From 25 May 2018 it is a legal requirement for every organisation (including churches and all charities) to comply with the General Data Protection Regulation.
This dictates how you can use people’s personal data.
Imagine this: it’s the first morning of your church’s holiday club; volunteers are buzzing around; parents and children are beginning to wander through the door. Excitement is mounting. You’re ready with your registration sheet to take names, addresses, phone numbers and dietary information for the children in your care, so that you can keep in contact with the family.
Or perhaps you’re looking through a list of church members, updating addresses and phone numbers, trying to format it all. Or maybe you’re a group of elders with emails flying between you on confidential matters.
Keeping information safe
But what do you do with this information? How do you make sure it’s safe and stored properly? How do you love the people whose data you’re keeping and maintain the reputation of your church as good stewards of other people’s property? These questions will become increasingly important when changes in data protection law come into force. In future, churches will have an even greater responsibility to care for the information that the mum from holiday club scribbled down on a registration form.
From 25 May 2018, the UK Data Protection Act 1998 will be replaced by the General Data Protection Regulation (GDPR). As a regulation, it will come into force automatically across the European Union, without member states needing to pass additional laws. Brexit will not make any difference, as the new Data Protection Bill will repeal the Data Protection Act 1998 and incorporate the GDPR into UK law.
A sign of the times
Growth in digital technology means that the world is a very different place compared with 1998 when the Data Protection Act came into force. We now use electronic record-keeping more than paper. Manipulating personal information is much easier and identity theft has become a significant issue. Understandably, people want greater choice and control over how their personal data is used.
The GDPR extends the data rights of individuals, making transparency a right, and increases the obligations on organisations to have clear policies and procedures in place to protect personal data.
Personal data is any ‘information relating to a living individual who can be identified from that data’ (e.g. names, addresses, photographs, email addresses). As soon as an organisation does anything with that personal data, such as obtaining or recording it, they are processing personal data and will be subject to the obligations in the GDPR. This means that all organisations need to review the impact of the Regulation on their operations as soon as possible, and determine what changes have to be made to ensure compliance. There are no significant charity exemptions.
A game changer?
Although the GDPR has been described as a game changer for data protection and privacy law, requiring substantial forward planning for every organisation, if organisations are already complying with the Data Protection Act, they may only need to make simple tweaks to their current procedures.
However, if organisations have not been used to giving much thought to data protection, they need to be aware that the GDPR increases the consequences for non-compliance (including penalties from the Information Commissioner’s Office of up to £17 million or 4% of global turnover).
Of course, churches and Christian organisations will be motivated not simply by wanting to avoid financial penalties, but also by a desire to obey Scripture by obeying the authorities. If your organisation is transparent in this area, it will also build trust and confidence with its membership and the community at large. It’s easy to see how pastorally sensitive situations might be exacerbated or mitigated by how the information of the individuals involved is handled.
Tim Turner, a former policy manager at the Information Commissioner’s Office, has said: ‘This is a terrible time to be bad at data protection. The stakes – in terms of reputation and enforcement – have never been higher’.
Here are some questions and pointers to get you thinking about how to approach data protection positively:
• Review your current procedures. What personal information does your church or organisation keep? Addresses, phone numbers, email addresses of members or other contacts? Who uses this information? How and where do you store it? Who do you share it with? Are you transparent about the use of this data? You ought to have a data protection policy, data retention and security policy and a privacy notice in place.
• Trustee Responsibilities. Although you may enlist the help of others in your organisation, remember that responsibility for compliance with all legislation ultimately lies with the trustees/directors. Breach of data protection legislation may be a breach of the duty of trustees to ensure compliance by delegating or overseeing appropriately. This may be a good time to review governance of your organisation more generally.
• Consent. One of the major changes which will come in with GDPR is how you get consent for the information you hold. There are other legal grounds for holding certain types of data but, if you are relying on consent, do you have a GDPR-compliant process for this?
• Storing information securely. How do you store the information you hold? If it’s paper copies, are they securely stored? If it’s stored digitally, is it encrypted? Who has access to the information? GDPR will mean organisations need to be more aware of securing information from any ‘data breaches’. Your church or organisation will be responsible for looking after the information that people trust you with.
• Using information responsibly. Do you have someone who is responsible for data protection in your church or organisation? How long do you keep information for? Why do you keep it? Get thinking about how you can incorporate data protection at the planning level of all your events. Get used to factoring it into your planning and processes.
Of course, data protection is just one area where churches and other Christian organisations can feel the pinch of increased regulation which impacts their gospel work.
FIEC is keen to encourage churches to see all legal compliance as part of the church’s gospel work and witness to the communities they operate in. That’s why, in March this year, FIEC set up a brand-new law firm called Edward Connor Solicitors.
This new firm is called Edward Connor Solicitors because it is implementing the vision of FIEC’s founder, the Revd E.J. Poole-Connor, ‘to save churches and missions trouble and expense by friendly legal advice’.
I’m delighted to be the Managing Director of Edward Connor Solicitors – the first-ever Christian charity to be authorised by the Solicitors Regulation Authority. We’re Christians first and solicitors second: a unique law firm offering our services solely to churches and Christian organisations. With a specialist team and cost-effective fees, our mission is simple – to release our clients for theirs.
We can support churches and Christian organisations with charity law and governance advice, property law and conveyancing, employment and HR advice as well as support with data protection and GDPR.
Download our free, comprehensive GDPR booklet from edwardconnor.com/gdpr. We’ve also produced a pack of model documents which are available to purchase. Please email email@example.com or call 01858 411568. This information has been provided on behalf of Edward Connor Solicitors, a charitable company (charity number 1175305) (company number 10821224) authorised and regulated by the Solicitors Regulation Authority (number 640691). It is designed for the purpose of knowledge sharing only and does not constitute legal advice. Each organisation is different and accurate legal advice must be tailored to each situation.
If you’re a Christian legal professional and would be interested in working for Edward Connor Solicitors please email firstname.lastname@example.org