General Data Protection Regulation information
The introduction of GDPR means churches have to take care when using people's personal data. Even things you have done in the past - say a church directory with everyone's names and their children's date of births - must be looked at carefully and permissions gained.
GDPR requires data to be processed in a fair, transparent and lawful way. Simply:
• know what data you’re collecting
• why you’re collecting it
• how you’re going to use it
• make sure you have a lawful basis according to GDPR - LAWFUL
• tell everyone about it in your privacy notice – TRANSPARENT
• use the data in the way you have described – FAIR
So, do not disclose any personal information about an individual without first obtaining that person’s consent – that includes: address, telephone number, email address, age, birthday, names of family members.
Another top tip: When emailing groups of people always put their email addresses in the ‘bcc’ row rather than the ‘To’ row.
Where to go next
See the national URC quick hints and tips.
GDPR Questions and Answers can be viewed here on powerpoint
Mersey Synod has adapted the URC Consent Policy to include tick boxes. If a church is processing personal data for several different purposes (eg membership records, sharing news and information, sharing pastoral news, publicity, fundraising, etc), provide separate boxes to tick, to enable people to consent to some processing but not others. Consent Template
Church House has produced some basic advice and some template documents. These are all available to download urc.org.uk/GDPR
It is useful to review your data processes every year - to help we have included a checklist (A Church Data Audit Form).
Specific helpful advice may be found at www.gdprforchurches.org.uk
GDPR on the Information Commissioner's Officer website