What is the ‘GDPR’, and what do we need to do about it?
Through its Parish Resources website, the Church of England offers two guides to help you: a two-page overview (designed for use with PCCs) and a more detailed guide for the person implementing this in the parish.
There is also a checklist available which covers the actions outlined in the guides to help you monitor progress.
It’s helpful to start by carrying out a data audit (see below).
If you don’t already have the consent that you need to communicate with people, you’ll need to gather this. We have guidance and sample forms available for you to use here.
You will need to produce a Privacy Notice. If you have a website, it’s good practice to make this available online so people can access it. We provide a Sample Privacy Notice (see attached file below) that you can amend and adopt. Click here for some guidance on how you can write your own Privacy Notice.
Finally, whilst you will rely on consent for most of your communications, there will be some data processing that you will want to do as part of normal church management and for which you will not need to gain specific consent – holding lists of group members, for example. This is covered by a special condition under the GDPR for religious not-for-profit bodies, provided the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without consent.
For up-to-date information and guidance from the Church of England, keep an eye on the GDPR page here.