You’ve probably heard about GDPR. The new European data protection regulation, which applies to practically everyone, comes into force on May 25, 2018. If you operate a church or ministry website, there should already be a process under way for bringing your systems into compliance with the regulation.
GDPR adds to, and in large part supersedes, existing data protection legislation, which in the UK has up to this point been provided by the Data Protection Act 1998 (DPA) and the Privacy and Electronic Communications Regulations 2003. As a regulation it applies directly in every EU member state, and it also reaches organizations that are not established in the EU but offer goods or services to, or monitor the behaviour of, people in the EU. That covers most church organizations. The GDPR introduces a stronger accountability requirement for data controllers: you must be able to demonstrate that you comply with the principles by producing evidence. For example, where you process on the basis of consent, you should record those consents (who consented, to what, when and how). Since consent must be specific to a purpose, you may need separate consents to cover different areas of data processing within the life of the church.
The impact is going to be huge, as there are a number of very significant changes that will affect every organization processing personal data of people in the EU. This includes the Church, which in most cases has been very poor at complying with data protection legislation. If your church organization or church website processes personal information of any kind inside the EU, GDPR applies to you. This holds even for churches owned or run from outside the EU. If you process any data about people in the EU, such as website visitors, live broadcast viewers or attendance records, GDPR needs to be on your radar.
GDPR does allow religious (among other) not-for-profit bodies to process special category data without explicit consent, as long as the processing relates only to members, former members or people who have regular contact with the body in connection with its purposes, and the data is not disclosed outside the body without consent (Article 9(2)(d)). Even so, there is still considerable risk. Data that “reveals religious belief” is special category data, which requires additional care in processing. Revealing religious belief should not be assumed simply because someone attends church or church events, becomes a “friend” or gives money to a church. However, where someone is required to have affirmed a belief (e.g. that they are baptized or that they are a member of the Church), as in processing of the electoral roll, this could be argued to reveal religious belief.
With this in mind, the rights of the user or client (the “data subject” in the regulation) under GDPR include:
- the right to erasure (the right to be forgotten, i.e. deleted from the system),
- the right to restriction of processing (keep the data, but mark it as “restricted” and stop using it),
- the right to data portability (export of the data in a machine-readable format),
- the right to rectification (the ability to get inaccurate personal data corrected),
- the right to be informed (plain, human-readable information about what you do with the data, rather than legal boilerplate),
- the right of access (the user is able to see all the data you hold about them).
Additionally, the relevant basic principles are:
- data minimization (do not collect more data than necessary),
- integrity and confidentiality (appropriate security measures to protect the data against unauthorized access, loss and damage),
- accuracy (measures to ensure the data is correct and has not been inappropriately modified).
To set some context, it may be helpful to ask, “Whose data is it?” If we believe that the data we hold on our systems belongs to us, then we are likely to be resistant to GDPR. If we are 100% clear that each person’s personal data belongs to that individual alone, and that we are custodians of their data, then we’ll likely have a much healthier response to GDPR. When we see ourselves as custodians, charged with a “trust,” we’ll likely want to do our very best when we receive, store and process people’s personal data, and we’ll also be more ruthless about removing any data that we don’t wish to hold within that trust.
Lawful processing of personal data must rest on at least one of six conditions (Article 6):
- consent of the data subject,
- performance of a contract with the data subject (or steps taken at their request before entering into one),
- compliance with a legal obligation,
- protection of the vital interests of the data subject or another person,
- performance of a task carried out in the public interest or in the exercise of official authority,
- the legitimate interests of the organization or a third party, except where those are overridden by the interests, rights and freedoms of the data subject.
Apart from the record-keeping exemption in Article 30(5) for organizations with fewer than 250 employees, which itself falls away where the processing is not occasional or involves special category data such as religious belief, none of the regulation’s requirements depend on organization size, so “I’m small, GDPR does not concern me” is a myth. “Personal data” is any information relating to an identified or identifiable living person, including data that identifies someone only indirectly or in combination with other data your organization holds.
An everyday example: Google Maps shows you your location history, all the places you’ve been to. Embedding a Google map on your website lets visitors find you, but it also means their browser contacts Google’s servers when the page loads, so the visit can be linked to their IP address, cookies or Google account. That is still the visitor’s personal data (the regulation explicitly counts online identifiers such as IP addresses), which GDPR allows you to collect and store only under certain legal conditions.
An individual can object at any time to you using their personal information for:
- Direct marketing (including fundraising). If an individual objects to you using their data to contact them for this purpose, you must stop immediately. There are no exemptions.
- Scientific or historical research, or statistical purposes. You can continue only if the processing is necessary for a task carried out in the public interest. Note that processing you carry out under a legal obligation, such as submitting Gift Aid claims to HMRC, is not subject to the right to object at all, because that right covers only processing based on the public task or legitimate interests conditions.
- Processing based on a “legitimate interest” of the church (e.g. video broadcasts, family events, small group home gatherings, fundraisers, prayer call campaigns). Here you must stop unless you can demonstrate compelling legitimate grounds that override the individual’s interests, rights and freedoms.
Age check – GDPR introduces special protection for children’s personal data. Where you rely on consent to offer online services directly to a child, the consent is only valid if given or authorized by a parent or guardian for children under 16; member states may lower that threshold to 13, and the UK has chosen 13. You should ask for the visitor’s age, and if the visitor is a child, obtain parental permission and make reasonable efforts to verify it.
Keeping data for no longer than necessary – if your church collects data for a specific purpose (e.g. a product purchase, an email campaign, a call list), you have to delete or anonymize it as soon as you no longer need it for that purpose. Many churches offer a welcome pack, registration, online giving and so on. A visitor’s consent covers only the particular purpose for which it was given, and you must keep a record of that consent.
Cookies – every basic website nowadays uses a number of different types of cookies. They are covered by a different piece of legislation (the ePrivacy Directive, implemented in the UK as PECR, with a replacement ePrivacy Regulation proposed). However, GDPR still changes things where tracking cookies are concerned, because the identifiers they carry are personal data. I’ve outlined my opinion on tracking cookies in a separate post.
Encrypt the data in transit – this means serving the website over HTTPS, and also running the communication between your application layer and your database (or your message queue, or whatever other component you have) over TLS, with certificate verification enabled rather than merely encryption.
Encrypt the data at rest – this again depends on the database (some offer column- or table-level encryption), but it can also be done at machine level with full-disk or volume encryption. In either case, keep the encryption keys somewhere other than next to the data, or the encryption protects against little more than a lost disk.
Implement pseudonymisation – the most obvious use case is when you want to use production data on test or staging servers. Replace the personal data with a “pseudonym” so that the people cannot be identified, and keep whatever key or lookup table maps pseudonyms back to real identities separate from the data. Note that pseudonymised data which can still be linked back to a person with that key remains personal data under GDPR; only truly anonymised data falls outside it.
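To make that concrete, here is an added example (not code from the original article) of pseudonymising a member export for a staging server with a keyed hash. The member and giving tables, the field names and the key handling are constructed assumptions for illustration. It shows that using the same key on both tables keeps their foreign keys joining, that a different key breaks the link, and that a plain unkeyed hash of an email address is not a pseudonym, because anyone can rebuild it from a list of guesses.

```python
"""Pseudonymise a production export before loading it on a staging server.

Added example, not from the original article. The records, table layout
and key handling are assumptions for illustration.
"""
import hashlib
import hmac
import secrets
from typing import Optional

# Constructed sample export; these are not real people.
MEMBERS = [
    {"id": 101, "name": "Alice Example", "email": "alice@example.org",
     "phone": "+44 7700 900123", "groups": ["choir"], "attended": 14},
    {"id": 102, "name": "Bob Example", "email": "bob@example.org",
     "phone": "+44 7700 900456", "groups": ["youth"], "attended": 3},
]
# A second table that refers to members by id, as a giving ledger would.
GIVING = [
    {"member_id": 101, "amount": 25.00},
    {"member_id": 102, "amount": 10.00},
]

# Fields that identify a person and must not reach staging unchanged.
IDENTIFYING = ("id", "name", "email", "phone")


def new_key() -> bytes:
    """Generate the pseudonymisation key once. Store it in a secrets manager
    or an offline file, never next to the export it was used on."""
    return secrets.token_bytes(32)


def pseudonym(value, key: bytes, length: int = 16) -> str:
    """Deterministic keyed pseudonym for one field value.

    HMAC-SHA256 rather than a bare hash: without the key nobody can
    reproduce the mapping by hashing guessed inputs (see guess_plain_hash).
    """
    mac = hmac.new(key, str(value).encode("utf-8"), hashlib.sha256)
    return mac.hexdigest()[:length]


def pseudonymise_member(row: dict, key: bytes) -> dict:
    """Replace identifying fields; keep non-identifying statistics as they are."""
    out = dict(row)
    for field in IDENTIFYING:
        if field in out:
            out[field] = pseudonym(out[field], key)
    return out


def pseudonymise_export(members, giving, key: bytes):
    """Pseudonymise both tables with the same key so foreign keys still join."""
    members_out = [pseudonymise_member(m, key) for m in members]
    giving_out = [dict(g, member_id=pseudonym(g["member_id"], key)) for g in giving]
    return members_out, giving_out


def joins_intact(members_out, giving_out) -> bool:
    """True if every giving row still points at a member row."""
    ids = {m["id"] for m in members_out}
    return all(g["member_id"] in ids for g in giving_out)


def plain_sha256(value: str) -> str:
    """The weak alternative: an unkeyed hash of the value."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def guess_plain_hash(hashed: str, candidates) -> Optional[str]:
    """Recover a plain-hashed value by hashing a list of guesses.
    Emails and phone numbers come from a small, guessable space, which is
    why a bare hash does not count as pseudonymisation."""
    for candidate in candidates:
        if plain_sha256(candidate) == hashed:
            return candidate
    return None


if __name__ == "__main__":
    key = new_key()
    members, giving = pseudonymise_export(MEMBERS, GIVING, key)
    print(members[0])
    print("joins intact:", joins_intact(members, giving))
    print("plain hash guessed:",
          guess_plain_hash(plain_sha256("alice@example.org"),
                           ["bob@example.org", "alice@example.org"]))
```

Run it against a real export by replacing MEMBERS and GIVING with the rows from your database; whoever holds the key can still re-identify people, so the key belongs with the person responsible for the production data, not on the staging server.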
Don’t log personal data – keep personal data out of log files, especially if they are shipped to a third-party service or plugin.
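As an added example (not from the original article), here is a last line of defence for that: a redaction pass run over log lines before they are shipped, plus a Python logging filter that applies the same redaction inside an application. The sample log lines are constructed and the regular expressions are deliberately broad. The better fix is still not to write the data into the message in the first place, and to log a pseudonymous member id instead.

```python
"""Scrub personal data from log output before it leaves the server.

Added example, not from the original article. Sample lines are
constructed; the patterns are broad on purpose, since a false positive in
a log costs less than an email address sitting in a third-party log store.
"""
import logging
import re
from typing import List, Tuple

# Constructed sample log lines, as a church web app might emit them.
SAMPLE_LINES = [
    "2018-05-25 09:12:01 INFO signup ok email=alice@example.org ip=203.0.113.7",
    "2018-05-25 09:12:05 WARN sms to +44 7700 900123 failed: carrier timeout",
    "2018-05-25 09:13:10 INFO offering recorded member_id=101 amount=25.00",
]

# Each pattern is applied in turn; the label ends up in the placeholder.
PATTERNS: List[Tuple[str, re.Pattern]] = [
    ("email", re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")),
    # UK-style numbers, with or without +44 and spaces (07700 900123, +44 7700 900123).
    ("phone", re.compile(r"(?:\+44\s?\d{4}|\(?0\d{4}\)?)\s?\d{3}\s?\d{3}")),
    # IPv4 addresses; GDPR treats online identifiers such as IPs as personal data.
    ("ip", re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")),
]


def redact(text: str) -> str:
    """Replace every match of each pattern with a labelled placeholder."""
    for label, pattern in PATTERNS:
        text = pattern.sub(f"[{label} redacted]", text)
    return text


def scrub_lines(lines):
    """Redact a batch of lines, e.g. before a log shipper picks them up."""
    return [redact(line) for line in lines]


class RedactingFilter(logging.Filter):
    """Logging filter that redacts the rendered message before any handler
    (file, syslog, third-party service) sees it."""

    def filter(self, record: logging.LogRecord) -> bool:
        record.msg = redact(record.getMessage())
        record.args = ()  # already rendered into msg
        return True


def redacted_record_message(msg: str, args: tuple) -> str:
    """Run one log call through the filter and return what a handler would see."""
    record = logging.LogRecord("app", logging.INFO, "app.py", 0, msg, args, None)
    RedactingFilter().filter(record)
    return record.getMessage()


if __name__ == "__main__":
    for line in scrub_lines(SAMPLE_LINES):
        print(line)
    logger = logging.getLogger("app")
    logger.addFilter(RedactingFilter())
    logging.basicConfig(level=logging.INFO)
    logger.info("password reset requested for %s from %s",
                "bob@example.org", "198.51.100.4")
```

Attach the filter to the root logger (or to every handler that ships logs off the box) so it runs before formatting; a filter on a single named logger only covers records created through that logger.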
Above all, DO NOT use data for purposes that the user hasn’t agreed to!
Finally, GDPR mandates that you detect personal data breaches and notify the national regulator (in the UK, the Information Commissioner’s Office, ICO) within 72 hours of becoming aware of a breach, unless it is unlikely to result in a risk to individuals; where the breach is likely to result in a high risk to them, you must also inform the affected individuals without undue delay. The maximum fine for organizations that breach the regulation is €20 million or 4% of annual worldwide turnover, whichever is higher. Quite apart from anything else, this should give charity trustees pause for thought.
Where to begin? Start with the following questions and actions:
- Does your collection and use of personal or sensitive data fall within the “purposes” stated in your current data protection policy?
- Are there current uses that fall outside that scope?
- Are your policy’s stated “purposes” broad enough to cover all your ministry and activity? Highlight any areas where your policy needs expanding.
- Note down any third-party “processors” that use or further process the personal data, such as your bookkeeper, WordPress, MailChimp, Planning Center, Stripe, GoCardless or Textlocal, and check that you have a written contract with each of them covering data protection, as Article 28 requires.
- Identify and list all the ways your church enters personal data into each system, including contact details, attendance or tracking data, and notes.
- Note any additional processing of information you carry out in your admin workflows within each system, such as communications you send, notifications to others in your church that get triggered, and any reports you produce and distribute.
- Are there any areas of bad practice or risk that need addressing? For example, using images from people’s social media profiles without consent, audio, video or live broadcast recordings of people who have not consented, or notes that express opinion rather than fact.
- How do your church’s procedures for handling personal data demonstrate accountability?
- Are changes communicated to those in your church or team who need to know?
- If you were a newcomer to your church, would you be clear, at every point where you submit personal data, what the church’s privacy notice and data protection policy say? Would you feel sufficiently informed about how your data will be used, and would you know how to opt out if you wanted to?
Common sense disclaimer: This article is not legal advice. Contact your church’s attorney for a complete evaluation and an action plan for fully protecting your organization.