General Data Protection Regulation

The General Data Protection Regulation (GDPR) came into effect on 25 May 2018. It aims to enhance the standards of data protection for all organisations handling EU citizens’ data, affecting the smallest grant-making trusts to the largest multinational corporations.

ACF is supporting members with GDPR. Here, we bring together a number of resources to help members understand what the changes mean for foundations. These resources are additional to the guidance and support offered by the ICO, which should always be the first port of call.

GDPR: A briefing for foundations 

The aim of this briefing is to answer members' questions, to assist in understanding the guidance through examples, and to signpost relevant pieces of guidance and regulation that hold fuller answers.

This document is based on the concerns raised by ACF members, as well as some other issues we have spotted.


ACF hosted a webinar on 12 December 2017, which is available to revisit below.

ACF held an additional webinar on 15 March 2018. Access the presentation from the webinar, and read the responses from the Q&A section.


Several ACF networks have addressed the GDPR at their network meetings, including the Operational support network, Monitoring & evaluation network, and Smaller funders' network. If you'd like to find out more about these meetings, please contact [email protected].


At ACF's Annual Conference, Farrer & Co. delivered a session on the GDPR. Access the presentation here.

Independent consultant Paul Ticher has written a summary of the GDPR for voluntary sector organisations. Read it here


The ICO continues to update its Guide to the General Data Protection Regulation. It has also produced a number of more specific resources, available below:


Please note that ACF has tried to ensure that all information provided by ACF on these pages is correct at the time we included it. We apologise for any errors. We do not guarantee the accuracy of these pages and any visitor using information contained in them does so entirely at their own risk.

This page also contains links to other websites operated by third parties. ACF does not accept any liability over the content of these third party sites and the existence of these links does not constitute an endorsement of such websites.

Any guidance provided on this page is not intended to replace professional advice and in case of doubt, please consult an appropriately qualified professional adviser. In no event will ACF be liable for any damages whatsoever arising out of or related to this guidance.

Full ICO guidance can be found using the links above. If you are in any doubt about your status or obligations under the GDPR you should seek professional advice or contact the ICO.