GDPR Guide: UK Data Protection Laws In a Nutshell

General Data Protection Regulation, commonly known as GDPR, emerged in 2018 in response to high-profile data scandals to combat the risk of identity fraud and to ensure proper use of personal data. It is managed by the Information Commissioner’s Office (ICO), an independent regulatory body in the UK. They’ve created a very comprehensive Guide to GDPR.
But, if you’re just getting started, we’ve collected some high-level concepts to help you get a handle on how to ensure GDPR compliance for your church.
GDPR legislation pertains to the personal data your church uses or collects from your congregation members and visitors. This includes both electronic and hard copy (paper) data. Personal information is literally any information about a living individual that can identify that individual. In GDPR talk, the individual is often referred to as the data subject. Identifying information includes factual information, such as address or date of birth, as well as personal opinions and photos or videos.
Churches, like other organizations, have a responsibility to protect this personal information. Failure to comply can result in hefty fines.
If you haven’t already adapted your church to GDPR, or received regulatory guidance on GDPR compliance from your diocese, you will need to start by appointing a Data Protection lead, or trustee.
GDPR legislation largely covers eight key categories of data protection for individuals.
An important part of GDPR is making sure the people whose data you collect or hold know that you have it. The best recommendation for this is including a Privacy Notice on your website and physical location. This public document explains how your organization processes personal data and how it applies to data protection principles. Articles 12, 13, and 14 of GDPR provide detailed instructions on how to create a privacy notice, placing an emphasis on making them easy to understand and accessible.
Privacy Notices should adhere to the following principles:
Here’s a sample to get started.
There are simple steps to make sure you are doing your due diligence to protect the data you hold. Such as:
When you live stream your services with in-person attendees, you open up the possibility of accidentally sharing identifiable information. The big thing to remember here is that you must offer each individual the opportunity to consent to data collection. Consent must be explicit and freely given.
To mitigate possible regulation issues:
ICO has created several quick assets to perform an internal self assessment of GDPR compliance.