Ceredigion Association of Voluntary Organisations

WCVA Publishes New GDPR Toolkit

WCVA Publishes New GDPR Toolkit for Third Sector Organisations in Wales

All third sector organisations need to keep personal data securely.

WCVA has produced a GDPR toolkit in partnership with Hugh James which is now available for free exclusively to third sector organisations based in Wales.

The new General Data Protection Regulation (GDPR) came into force on 25 May 2018 and applies to any organisation that holds personal data about employees, volunteers, beneficiaries and donors.

Third Sector Support Wales (TSSW) partners, WCVA at the national level and the 19 county voluntary councils (CVCs) at local level, have been helping third sector organisations to prepare for GDPR by providing information, guidance, resources and training.

WCVA has produced a suite of resources tailored for the third sector, including a short animation, providing an overview of GDPR, supported by an introductory information sheet and a series of #desktopdata webinars.

The new toolkit now adds a package of GDPR templates and guidance that organisations can use to create their own policies and procedures. The toolkit includes:

  • Privacy notice template
  • Data Protection policy template
  • Data Protection Impact Assessment template
  • Bring your own device for trustees and volunteers policy template
  • Data Retention guidelines for Human Resources data
  • GDPR compliance checklist
  • The lawful bases guidance

If you would like to receive a copy of the documents for your organisation, please email us at

In July three regional events were held to help groups to learn more about how to keep personal data securely and give them an opportunity to ‘ask the experts’ any questions about GDPR and cybersecurity.

Three events were held in partnership with Hugh James Solicitors, South Wales Police and Morgan and Morgan & Morgan Cyber Security specialists in Carmarthenshire, Denbighshire and Cardiff.

Top tips for GDPR compliance include:

  • Keep records of the data you have and the legal bases you are relying on;
  • Only keep people’s data for as long as necessary;
  • Ensure staff and volunteers are adequately trained;
  • Use strong passwords and encrypt all portable devices to ensure data can be stored securely;
  • Report data breaches to the ICO within 72 hours

The sixth principle of GDPR is security, so the events also raised awareness of cyber security and the steps that charities need to take to protect themselves and the personal and sensitive data they hold.

Cyber Essentials is a UK Government backed quality mark initiative which helps organisations to guard against the most common cyber threats and demonstrate your commitment to cyber security.  Cyber Essentials includes a self-assessment, to help your staff and/or trustee boards to assess your risks, and there is also an option to pay for certification.  Useful guidance and a check list is included in Five key controls for Cyber Security.

Judith Stone, Assistant Director for Sector Development at WCVA said “Storing personal and sensitive data securely is a crucial issue for third sector organisations to ensure the trust and accountability amongst the people and organisations we work with.  WCVA, with our local CVC partners, are working across Wales to help groups take important steps to strengthen systems and processes.”