GDPR is nearly here!
If your response is ‘what is GDPR?’ then you really need to read this!
The General Data Protection Regulation (GDPR) is one of the biggest changes to data protection regulations that we have seen in many years and comes into force on the 25th May 2018.
Our detailed understanding of its implications is evolving all the time and this Bulletin builds on, and supports, two previous Rural Ministries Bulletins which you should read first:
- Data protection and your church (May 2016): this provides an introduction to pre-GDPR data protection requirements (most of which still holds true) and general good practice.
- Are you ready for the General Data Protection Regulation? (August 2017): contains an overview of the requirements of the GDPR.
This Bulletin gives more information on obtaining ‘consent’ and the exceptions to this requirement.
How do I get consent?
The GDPR requires that you have explicit consent for nearly all the data you hold and you can only contact people for the purposes they have agreed to. Large national charities (eg The National Trust) may want to contact people on their database for a variety of reasons (new products, special offers, events, membership), and each of these may require separate consent. Most rural churches do not have that level of communications and so a simpler approach to consent may be appropriate.
Rural Ministries has collected a number of forms that are in use, either by ourselves or by churches we know, and which we have turned into example forms. We do not claim they are perfect, and you may wish to adapt these for use by your church.
- Rural Ministries data review form – this is the form we used in 2017 to contact everyone on our postal mailing list. Download here
- Rural Ministries ‘Contact us’ card – this could be amended for churches to use. In many cases you will only need name and email address for first contact. Download here
- Event consent form – people signing in for a basic event such as a Light Party don’t want to complete long forms when queuing to get in, so how about this simple way of capturing permission to stay in touch? Again, just a name and an email address is all that you need to collect to invite them to the next event. Download here
- Possible church data consent form – this allows you to collect and store more details as they develop a closer relationship with you. Download here
With the right forms, getting consent for new contacts is relatively straightforward. For existing contacts, you need to go through the process of contacting people. Do not be worried about having to delete a large part of your contact list – the chances are that if they do not reply then they are not interested, or may even have moved away.
Other reasons for holding data
There are some cases where data can be stored and used without obtaining consent. This includes where data processing is necessary:
- for the performance of a contract to which the individual is party.
- for compliance with legal obligations – eg Gift Aid or Anti Money Laundering regulations.
- for the purposes of ‘legitimate interests’ – this applies where there is a reasonable expectation that the individual will want you to store their data. Examples could be the local companies that you use for servicing the boiler or fire extinguishers, and your contacts in your local Churches Together group or denominational regional office.
What data should I store?
Firstly, you should only store data you have permission for (see wording on the Church Data Consent form above), but you should also record the basis for holding the data. On a spreadsheet this may be a box where you enter ‘2018 light party sign up’, ‘contact us card’, ‘Gift Aid’, ‘Legitimate Interest’ or other descriptor. You should also store the date entered and/or consent last received. Any forms containing consent should be stored securely.
You should also ensure that the issue of data protection and compliance with GDPR is discussed and minuted at a leaders’ meeting (ideally before the 25th May), that its importance is recognised, and that the steps towards compliance are agreed.