WHAT IS GDPR?
On 25th May 2018 the new European General Data Protection Regulation (GDPR) comes into force and all UK organisations that keep any type of personal data need to ensure that they are compliant with this regulation by this date. This includes all of our churches.
The GDPR replaces the existing law on data protection (the Data Protection Act 1998, DPA) and gives individuals more rights and protection in how their personal data is used by organisations. Churches must comply with its requirements, just like any other charity or organisation.
CAN UCAN HELP ME?
In our March mailing we’ll send you a link to a UCAN GDPR pack containing more detailed information for the church context. We’ll also signpost you to a number of places where you can access expert help if there is something out of the ordinary with your churches data protection requirements. But for now, do make sure that you’ve read through the basics on GDPR and that this is on the agenda of your PCC/Elders/Deacons meeting. If you haven’t already done so, begin an audit of what type of personal data your church holds and where and how it is being held.
ACTIONS TO TAKE NOW
- Read over the basics of GDPR, below, to ensure that you are familiar with the key concepts.
- Ensure that your church leadership/PCC/Elders/Deacons are briefed on the basics of GDPR and are aware of their responsibilities under the act. There is a downloadable 2-page summary paper which may be helpful to circulate to your leadership body at this stage.
ACTIONS TO TAKE OVER THE NEXT MONTH
- Use a checklist so that you know exactly which steps are relevant for your church. A good checklist can be found here.
- Conduct a data audit so that you know what type of personal data you are holding, what it is being used for and how it is being provided and stored. A good audit template can be found here.
ACTIONS TO TAKE BEFORE THE END OF MARCH
Draft new privacy notices and consent forms as required and circulate these after being sure that returned consent forms will be kept securely. Examples of these can be found here and here.
FURTHER HELP AVAILABLE
You can find more detailed guidance on GDPR at these sources:
- The Parish Resources website has brilliant coverage of GDPR and is a good place to start.
- Check with your local Diocese or Circuit (if you are part of one) and see what resources they have developed to help you. For example, the Diocese of London has developed an excellent and comprehensive GDPR toolkit which can be accessed here.
- ChurchSuite and iKnow are also websites that contain a wealth of clear and useful resources on GDPR.
- The Information Commissioner’s website has some very helpful and more detailed guidance.
GDPR and UCAN
As an organization that collects and holds personal data itself, UCAN also needs to comply with GDPR, so we’ll be sending you information about the personal data we hold on you, what we will and won’t use it for and how we keep it safe. We’ll need to ask for your explicit consent to continue to use your information for mailings. So please don’t forget, when you receive something like this from UCAN, click onto the link and update your communication preferences in our secure database.
The Basics of GDPR – an overview
The General Data Protection Regulation (GDPR) is a Europe-wide data processing law coming into force on 25 May 2018. The UK government has affirmed that GDPR will be UK law – Brexit will not mean we don’t have to comply.
The GDPR requires organisations to clarify exactly what personal data is collected and why, how it is stored, how it is processed and what it is used for.
Explaining the jargon
Personal data is information about a living individual which is capable of identifying that individual.
Processing is anything done with/to personal data, including storing it.
The data subject is the person about whom personal data are processed.
The data controller is the person or organisation who determines the how and what of data processing.
Underlying Principles
The law is complex, but there are a number of underlying principles, including that personal data:
- will be processed lawfully, fairly and transparently.
- is only used for a specific processing purpose that the data subject has been made aware of and no other, without further consent.
- collected on a data subject should be “adequate, relevant and limited.” i.e. only the minimum amount of data should be kept for specific processing.
- must be “accurate and where necessary kept up to date”
- should not be stored for longer than is necessary, and that storage is safe and secure.
Consent rights and accountability
From May 2018, people will need to give their consent before you send them marketing and communications. This will need to be clear and unambiguous – some form of positive action to ‘opt-in’. You may need to gather this consent if you do not already have it.
Data subjects have a number of rights, including that of knowing how data is used by the data controller, of knowing what data is held about them, of correcting any errors and generally the right ‘to be forgotten’. Your church will need to make provision for people to exercise these rights, including developing a Privacy Notice.
The GDPR also introduces a stronger requirement on accountability for data controllers. This means that you must be able to show that you are complying with the principles by providing evidence.
In many ways, the GDPR does not differ hugely from its predecessor (Data Protection Act 1988 – DPA) except in its more detailed definitions of:
- the higher standard for clear, unambiguous consent required
- the requirement of explicit over implied consent and option to withdraw consent
- who holds responsibility
- the requirement of proof to demonstrate how an organisation is fulfilling the regulations
Lawful data processing
Under the GDPR, the conditions for lawful processing of data are:
- Consent of the data subject
- Processing is necessary for the performance of a contract with the data subject or to take steps
- Processing is necessary for compliance with a legal obligation
- Processing is necessary to protect the vital interests of a data subject or another person
- Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
- Processing is necessary for the purposes of legitimate interests* pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject
Where none of the other five lawful bases for processing data apply, explicit consent is required. If an organization cannot prove explicit consent from a data subject, they would need to explain in detail what they believe the lawful basis for processing is in their case. In the case of churches this would likely be legitimate interest, but the responsibility would be on the data controller to be confident that such a basis would stand up in court.
As a church, you may well need to gain consent from some data subjects. Remember though that there will still be some data processing you can do as part of normal church management that doesn’t need specific consent for that particular action – for example for purely administrative purposes in the church context Section 9(2)d may apply to some personal data*.
*Section 9(2)d is a special processing basis which allows religious (amongst others) not-for-profit bodies to process data provided the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without consent.
The place to start is to audit what personal data your church is holding and for each type decide on the lawful basis you are using for processing that data. If no other lawful basis applies then you will need explicit, opt-in consent and be able to produce paperwork showing that you have it. If you do not currently have this in place then you need to update/create your privacy notices and consent forms and send these to everyone you want to continue to process personal data on.