General Data Protection Regulation, commonly known as GDPR, emerged in 2018 in response to high-profile data scandals to combat the risk of identity fraud and to ensure proper use of personal data. It is managed by the Information Commissioner’s Office (ICO), an independent regulatory body in the UK. They’ve created a very comprehensive Guide to GDPR.
But, if you’re just getting started, we’ve collected some high-level concepts to help you get a handle on how to ensure GDPR compliance for your church.
Summary of GDPR for Churches
GDPR legislation pertains to the personal data your church uses or collects from your congregation members and visitors. This includes both electronic and hard copy (paper) data. Personal information is literally any information about a living individual that can identify that individual. In GDPR terms, the individual is often referred to as the data subject. Identifying information includes factual information, such as an address or date of birth, personal opinions, and photos or video.
Churches, like other organizations, have a responsibility to protect this personal information. Failure to comply can result in hefty fines.
Prepare your Church for GDPR Compliance
If you haven’t already prepared your church, or don’t have regulatory guidance on GDPR compliance from your diocese, you will need to start by appointing a Data Protection lead or trustee.
Learn the Eight Rights of GDPR for Individuals
GDPR legislation largely covers eight key categories of data protection for individuals.
- Transparency. Inform individuals about the collection and use of their personal data before collecting it.
- Access. An individual can request their data after it is collected. They can submit this request verbally or in writing, and the data controller has one month to provide a free copy of the data the controller holds about them.
- Correction. This is the individual’s right to have incorrect or inaccurate data that a data controller holds about them corrected.
- Erasure. This gives the individual the right to ask that you destroy their data. In certain cases, a data controller can deny this right per legal or contractual requirements to process the data.
- Restrict or Suppress Processing. This allows an individual the right to request you not use their data even if it’s stored.
- Data Portability. A data subject can move, copy, or transfer personal data from one data controller to another, in a safe and secure way, in a commonly used and machine-readable format. This is very uncommon for churches to deal with.
- Object. A data subject can object to public authorities or companies processing their data without explicit consent. The individual can also stop their personal data from being included in direct marketing databases.
- Not Be Subject to Automated Decision Making. A data subject can demand human intervention, rather than having important decisions made solely by algorithm.
Incorporate a Privacy Notice on Your Web Properties
An important part of GDPR is making sure the people whose data you collect or hold know that you have it. The best recommendation for this is including a Privacy Notice on your website and physical location. This public document explains how your organization processes personal data and how it applies to data protection principles. Articles 12, 13, and 14 of GDPR provide detailed instructions on how to create a privacy notice, placing an emphasis on making them easy to understand and accessible.
Privacy Notices should adhere to the following principles:
- A concise, transparent, intelligible, and easily accessible form
- Written in clear and plain language, particularly for any information addressed specifically to a child
- Delivered in a timely manner
- Free of charge
Here’s a sample to get started.
Protect the Data You Hold
There are simple steps you can take to show due diligence in protecting the data you hold, such as:
- Password protection on any device that holds personal or sensitive information
- Use BCC when sending emails to groups or to people who are not connected to each other
- Request permission to use photos or video of members of your church
GDPR and Live Streaming an In-Person Service
As you live stream your services with in-person attendees, you open up the possibility of accidentally sharing identifiable information. The big thing to remember here is you must offer the opportunity for an individual to consent to data collection. Consent must be explicit and freely given.
To mitigate possible regulation issues:
- Post a notice that filming will take place in specific areas – those who do not want to appear in the live feed should have a clear space to remain while attending the service
- Avoid using individual names in services when speaking to the attendees
- Keep the camera focused on the speaker and not the chapel. In doing so you can avoid sharing imagery of any attendees
- Provide a consent waiver for attendees who do appear in a shot or speak on camera.
Quick Assessments of Your GDPR Compliance
ICO has created several quick resources for performing an internal self-assessment of GDPR compliance.
- High-level compliance checklist
- Ensure you are following proper records management
- Marketing (your email, phone, and mailing lists) checklist
- Assess your data protection in areas of cyber security