Data Protection: Parishes and the GDPR
The General Data Protection Regulation (GDPR) will take effect in the UK from 25 May 2018. It replaces the existing law on data protection (the Data Protection Act 1998) and gives individuals more rights and protection in how their personal data is used by organisations. Parishes must comply with its requirements, just like any other charity or organisation. This page provides guidance, templates and a checklist to help you. It will be updated from time to time so please check back periodically.
What is the GDPR, and what do we need to do about it? There are two guides to help you: a two page overview (designed for use with PCCs) and a more detailed guide for the person implementing this in the parish.
There is also a checklist available which covers the actions outlined in the guides to help you monitor progress.
Its helpful to start by carrying out a data audit you may be surprised at just how much personal data is stored and processed around the parish. There is a template here along with some helpful hints to get you started.
If you dont already have the consent that you need to communicate with people, youll need to gather this. There are guidance and sample forms available for you to use here.
You will need to produce a Privacy Notice. If you have a website, its good practice to make this available online so people can access it. There is a Sample Privacy Notice that you can amend and adopt, and some guidance on how you can write your own Privacy Notice.
Finally, whilst you will rely on consent for most of your communications, there will be some data processing you will want to do as part of normal church management for which you will not need to gain specific consent for that particular action holding lists of group members, for example. This is covered by a special condition under the GDPR for religious not-for-profit bodies, provided the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without consent.