This is a continuation from last week.

IT has changed the world more so in the last five years that the previous twenty-five. We live in a world of an always-on, always-connected and that means the old communication models, the early church planting models, the church discipleship models are being disrupted daily. Congregations are expecting more of our ministry and the world is getting smaller and ever more connected than before. IT operating model are become more and more fractured under the digital demands of their congregations, middle governing bodies and partners. Data is the new oil in the modern world. Congregational information is as valuable if not more so than the data in financial institutions. Congregational data is often very personal and not just regarding identity but more about what makes us who we are in the modern world. Protecting information is all about being biblically faithful to our congregations. Just as the early church was open and sharing amongst the community of  Christians, we see in history a sense of protection from those who would do them harm.  In today’s world “harm” can be accomplished via the internet.  As we said last week: “There is no “passing the buck” to someone else when it comes to being compliant with “GDPR.”  Privacy of data is a new imperative for all churches and religious organizations.

What are the first steps?

There are two-stages you must think through. Stage 1 scour through your databases, mailing list, the book of records and all the various places in all the electronic filing systems and paper systems to determine if you have members of the EU. Stage 2 is what do you do with the data you find.

Let’s start with the email list (In-house, Constant Contact/MailChimp, etc.)

1. Segment your mailing list by country location, into people who are permanent residents in the EU/UK, EU/Germany, etc. (including those whose location is unknown create an unknown segment) and outside the EU such as Canada, Australia because they will be creating similar GDPR rules soon. If you are using Constant Contact/Mailchimp setc., they have hands-on experience with this, and if you reach out to them, they should be able to help with this if you find it a tad jaunting.
2. Next send an email s to list members in the country EU segments you created and in unknown, Canada and Australia locations and ask them to consent to continue receiving your emails going forward.
3. Note the responses and remove anyone in the EU/Unknown segment of your list who has not given consent. You absolutely need affirmative consent. There is no speculation or second-guessing. Having the “Unsubscribe” button on the email *may* not be sufficient for compliance.

Ok, you are scratching your head and saying, BUT I need to process the information, and they are not responding. What should I do?

If you do not get this consent, you will need to document the legal basis for why you are keeping/processing personal data based on one of 6 criteria:

1. direct permission from the individual;
2. the necessity to perform a contract;
3 protecting the vital interests of the individual;
4. the legal obligations of the organization;
5. necessary for the public interest; or
6. other legitimate interests of the organization.

Now, what about that website you have for your church, diocese, conference, etc.? For starters do the following four items:

1. put functionality in the websites to notify visitors/users about the use of cookies on the sites, what information is being collected and written, and clear options for opt in/opt out;
2. put functionality in websites to limit Google Analytics data collection of sites in the EU/UK/Germany etc.;
3. review contact and webforms to comply with GDPR; and
4. update the Privacy Policy and Terms of Use on the websites. Yes, you need to have a Privacy Policy on your website. You experience those all the time with all the other sites you visit.

When all that has been accomplished, you are now just beginning to perform the on-going process of maintaining and updating. You must be able to demonstrate and document compliance with GDPR. You will need to show that:

1. You have data protection practices and safeguards in place;
clear transparency and privacy notices regarding personal data;
data security and breach reporting policies;
2. Show that you have performed a general data audit to determine what information is being collected, where it is being collected, and why it is collected;
3. you have cleanup data in databases and website accounts and determine criteria for keeping/deleting;
4. Established contracts with all 3rd party suppliers who are processing data on your behalf (e.g., Constant Contact/MailChimp, Event Brite, Church software that is SaaS-based, etc.); and
5. identify a Data Protection Officer for your church, diocese, presbytery conference, synod or central governing body.

Keep in mind that the list and the steps I have recommended are not by any means exhaustive, and everything you do will need a legal review. Think of this as a good starting point and a good faith effort to comply with the GDPR in addition to being a good steward of your congregation’s personal data.  On your website, you will need a “privacy policy”  explaining to people in ordinary language format, how you handle and use the personal digital data of others.

With all the focus on privacy, something entirely foreign to the early Patristic Church we must not lose sight of what is our mission:

“You are the light of the world. A city built on a hill cannot be hidden. No one after lighting a lamp puts it under the bushel basket, but on the lampstand, and it gives light to all in the house. In the same way, let your light shine before others, so that they may see your good works and give glory to your Father in heaven.” (Matthew 5:14-16)