What is it all about?
The General Data Protection Regulation, frequently referred to as GDPR, came into force on 25 May 2018. It is an EU regulation and represents a major update of the previous regime under the Data Protection Act 1998. In case you're wondering, it is unlikely to be affected in any significant way when we leave the EU, as the same rules are being absorbed into UK law.
GDPR controls the way in which personal data is kept and used by organisations, whether they are commercial or charitable. It does not apply to individuals acting in a purely personal capacity, so your personal address book of friends and relations isn't subject to this law. Although it may seem like a burden to the organisations trying to deal with it, it is in general a good thing, as it strengthens the protection for all of us as individuals; it is intended to stop the misuse of personal data by organisations, to make them more accountable and to give us more rights.
How does this affect us?
It affects you if your organisation collects and holds personal information. That can include names, addresses, email addresses, phone numbers, bank details, payment history, photographs – essentially anything which identifies a living individual.
GDPR identifies two roles for those dealing with personal data:
A Data Controller is the person or body that decides why and how personal data is processed. For a church this is usually the PCC; for a charity it is usually the trustees. Churches should note that the clergy are usually considered to be separate Data Controllers, because they hold personal data from pastoral contacts that could never be controlled by the church as a whole. Data Controllers carry the bulk of the responsibility for ensuring the safe and legal handling of data.
A Data Processor is any person or organisation which (surprise) processes personal data on behalf of a Data Controller. Processing essentially means collecting, storing, using in any way, and deleting. If data is stored on a cloud server, then that service provider is a data processor. If you use a marketing automation platform such as MailChimp, they are a data processor. Data Processors have to safeguard the data, but they are acting at the behest of the Data Controller, so they do not carry the same level of responsibility.
The Data Protection Principles
When we deal with personal data we must:
- Deal with it lawfully, fairly and in a transparent manner
- Collect data for a specific purpose and not use it in other ways
- Ensure the information we have is adequate, relevant and limited to what is necessary
- Ensure inaccurate data is corrected or erased
- Keep it no longer than necessary
- Ensure appropriate security including protection against unlawful processing and accidental loss
Lawful means you have to have a legal justification to use personal data. Getting consent is one of the legal reasons but there are others. You don’t always have to get consent but you do have to ensure that you comply with at least one of these specific legal justifications:
- Consent (more on this below)
- Necessary for performance of a contract. This often applies in an employment situation. If you employ me you have good reason to know my name, address and phone number, and I would not have to give my consent to you storing them. Also, if I buy something online you need to know the delivery address, and if I buy my electricity from you then you need to know who I am and where I live. There is a legal contract between us and keeping those personal details is part of it.
- Necessary to comply with a legal obligation. This covers other cases where there is no specific contract but there is another legal obligation. Church in Wales law requires the church to keep an electoral roll of members, including names and addresses. Churches have a legal obligation to do this and do not need to seek consent, although there is a mechanism for anonymising data when it is displayed publicly.
- In the legitimate interests of the data controller, unless overridden by interests, rights or freedoms of the data subject. This sounds promising, but be careful about the second part. Does the data subject really want you to use their personal data? For an organisation that has a membership list, it is reasonable to hold basic information about your members and to keep them up to date with what is going on. For groups within an organisation that have specific responsibilities (committee members, service coordinators) it is in the interests of everyone that their email addresses are used to help communicate effectively.
- Necessary to save or protect an individual’s life. This would normally relate to passing essential information to the emergency services or medical staff in order to save life.
- Necessary to carry out a task in the public interest. This is nothing to do with what the press like to consider as the public interest but more to do with the administration of justice and official bodies such as the police and the government. It is very unlikely to apply outside those boundaries.
Getting consent from the data subject is something which is now defined rather differently from the way it once was. Consent means:
- Freely given, specific, informed and an unambiguous indication of wishes.
- Demonstrable. We need proof of consent
- Can be withdrawn at any time
- Opt-in, not opt-out. You cannot use pre-ticked boxes which have to be unticked to mean no consent. You cannot use a box saying ‘tick here if you do not wish us to use your information’.
- Not a condition for something else – you cannot say things like ‘subscribe to our newsletter to get a free information pack’.
- It must be clear what consent is for, and the data can only be used for that purpose.
