Are you ready for the General Data Protection Regulations (GDPR)?
We have written previously about the importance of complying with the data protection regulations and the introduction of the General Data Protection Regulations (GDPR) in May 2018 means that it is more important than ever to address this since it can take a while to implement the requirements.
It is important to remember that ‘data protection’ is mainly about controlling how data is used rather than protecting the data itself (although that is important).
The GDPR replaces the existing Data Protection Act (DPA) and its biggest impact will be on charities that regularly contact their supporters - by whatever means - but it is also important for churches and other mission organisations to be aware of the requirements. It is therefore worth going over two key issues with data protection.
The GDPR will require explicit consent for personal data to be stored (as opposed to assumed consent) in all cases. However, as churches hold data which can be classified as ‘sensitive’ (since it could imply a religious belief) they should already be doing this. Just because someone completed a registration form for a Parents & Toddlers session does not mean it is okay to contact them again about the next session. In asking for consent, churches also need to explain what they are going to do with the data, so the registration form could ask “please provide your email address if you want to hear about future events”. Forms will need to be kept on file as churches must be able to prove consent.
The biggest challenge is the existing data. Unless there are existing consent forms it may be necessary to contact everyone on the church database and ask them to check their details and return the consent form. Without explicit permission, the data must be deleted unless it has to be kept for other reasons (such as Gift Aid).
Rural Ministries has been undertaking our own review, as many readers will already be aware. We do not claim the form we used is perfect, but it may be of use to churches in preparing their own data review. Although the form refers to the DPA, it will also apply to the forthcoming GDPR. Click here to view the Rural Ministries data review form.
Reviewing consent is a major undertaking, so it is worth combining it with other activities such as an update of the church handbook or renewal of the Electoral Roll.
International data transfers
Anyone using ‘cloud storage’ to hold data will probably be continually moving data outside of the EU, which is against the DPA and GDPR. However, the EU-US Privacy Shield scheme became operational in August 2016 and provides adequate protection to allow personal data to be transferred to the United States. The main cloud storage providers such as Dropbox, Google Drive and Amazon are all compliant, but it is worth checking the listings to see which providers are compliant.
These are just two key issues; don’t forget about all the other aspects of data protection which we have covered in a previous bulletin.
The Information Commissioner’s Office (ICO) has prepared some guidance on the GDPR, and other guidance for charities and fundraisers can be found here. Both are more detailed than most churches will require; however, they both contain useful information.
This guidance only seeks to provide generalised advice on the subject covered to assist churches in their operation. It is not a substitute for seeking specific advice on any particular issue.
This article was originally published in e-news August 2017