The General Data Protection Regulation (GDPR) will take effect in the UK from 25 May 2018. It replaces the existing law on data protection (the Data Protection Act 1998) and gives individuals more rights and protection in how their personal data is used by organisations. Parishes must comply with its requirements, just like any other charity or organisation. This page provides guidance, templates and a checklist to help you. It will be updated from time to time – so please check back periodically. (Apr 2018: The FAQ has been updated with additional questions and there is a specific guidance note relating to giving reviews and fundraising communications.)
What is the ‘GDPR’, and what do we need to do about it? There are two guides to help you: a two page overview (designed for use with PCCs) and a more detailed guide for the person implementing this in the parish. There are also a number of frequently asked questions.
There is also a checklist available which covers the actions outlined in the guides to help you monitor progress.
It’s helpful to start by carrying out a data audit – you may be surprised at just how much personal data is stored and processed around the parish. We’ve a template here along with some helpful hints to get you started.
If you don’t already have the consent that you need to communicate with people, you’ll need to gather this, and ongoing whenever you collect data that will be processed on the basis of consent, you should collect the consent as an integral part of the data collection. We’ve guidance and sample forms available for you to use here.
You will need to produce a Privacy Notice. If you have a website, it’s good practice to make this available online so people can access it. We provide a Sample Privacy Notice that you can amend and adopt, and some guidance on how you can write your own Privacy Notice.
Finally, whilst you will rely on consent for some of your communications, there will be some data processing you will want to do as part of normal church management for which you will not need to gain specific consent for that particular action – holding lists of group members, for example. This can be processed as part of the legitimate interests of the PCC, and where “special category data” which reveals religious belief, this can be processed on the basis of a special condition under the GDPR for religious not-for-profit bodies, provided the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without consent.
One specific question relates to how churches should run fundraising events and giving reviews – a specific guidance note on this is available here.