Many churches and dioceses in the United States are subject to the “General Data Protection Regulation,” better known as GDPR, if they meet specific criteria.
The first question to ask is: “Does our congregation have members who are citizens or residents of any country in the European Union (EU)?” Such members can be short-timers: perhaps they are working for a company for three months, a year, or multiple years, are now attending your church in your diocese or conference, are living in the United States, and are in your database. Do you have members of your congregation who have “retired” for a period of time, are now living in the EU, and remain current in your database, receiving periodic newsletters, church information, and related notices? If you have even one EU citizen or resident in your email list, database, or application system, you are subject to the GDPR rules.
So, you ask: What is GDPR?
GDPR stands for General Data Protection Regulation. GDPR is a European regulation designed to protect the data of consumers and to give consumers more control over their personal data.
Any organization including churches ‘handling’ personal data of citizens or residents of the European Union (EU) must comply with GDPR. The key here is “citizen or resident.” If you have citizens of any EU country living in the United States and attending your church, and your church “handles” data that pertains to them, your church is subject to GDPR.
The GDPR requires organizations such as churches, dioceses, conferences, synods, and presbyteries along with all commercial entities, to keep “accurate and up-to-date records.” These records must be continually monitored and in compliance with GDPR standards.
So you are now scratching your head and are saying “what data do I have to monitor?”
Here are some examples:
• name, address, social security number, age;
• an e-mail address field on a contact form or contribution/tithe page;
• records of individuals logging onto your website;
• a database with financial information;
• event sign-ups; and
• personal information stored in a database.
“Personal data” for all practical purposes means any information relating to an identified or identifiable natural person (your IT people will refer to this as the ‘data subject’). GDPR states that an identifiable person is one who can be identified, by any means, directly or indirectly, through a reference ID, number, or symbol tied to another identifier such as a combination of their names (first initial and last name, full name, or any combination). It also includes the use of an identification number or code, geographical location data, an online identifier such as a person’s login ID, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person. Yes, that about covers everything imaginable!
Then the next question you ask: Do we process any of the information (data) of people in our congregation, in particular the citizens of the EU?
“Processing” is the operative word. It means any manual or computer operation or set of operations performed on personal data or on sets of personal data, whether or not by automated means, such as weekly collections or the recording of events such as baptisms, confirmations, marriages, births, and deaths. In the world of GDPR, “processing” also covers how you and your technology people structure and store the data, and what forms of adaptation, alteration, and retrieval of data you perform. How do you use the data: for a mailing list, for notices, for financial records, for sharing? Is there any disclosure by transmission of data via the internet? Do you make the data available for other ministers to view, align it with other data, manipulate the data, or any combination thereof? Lastly, what restriction, erasure, or destruction of data is performed? And the big question here is: Did the people give you consent to use their data?
Does your church have a website?
For websites, GDPR requires website owners to inform visitors:
1. which personal data is being collected;
2. what the information is being used for;
3. who is handling the data;
4. how the data was obtained; and
5. how and where the data is stored.
This is most commonly done via a privacy policy on your website. You may have noticed that as you update your information on a mobile phone or computer website, you are asked a series of questions by various companies, including social media companies. They are informing you and asking for consent. They do this because they are subject to GDPR, and many companies simply apply the rules to everyone rather than maintaining multiple systems and databases.
So what do you do?
For starters:
• Look into all of the different ways in which you are collecting congregational data.
• Put mechanisms in place to make sure that users can control their own data.
• Avoid collecting user data where it’s not necessary.
• Most importantly of all, even if you are using third-party tools and solutions such as cloud services, application service providers, etc., you need to make sure that all those entities are GDPR compliant as well. There is no “passing the buck” to someone else when it comes to being compliant with GDPR.
Next week we will take a look at where to begin fixing your situation and becoming compliant with GDPR.