Checklist

We recommend that you seek legal counsel to ensure that your church is completely compliant with GDPR. However, here are a number of steps you can take to try and make sure your church is in the best position possible:

  • Register with the ICO, if you need to.
  • Find out how much your notification fee is.
  • Make sure you understand the key terms of the GDPR including Data Subject, Data Controller, Data Processor, Data Protection Officer, and Data Protection Impact Assessment.
  • Learn about the different lawful bases for holding and processing data, and consider which apply to your church. Document these where necessary.
  • Where you need consent, document existing permissions and make sure they are still valid under GDPR.
  • Where you need fresh consent, request it in a way which allows individuals to give you explicit, opt-in, clear, comprehensive consent. Document this consent.
  • Ensure that you have documented processes in place to request, record, and manage consent.
  • Make a list of all the data you do or might collect from individuals. Try to be as comprehensive as possible.
  • Document all the ways in which you might use that data, from rota reminders to room booking to wedding ceremonies to spiritual and pastoral counselling. 
  • Consider all the different media you use to hold and process said data, from spiral notebooks to smartphones.
  • Put procedures in place to make sure you can respond correctly to requests to exercise the Right of Access, the Right to Rectification, the Right to Erasure, the Right to Restrict Processing, the Right to Object, and Rights Related to Data Portability or Automated Decision-Making.
  • Document these procedures and make them available to all individuals, both at first contact and ongoing.
  • Make it clear to all individuals who they should contact to exercise their rights.
  • Be extra careful when it comes to children’s data. Have documented processes in place to ensure you are managing it correctly.
  • Ensure that your privacy information and other documentation is clear and precise enough for children to understand.
  • Make your Privacy Policies/Notices available to all individuals.
  • Document your policies around fundraising and marketing.
  • Make sure you have valid consent, where you need it, for fundraising and marketing.
  • Provide training to all church staff and volunteers to ensure they have a good knowledge of Data Protection and how it is managed within your church.
  • Appoint a Data Protection Officer if you need one; otherwise, appoint a person or persons to be in charge of Data Protection and to hold your organisation accountable.
  • Wherever possible, integrate Data Protection into every aspect of church administration, by streamlining procedures or using a holistic service like iKnow Church Software.
  • Document your Data Protection Policy, Data Retention Policy, and Information Security Policy.
  • Decide if you need to carry out a Data Protection Impact Assessment, and document your process for doing so.
  • Make a list of any third party organisations or Data Processors with whom you share data. Make this list available to all individuals.
  • Have written contracts in place with any third parties who may act as a Data Processor for your organisation.
  • Document your process for dealing with a Data Breach.
  • Finally, try to keep this question at the centre of all your operations: are you handling the data of others the way you would want someone to handle your own?