GDPR for churches
Just like any other charity or organisation, all parishes must comply with General Data Protection Regulations (GDPR).
The Regulations give individuals more rights and protection in how their personal data is used by organisations.
The national Church of England Parish Resources website has a page of advice, guidance, templates and a checklist to help parishes comply with the Regulations.
There are two guides:
- a two page overview (designed for use with PCCs), and
- a more detailed guide for the person implementing this in the parish.
The checklist covers the actions outlined in the guides, to help PCCs monitor progress.
Carrying out a data audit is recommended as the amount of personal data your parish stores and processes may surprise you. Parish Resources has a template data audit document along with some helpful hints to get you started.
There is a helpful Frequently Asked Questions & Some Common Myths document as well.
Parishes will also need to make sure they have consent to communicate with those on their mailing lists. You can find guidance and sample forms here.
Parishes will also need to produce a Privacy Notice. If you have a website, it’s good practice to make this available online. A Sample Privacy Notice can be found here which can be amended and adopted. Guidance on how you can write your own Privacy Notice is also available.
Finally, some data processing carried out as part of normal church management will not require specific consent, for example holding lists of group members. This is covered by a special condition under the GDPR for religious not-for-profit bodies, provided the processing relates only to members or former members (or those who have regular contact with the body in connection with those purposes) and provided there is no disclosure to a third party without consent.