You may have heard the law regarding the protection of personal data is changing.
On May 25, 2018, the General Data Protection Regulation (GDPR) will replace the Data Protection Act 1998.
Parishes, in common with the Diocesan Offices, need to know what things they should keep doing and what things they should do differently to comply with the new law.
The good news first. The GDPR’s main concepts and principles are similar to those contained in the current 1998 Act. Therefore, if you are complying with the 1998 Act, much of what you do will still apply.
However, there are some changes and additions, so you may have to do some things for the first time and some things differently.
GDPR places a much greater emphasis on transparency, openness and the documents you need to keep to show you are complying with the legislation. This approach is incorporated within the idea of ‘accountability’ and the new ‘accountability principle’.
In essence, you cannot just state you are compliant; you have to prove it and provide the evidence.
To do this there are a number of actions you should take, such as documenting the decisions you make about your processing activities, and keeping other evidence of compliance, such as records of training attended, reviews of your policies and audits of your processing activities (for example, the processing of personal data in relation to the electoral roll).
In this case the personal data processed is likely to be special category data (‘sensitive personal data’ under the 1998 Act), because, by implication if not directly, it relates to ‘religious belief’.
Maintaining an electoral roll is a legitimate activity of the PCC under the Church Representation Rules, but if you wanted to share this data with another party you would require the consent of the relevant individual(s) on the roll.
And so, consent is another area that parishes should be aware of when preparing for the GDPR.
Where you rely on consent as the lawful basis for processing personal data, that consent, to be valid under the GDPR, must be freely given, specific, informed and unambiguous, and the individual must be able to withdraw it.
Also, you will need to record how and when the consent was obtained (and review this over time).
As much of the data processed by a PCC or an incumbent in a parish is special category data (it relates to ‘religious belief’), if consent is needed it will have to be explicit consent.
Consent will require ‘clear affirmative action’ - silence, pre-ticked boxes or inactivity will not constitute consent.
You will also have to tell individuals that they have the right to withdraw consent at any time and ensure that the procedure for withdrawing consent is just as simple as granting it (e.g. by sending an email or (un)ticking a box).
A simple example: you cannot use the personal data from the electoral roll to send mail to individuals about events at the church without first seeking their consent.
You will also need to keep records of all consents received and periodically review them to ensure that they are still valid.
Then there is data storage. Data must be held securely, with access limited to those who need it, and it must not be easy for someone to copy or remove it without authorisation. So if it is stored on a portable USB drive, that drive must be encrypted, and the same applies to any laptop or other portable device that holds parish data, since these are easily lost or stolen.
There is a lot more to GDPR. How do you find out more? Staff at the Diocesan Offices and the national church are working hard to support parishes …