Changes for parishes to Data Protection rules
Data Protection: Parishes and the “GDPR”
The new General Data Protection Regulations (GDPR), which replace the Data Protection Act, will take effect from 25 May 2018 and, like all other charities and organisations, parishes must ensure that they comply with the new rules.
GDPR replaces the existing law on data protection (the Data Protection Act 1998) and give individuals more rights and protection in how their personal data is used by organisations.
Parishes must comply with its requirements, just like any other charity or organisation. There are a variety of resources which parishes can use to ensure that they are meeting the requirements - this page provides guidance, templates and a checklist to help you.
GDPR Resources and what you can do next:
What is the ‘GDPR’, and what do we need to do about it? There are two guides to help you: a two page overview (designed for use with PCCs) and a more detailed guide for the person implementing this in the parish.
There is also a checklist available which covers the actions outlined in the guides to help you monitor progress.
It’s helpful to start by carrying out a data audit – you may be surprised at just how much personal data is stored and processed around the parish. There is a template here along with some helpful hints to get you started.
If you don’t already have the consent that you need to communicate with people, you’ll need to gather this. There are guidance and sample forms available for you to use here.
You will need to produce a Privacy Notice. If you have a website, it’s good practice to make this available online so people can access it. There is a Sample Privacy Notice that you can amend and adopt, and some guidance on how you can write your own Privacy Notice.
Finally, whilst you will rely on consent for most of your communications, there will be some data processing you will want to do as part of normal church management for which you will not need to gain specific consent for that particular action – holding lists of group members, for example. This is covered by a special condition under the GDPR for religious not-for-profit bodies, provided the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without consent.