GENERAL DATA PROTECTION REGULATION COMPLIANCE

QUICK LINKS: Consent form, Privacy Notice (non-role holder), Privacy Notice (role holder).

The GDPR is Europe’s new framework for data protection laws. It replaces the previous 1995 data protection directive, which current UK law is based upon.

We are taking 7 steps to ensure that we are compliant with the GDPR legislation, which comes into force on 25th May.

  1. We are auditing the data we hold to make sure that we know where it is stored, how it is stored and what the current basis is for using it. We are also auditing who we share it with, the length of the retention period, and how the data is secured, to ensure that each instance of processing is justified by a legal basis (see point 5 below).

  2. We are publishing a Data Privacy Notice on this website. There are two versions (one for ‘employees’/church officers and one for members of the church). We are doing this because we need to tell you how we are processing your information and what your new data rights are. Follow these links to view the Data Privacy Notices: Privacy notice – non-role holder, Privacy notice – role holder.

  3. We need to gain consent in the form of a positive ‘opt in’ from some of the church family for some of our data processing, in particular: newsletters and email communications, using information to contact people about activities and groups, and publishing a church directory with personal contact details. Please fill in this form and return it to the church office to grant us consent: Consent Form.

  4. We will store these consent forms to ensure that we can justify the collection, storage and use of your data. Because consents need to be specific to a ‘purpose’, we will ensure that the consents are recorded for the specific purposes for which they were granted – including ‘how’ and ‘when’ – and we will review this approximately every 5 years.

  5. After 25th May we will delete any personal data which we do not have a legal basis to process. Just to let you know, there are several legal bases for processing data; consent is only one of them. Others are: legal obligation (e.g. processing Gift Aid or publishing the Electoral Roll); contract (e.g. letting out the church hall); legitimate interest (routine church management involving rotas, lists of group members etc.). As we mentioned in point 1, we are currently auditing our practices for each area of processing and we will be clearly recording which legal basis we rely on to carry out that processing. There are a few exceptions to this rule: safeguarding information about an individual cannot be deleted if the retention is still necessary, reasonable and proportionate – e.g. to protect members of the public from significant harm. Financial information, such as that relating to Gift Aid, cannot be deleted immediately due to financial auditing regulations. Personal data on the Electoral Roll can only be deleted in accordance with the Church Representation Rules, and information in parish registers cannot be deleted under any circumstances.

  6. We are also reviewing our procedures for dealing with information requests from people (for instance, there are new rights of data erasure and correction).

  7. Finally, we are reviewing data breach management procedures.