded and recycled. Files on laptops should be permanently deleted (including clearing out the desktop recycling box) and memory sticks should be put into a secure recycling facility.
  • Take responsibility. Remember, data security and GDPR compliance is something your group needs to take responsibility for. You cannot ignore this, and help is at hand if needed. 

Photography and videography

While not immediately apparent, photos and videos where a person’s face is clearly visible are considered personal data and should be protected. For best practice, especially for events, follow these steps to help protect your community: 

  • Brief people in advance about any photography or videography happening 
  • If possible, display signs saying photography and/or videography is taking place 
  • Provide ‘no photography’ badges or stickers for those who do not want to be in any photos or videos 
  • Gather written consent using our consent forms below, or record verbal consent including who they gave consent to, where and when. Scan and save all consent forms and records 
  • You must collect written consent for any photo or video content that includes children 
  • Record the date of your photo and video content and set an expiry date to 5 years after they were taken. Treat old content like old data and make every attempt to regain consent for older photos and videos 

Check in with [email protected] if you have any questions. 

Download verbal photo consent form 

Download adult written consent form 

Download child written consent form 

Where can I get guidance or help?

Take a look at the ICO’s website where you can find lots of information about GDPR and data protection.

If you still need help, please raise your question via [email protected].

GDPR Glossary

  • Consent freely given, specific, informed and explicit consent by statement or action signifying a person’s agreement to the processing of their personal data.
  • Data Breach – the loss of data by an organisation, usually as a result of hacking or similar activities.
  • Data Controller – organisations that collect and manage personal data from EU or UK residents, e.g. a Community Group.
  • Data Portability – the requirement for controllers to provide the data subject with a copy of his or her data in a format that allows for easy use with another controller.
  • Data Processor – organisations that process data on behalf of data controller including 3rd party agencies.
  • Data Protection Act 2018 – the legislation that implements GDPR in the UK, sometimes known as UK GDPR
  • Data Protection Officer – the person responsible within an organisation for ensuring it is compliant with data protection laws and regulations, and for controlling that organisation’s data protection policies and procedures.
  • Data Sharing – the process through which different parts of an organisation, or different organisations, share data with each other.
  • Data Subject – the person / EU citizen about whom data is collected or held.
  • Encrypted Data – personal data that is protected through technological measures to ensure that the data is only accessible/readable by those with specified access.
  • GDPR – General Data Protection Regulation. The UK and EU wide data protection legislation that came into force on 25th May 2018.
  • Information Commissioner’s Office (ICO) – the UK regulator responsible for data protection.
  • Lawful Processing – the means by which organisations collect and manage people’s data (see also consent and legitimate interest).
  • Legitimate Interest – where GDPR compliant consent has been given previously, and organisations have evidence of this, personal data can continue to be used without the need for refreshed consent, provided that the interests of the data subject are not harmed.
  • Personal Data – any information related to a person or "Data Subject", that can be used to directly or indirectly identify the person.
  • Privacy Impact Assessment – a tool used to identify and reduce the privacy risks of organisations by analysing the personal data that are processed and the policies in place to protect the data.
  • Processing – any operation performed on personal data, whether or not by automated means, including collection, use, recording, etc.
  • Right to be Forgotten – also known as Data Erasure, it entitles the data subject to have the data controller erase his/her personal data, stop sharing their data, and potentially have third parties stop processing of the data.
  • Subject Access Right – also known as the Right to Access, it entitles the data subject to have access to and information about the personal data that a controller has concerning them.