GDPR Advice for Churches

Your church will have a membership list which may be stored within the church as a spreadsheet, word document and/or on paper.  When you originally started storing information on church members then you may have stated why you needed it and the purpose for which it would be used, and gained their permission.  If you didn’t, then you will need to get fresh permission from each person. This is the position in which a lot of churches will find themselves.   

If you did get permission then as long as the way the data is being used has not changed then you will not need to obtain permission again. However if the type of information that is being stored, or the way in which it is being used,  has changed, even if this is a slight change, you will need to regain permission to hold data about each person. This could be something as small as you are now recording employment or marital status, whereas when they gave consent it was just to store address details.  The only exception to this is if there is another legal basis for using or processing that data such as the processing is necessary for you to comply with the law.

The bottom line is that if you are not sure if you have obtained correct permission from a church member, you need to contact them to obtain permission. This should be done as soon as possible and certainly before GDPR comes into effect on the 25th May 2018.   

It is also important that if you are obtaining permission from people that your privacy notice is shown at the point of someone opting in or giving permission.

If you do not have permission by May 25th 2018 then these people must be deleted from your church database.


Privacy Policy | Website terms and conditions