Clergy and PCCs need to make preparations for the General Data Protection Regulation (GDPR), which comes into force on May 25th 2018. The best way to start is to follow our simple steps.
The General Data Protection Regulation is a stronger version of the Data Protection Act which we are already legally obliged to comply with. It takes into account the massive changes in technology since the Data Protection Act was introduced in 1988. The GDPR enhances and strengthens an individual’s rights.
All parishes and clergy must comply with GDPR.
As soon as you gather information – on an electoral roll or mailing list for instance – then you need to comply. The GDPR does not prevent you from holding data provided you treat it responsibly.
You will need to comply if you hold information that can identify a person by reference to any of these things:
An identification number
Sensitive personal data (health, sexual orientation)
Your first simple steps
You must take this seriously but you don’t need to panic. We will be issuing plenty of guidance and forwarding information from the national church and the Information Commissioner’s Office (ICO). But for now take these simple steps.
First you need to appoint a “Data Compliance Officer”. That may be your PCC Secretary or an employee. They need to be your expert (and a key person for us to send information to). When you have chosen this person, ask them to email email@example.com so we can keep them up to date with information.
Talk about GDPR at your PCC so all your trustees share in the responsibility for making this happen.
Review the personal information you hold. You can use this form to help you.
You will then need to do some work around how you seek consent, how you keep and delete data, how you manage requests for information, and other elements of this. We will be putting together a further briefing about this over the next few weeks.
See here for more detailed guidance
Thanks to the Diocese of Portsmouth for documents and support in putting this information together.