Is Your Church Ready For GDPR?

What Is GDPR?

On May 25th 2018, GDPR or the General Data Protection Regulation will become law across the EU and replace existing data protection laws.

The impact is going to be huge as there are a number of very significant changes that will impact every organization that processes data inside the EU.

This includes the Church.

My experience with Church has been that in most cases, we are very poor at complying with legislation as we somehow consider the mission above the law. This is, of course, something Jesus disagreed with.

A quick scan of “What does the bible say about obeying the law” will reveal well over 30 references.

However, from employment law to copyright, for whatever reason the Church seems to disagree.

Data Protection has been no exception, with many Churches or charitable organizations woefully ill equipped to process data in a way the complies with the law.

Does It Apply To Me?

With GDPR, the burden of process and procedures is going to be even worse, and I am concered that for many, they are simply going to ignore the changes as for some reason they will consider themselves exempt.

Let me set the record straight. If you process personal information, of any kind, inside the EU, GDPR will apply to you.

Doesn’t matter if it is paper based or digital, if you are keeping ANY sort of record (even on scraps of paper), you need to be aware of this as the fines are high and you can rest assured the EU will be looking to find some people to be their posterchild for punishment.

This applies to Churches who are owned/run from outside the EU. If you process any data in the EU (even attendance data), GDPR needs to be on your radar.

So what do I do?

First of all don’t panic! If you have reasonable processes in place already like locked cabinets, controlled access to rooms, etc, you are already making a good start.

But there is a long way to go.

You don’t need to read the full document (although I did!) as it is very, very long, but there are a number of steps you can practically take today, to ensure you are ready for GDPR when it comes into force on 25th May 2018.

Top Tips

1. Start preparing now. It is not too late, but the sooner you start the better. The best place to start is at the top of the organization and get ALL the leaders to understand the importance of GDPR. It is highly likley that GDPR will impact every area of your ministries so it is important you get the support of the leaders as you will need that as you think about training your volunteers.
2. Do an impact assessment. This is all about looking at what data you have, and what data you collect. Think about the registers for Sunday school (yes, they are very much part of GDPR), the volunteer rotas (I am talking to you Planning Center!) and even WhatsApp or Slack groups. Assess every bit of data you use.
3. PURGE! GDPR is very clear about holding data you no longer need, so a great first step is to clear the decks and bin any data that is no longer in use. You can’t afford to be sentimental.
4. Think about special requirements. GDPR has different rules for different ‘special’ data. This is particularly important with data we hold for minors (yes think Sunday school rotas, registers, emergency procedures etc) or any time where you are holding data about people’s preferences, including their religious standing.
5. Unambiguous Consent. Previously you could get away with adding people to your mailing lists or groups because they didn’t tick a box, or just because you knew them. This will no longer be good enough. For you to contact someone (phone, email etc) they must have intentionally told you they are ok for you to do so.
6. Update your policies. With all the changes needed in GDPR, you will need to update all your policies. From your website privacy policy to your data retention policy, all will need to be reviewed. You can short-cut some of this by buying some GDPR ready templates, but you will still need to review them and ensure they apply to your Church
7. Be prepared. One of the key parts of GDPR is Subject Access Requests. Without diving into the detail, this is simply the right for someone to ask for all (yes ALL) the data you have on them. This can include forms, emails, Slack messages etc.
8. Compliance by design. When building new systems now, build GDPR thinking in from the start. Don’t wait for May, you can make an impact now and it will start to change the culture towards compliance.

The bottom line is do NOT ignore this change. Start planning today and make headway.

If you would like to pick my brains on GDPR as it relates to the Church, please do reach out. It would be a pleasure to help. Just email hello@digitalchurch.com

About Digital Church

Here at Digital Church, this is our passion. We want to help Churches recognize the opportunities and then give them the strategies, tools and practical help to put it into practice.

Please do reach out and contact us on hello@digitalchurch.com, if you are interested in how we can help your church or organization.