Skip to main content

GDPR and Personal Data

What is GDPR?

GDPR stands for General Data Protection Regulation.

It’s the UK version of EU data protection legislation. If we break this law, we risk consequences to the whole organisation and our ability to communicate.

Here's a short 6-minute video explainer of why GDPR is important to you and XR.

Following GDPR is about showing respect to rebels. We want to ensure that all rebels’ personal data is treated with respect and protected from misuse. GDPR provides a sensible set of principles that can help us to do that. If you’re collecting or using personal data, the resources here will help you to understand what you need to do.

Our GDPR training deck is packed with exercises to help you remember the core concepts!

Or you can visit the interactive GDPR training at Rebellion Academy.

What to do next

Planning on getting personal data? Already got personal data? Changing what you do with personal data?

There is a Data Checklist here to prompt questions about new data collection. It's also a good starting point if you have data and have got to catch up on the planning part.

You can contact us via our GDPR & Security Reception channel on Mattermost or by email at

Data planning for Personal Data in XRUK

What is this document for?
  • For training and awareness if you plan to gather Personal Data for something new
  • Checking how you use Personal Data already
  • Thinking through the Personal Data you need for a project - i.e. “Data Planning”
Why do this?

A good Data Plan will be clear about why, and how, we process individual’s data within our principles and values, and meet our legal, practical and financial constraints.

We check if we need a formal “Data Protection Impact Assessment” (DPIA)

  • so we check the risks of having the Data - and if that is justified,
  • we reduce the risks of us having the Data where possible, and
  • to meet our broader Data Protection legal obligations.

And we would do this even without the legal obligations - if we are trusted with Personal Data, we need to respect the people who have trusted us with that.

Use this document if you

  1. plan to get Data about individuals
  2. maintain processes which use Data about individuals
  3. want to collect Data about individuals in a different way
  4. want to change how some Data is used,
  5. are the GDPR champion in a circle, or group which has Data about individuals, so you know when a Data Plan is needed

Who can see Data Plan?

A “data subject” can request to see the Data Protection Impact Assessment (DPIA) if one is created. So when you are writing a Data Plan or DPIA – keep the language simple and clear.


  • The Information Commissioners Office (ICO) has got a very detailed website. The page about data gathering is a very good … and long. The “At a Glance” section is several pages long, the “In Brief” is also several pages, and if you really want the detail then there are several more documents and pages. (More info & link in the “Do we need to do a DPIA?” section of the Data Plan - please see the link to the Data Plan below.)

  • Doing this type of Data Planning is part of the General Data Processing Regulations (GDPR), part of UK law, and covers organisations including XR UK.

  • The ICO only cares about Personal Data - information that relates to an identified or identifiable individual. (If you have Data about non-personal things, some of this Data Planning may help but isn’t a requirement.)

  • “Processing” is doing anything with the Personal Data; collecting, storing, reading, using, deleting.

  • We have a duty of care for any Personal Data we collect. In some cases we have to do a “Data Planning Impact Assessment” (DPIA), for processing that is likely to result in a “high risk to individuals”, or certain types of “complex processing”. (“Complex processing” is more likely to be something an Insurance company does to your data, to get you a quote - we don’t normally do it.)

  • Planning the who, what, how, where, when and why, makes sense, to minimise the harm and maximise the value of the data to XRUK.

  • We want to take care of each other, and that includes being careful with information about each other, so this is totally in accordance with our XR Principles and Values.

Training and walk-through

If this is all new to you, and you think you need to use this information, please ask the GDPR & Security Circle for a walk-through. On Mattermost you can ask any questions on the “GDPR & Security Reception Channel”