General Data Protection Regulation (GDPR)
This regulation took effect in the UK on 25 May 2018. It gives individuals rights and protections with regard to how their personal data is used by organisations. Congregations must comply with its requirements as there are no relevant exemptions for charities or small organisations.
The underlying data protection principles set out in the GDPR are:
Personal data must be:
1. processed lawfully, fairly and transparently;
2. used only for a specific processing purpose that the data subject has been made aware of;
3. adequate, relevant and not excessive;
4. accurate and, where necessary, kept up to date;
5. not stored for longer than is necessary;
6. stored in a safe and secure manner.
There is also an accountability principle, which requires that the data controller be able to demonstrate compliance with the first six principles.
Key definitions are:
Personal data is information relating to a living individual, who can be identified from that data or indirectly from other data held.
Processing is anything done with or to personal data, including storing it.
The data subject is the person about whom personal data is processed.
The data controller is the person or organisation who determines the manner and purposes of data processing.
Data is processed on the basis of legitimate interest, such as membership lists or rotas, and legal obligation, such as Gift Aid and contracts. The data held reveals religious belief, so it becomes special category data, which is processed where an individual has given explicit consent or where processing is carried out in connection with the legitimate activities of the church. Two safeguards apply: firstly, that the processing relates solely to the members or former members or to persons who have regular connection with the church, and secondly, that the personal data is not disclosed outwith the church without consent. Data subjects have the right to know how the data is used, to know what data is held about them and to be able to have any errors corrected.
For more details regarding our data protection policy, or to speak to our Data Protection Officer, please contact the Church Office at firstname.lastname@example.org.