Data Protection Officer

You will not necessarily need to appoint an official Data Protection Officer (DPO). The GDPR specifies that organisations only need to appoint a DPO if they:

  • are a public authority (except for courts acting in their judicial capacity)
  • carry out large scale systematic monitoring of individuals (for example, online behaviour tracking), or
  • carry out large scale processing of special categories of data or data relating to criminal convictions and offences.

More information can be found on the ICO website.

As religious affiliation comes under ‘special categories of data’ (along with other potentially sensitive information pertaining to race, political affiliation, etc), some larger churches may be required to appoint a DPO if they are processing a lot of records.

You are free to appoint a DPO even if you are not legally required to do so. However, if you do appoint one, you must ensure that they have the relevant experience and seniority to take the lead on all matters within the church relating to data protection. They do not need to have any specific qualifications, but they must have professional experience and a good knowledge of data protection law.

Even if you are not going to appoint an official DPO, you will need to decide who church members should contact if they want to exercise any of their rights under GDPR. The ICO suggests the term 'data protection lead'. This person or persons should also be responsible for gathering and monitoring the relevant consent. You should name this person in your church Privacy Policy so everyone knows who they should contact if they have any data-related concerns.

Terms and Conditions | Our Privacy Policy | Disclaimer