If your organisation handles the personal data of citizens, 25 May 2018 is a date that needs to be emblazoned on your mind. New regulation governing data protection comes into force, putting far greater requirements on churches to manage, protect and dispose of citizens’ personal data in an appropriate manner. Here’s how the rules will affect your church, and how you can face the new regulations properly by using ChurchDesk.
On 25 May 2018, the EU’s General Data Protection Regulation (GDPR) comes into force, putting far greater pressure on churches to manage, protect and dispose of citizens’ personal data in an appropriate manner.
Although the regulation originated on the EU’s statute book, the UK government has stated that it will remain in place after Brexit. So the regulation will continue to apply here, even after March 2019.
UK-based businesses and organisations therefore need to pay close attention to the GDPR, being certain to adhere to it. And crucially for churches, whereas the existing Data Protection Act (1998) makes exceptions for small charitable organisations, the new regulation does not.
Put simply, if you run a church, you’re just as bound by the GDPR as someone running a multi-million-pound company. The only difference is that, while the company will have the resources to pay someone to oversee compliance, the chances are you’ll be relying on the goodwill of your largely volunteer workforce.
Data on your members is an integral part of your mission
Of course, legislation such as GDPR doesn’t mean you should avoid gathering data about your congregation members, or other people who interact with your church. Indeed, by keeping up-to-date records, you have a great way of reaching out to people, building connections, and keeping them informed about the activities that make your church community such a special place to be. The purpose of this article is to help you comply with the requirements so that you can focus on what is important: your work in the church.
ChurchDesk is designed to help you run your church, and complying with GDPR is no exception. Gathering data is the natural result of your work around the church mission, and we can help you do this in an easy, safe, and compliant way. In this way, church leaders and members can spend less time worrying about adherence to a complex new set of regulations, and more time engaging in ministry and mission. As ever, ChurchDesk means less admin, and more church.
How ChurchDesk can help you
The GDPR poses a significant challenge to churches, with a real risk of sanction for non-compliance. By choosing a church management system like ChurchDesk, churches can enhance their data-handling practice for two clear reasons.
To help you get started without getting overwhelmed by legal information and new lingo, we have prepared a checklist that you can refer to. We are also fully available if you have any questions. Just send us an e-mail at email@example.com or give us a call.
The ChurchDesk checklist to GDPR compliance
1. Data processing agreement
As a church, you need a data processing agreement with all the software providers you use to handle personal data. ChurchDesk offers all customers an agreement free of charge, built specifically for churches, to make sure you can be compliant with minimum effort. You will get our data processing agreement once you become a customer.
2. Appropriate access and permission control
ChurchDesk already provides granular access and permission control to help ensure an appropriate level of control. However, we want to go further and make it possible to increase collaboration internally in the church while increasing control. This means that a church will be able to specify access to subsets of data in our applications, including People, Forms and Intranet.
3. Improved security for logging in
ChurchDesk is a secure system. However, we are all just people, and most passwords are simple to guess or even written down next to the monitor. As part of offering additional security, we will enable two-factor authentication and eliminate the risk of unauthorized access.
4. Data is owned by people, not the church
The right to be forgotten
People may have given you consent to use their data; however, they ultimately still own their data and have the right to manage it, including the right to be forgotten. As always, you can request that all data relating to both a user and a contact be deleted fully. You do this by sending the request directly to ChurchDesk, which avoids any data being deleted by mistake. Once the data is fully deleted, it also can’t be retrieved from a backup.
See all your data
Today we are already able to provide you with all the data about a user and a contact at your request. The data is made available on a secure URL. To make it even easier for a contact to see all data, they will be able to see their own profile online, which makes it easier to request edits and change subscriptions and consents. This will require the contact to log in for secure and private access.
Updated and correct data
Today we already make it very easy for you to ensure that you have updated and correct information on the people that you engage with as a church, with a full integration of data between our Forms solution and our people database. It is key to have the correct data and to make sure it is updated. Having the wrong data on people goes against GDPR and good practice.
A key principle of the GDPR is to make it easy for a person to understand what they have given consent to. Today, you are already able to log any type of consent manually in ChurchDesk on a contact by using our custom fields. We also offer a consent template in our ChurchDesk Forms solution. However, we will soon make it easy to implement a way to store more specific consent.
We are introducing three standardised types of consent that can be easily communicated and registered on the contact:
- Consent to register in the church database
- Consent to communicate targeted and personal
- Consent to communicate about paid and fundraising activities
6. Double opt-in and refreshing consent
ChurchDesk will make it easy for you to offer double opt-in for confirming given consents, as well as refreshing consent if your required consents have changed or are poorly documented.
Need help or advice?
We are here to help you get ready for 25 May 2018 and make sure your church successfully implements the requirements of GDPR.
If you haven't already started on the implementation, we strongly recommend that you get started, as it has several aspects and we only want you to continue in your mission and run your church smoothly. We are available if you have any questions. Just send us an e-mail at firstname.lastname@example.org or give us a call.