There is a further safeguard on what used to be called sensitive personal data and is now known as special category data. This includes one's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, sex life or sexual orientation, health, and genetic or biometric identification. Explicit consent is required, and no other legal basis is sufficient on its own, unless:
- The information has been made public by the individual themselves (it is no secret that the Pope is a Catholic), OR
- It is in the legitimate interest of a not-for-profit body with a religious aim AND there are appropriate safeguards AND relates to members, former members and people who have regular contact AND no transfer of information to a third party without consent, OR
- It is necessary for (… long list of conditions which I won’t go into here, but are unlikely to apply).
The sensitive data constraint would present a problem for churches and many charities with a faith basis, because by naming anyone within your membership their religious belief can be implied. This is the reason for the second rather wordy exception, which means you can use the legitimate interest basis as long as you only use it for people genuinely associated with your organisation.
Children
- There are few special conditions for children's data built into GDPR. The legislation covers data use and security, not safeguarding.
- However, for online services the UK has set the age below which a child cannot give their own consent at 13. For children under that age you need consent from a parent or another legal basis.
- Privacy notices must be clearly understandable by the people reading them, so if that includes children then you have to make sure the language and level of explanation is suitable.
Privacy and Electronic Communications Regulations (PECR 2003)
This is a separate piece of legislation concerned with the delivery of marketing and fundraising communications by organisations, as opposed to the use of personal data. Contacting people by email, SMS or phone for the purposes of marketing or fundraising requires their consent. You cannot send a bulk email to people telling them about your product or asking them to support your fundraising effort, unless you have their consent.
There is an exception to this known as the soft opt-in, which says that if someone has previously bought your product or negotiated a sale with you AND you gave them the option to opt out of communication at the time AND you give them that option in every subsequent communication, then you can contact them in that way. Be aware that the ICO's position is that the soft opt-in applies only to commercial marketing of products and services; it does not extend to charity fundraising or campaigning, so a charity cannot rely on it simply because someone has supported its cause before.
Giving people information by hand, or sending it by post is not covered by these regulations, which only relate to electronic communication.
There is another part to these regulations which requires consent to be given before a website saves a cookie on your computer (other than cookies strictly necessary to provide the service you asked for). This is somewhat controversial, as most modern websites use cookies for benign purposes and in practice most sites simply show a notice without giving the visitor any real choice.
PECR was due to be superseded by the EU ePrivacy Regulations at the same time as GDPR but this has now been delayed and is expected at some point in 2019.
Data in the public domain
Data protection is about how we use data regardless of where it came from. The fact that it is in the public domain does not give us licence to use it as we please. GDPR and PECR still apply.
What you need to do to comply
- Make a data audit. You need to know whose data you have, what data you have, when you obtained it, where it is kept, how it is used.
- Create a Data Protection policy. This is an internal document to record what data you keep and use for each category, what the legal basis is, what you use it for and how long you retain that information. This is partly to clarify things for you, and also so you can demonstrate that you have thought about these things should an incident ever arise.
- Update your data collection forms and procedures. As well as collecting information, you need to ensure that you are using opt-in and not opt-out, and that you explain what the data is going to be used for.
- Create a Privacy Notice. This is a public document, which you might put on your website, to explain what data you hold and why, and to explain the rights of individuals (this latter part is boilerplate text).
- Ensure all members of your organisation employ good data security practices. There is a separate document about this.
- Provide a data protection contact, perhaps an email address on your website, where people can contact you regarding their personal data. It is not likely that anyone will actually contact you, but you need to give them the means to do so should they so wish.
Useful links:
These are some other websites containing useful guidance on GDPR which I made use of when considering how GDPR affects the organisations I am involved with.
Churches could look at the fairly comprehensive guidance issued by the Church of England. The advice issued by the Church in Wales was almost entirely based on this advice. The United Reformed Church also published their own advice page.
White Fuse Media is another web design company who have produced some very clear guidelines for charities.
The Information Commissioner’s Office should be the reference point, although their information is of necessity quite general. They have a Guide to the GDPR and also a page relating specifically to charities and to PECR.
And finally…
Don’t Panic! Much has been made of huge fines and punitive action by the Information Commissioner’s Office. The plain fact is that there is no secret data police; the ICO is a small office and there is no way they can check up on every organisation in the UK. If you deliberately flout the law and someone reports you then you can expect a knock at the door. If you make a genuine effort to comply and don’t just ignore it, then you are unlikely to get into any trouble. The ICO wants to help people comply, not just punish them for minor errors.
This information was prepared by Skirrid Systems. It is a distillation of information obtained from many sources, but it is not legal advice. If you are concerned about any aspect of the data protection legislation you should consult a data protection lawyer. Most church bodies have a legal department that you can consult.