Man writingGeneral Data Protection Regulation information

The introduction of GDPR means churches have to take care when using people's personal data. Even things you have done in the past - say a church directory with everyone's names and their children's date of births - must be looked at carefully and permissions gained.

GDPR requires data to be processed in a fair, transparent and lawful way. Simply:
•  know what data you’re collecting  
•  why you’re collecting it
•  how you’re going to use it 
•  make sure you have a lawful basis according to GDPR - LAWFUL
•  tell everyone about it in your privacy notice – TRANSPARENT
•  use the data in the way you have described – FAIR

So, do not disclose any personal information about an individual without first obtaining that person’s consent – that includes: address, telephone number, email address, age, birthday, names of family members.

Another top tip: When emailing groups of people always put their email addresses in the ‘bcc’ row rather than the ‘To’ row.


Where to go next

See the national URC quick hints and tips.

GDPR Questions and Answers can be viewed here on powerpoint 

Mersey Synod has adapted the URC Consent Policy to include tick boxes.  If a church is processing personal data for several different purposes (eg membership records, sharing news and information, sharing pastoral news, publicity, fundraising, etc), provide separate boxes to tick, to enable people to consent to some processing but not others. Consent Template 

Church House has produced some basic advice and some template documents. These are all available to download

It is useful to review your data processes every year - to help we have included a checklist (A Church Data Audit Form).

Specific helpful advice may be found at

GDPR on the Information Commissioner's Officer website