‘In May this year, Europe’s data protection rules will undergo their biggest changes in two decades. Since they were created in the 90s, the amount of digital information we create, capture, and store has vastly increased … the old regime was no longer fit for purpose’.1
Whilst many might see this as media exaggeration, and many Christians may think it irrelevant as far as their spiritual activity is concerned, those engaged in business will have some appreciation of the amount of time, energy, and expense that organizations are investing in the matter. Is this all hype? Can we ignore it?
The European General Data Protection Regulation (GDPR), which will come into force on 25th May 2018, will change how businesses and public sector organizations can handle the information of customers. Whether we like it or not, local churches are regarded as ‘public sector or charitable organizations’ and are included in the scope of this new regulation. Equally, if, like Precious Seed, you have a database of subscribers to whom you mail out literature, or run a Christian youth camp that collects data on children’s medical and dietary requirements, or just simply hold data that enables an individual to be identified2 for other than household usage, your activity could come under scrutiny. It should be noted, too, that, ‘The GDPR applies to both automated personal data and to manual filing systems where personal data are accessible according to specific criteria’.3
A summary of the six basic principles is that data should be:
Whilst some, or all of these principles may be familiar to those who have worked with the Data Protection Act 1998, it is the last of these that will be applied with greater rigour and penalty for infringement in the future, particularly when the data may involve young or vulnerable people. Another area of significant change is in the area of ‘consent’.7
The person whose data you hold must have consented to you holding it. That you have positively sought that consent – asking the individual to opt-in – and have expressed the way in which you intend to use their data, is essential. The clarity of the language at this stage is vitally important. Records of that consent should be kept and the individual must be clear that they have the right to withdraw consent as well as to check and, if necessary, amend any data that you hold. No charge can be made if an information request is made, and you have one month in which to comply with that request.
It should be appreciated that a single page article cannot cover all the issues that this far-reaching piece of legislation will affect. The purpose is to highlight its impending application and to point the reader to areas where appropriate and up-to-date advice can be obtained.
The Information Commissioner’s Office website contains an in-depth treatment of the regulation. It can be accessed at https://ico.org.uk
The section dealing specifically with charities is here: https://ico.org.uk/for-organisations/charity
What are called ‘the twelve steps’ in preparation for the GDPR can be accessed here: https://ico.org.uk/media/for-organisations/documents/1624219/preparing-for-the-gdpr-12-steps.pdf
A complete data protection self-assessment section is available here: https://ico.org.uk/for-organisations/resources-and-support/data-protection-self-assessment
This is particularly helpful in determining what you may need to do to make your organization or activity compliant.
Finally, there is a phone service aimed at providing guidance to people running charities. Known as the ICO helpline, it can be accessed from within the UK by dialling 0303 123 1113 and selecting option 4. The line is staffed by those who can offer appropriate support on preparing for the General Data Protection Regulation, current data protection rules and other legislation regulated by the ICO, including electronic marketing and Freedom of Information.
This is the regulation’s definition of ‘personal data’. See https://ico.org.uk/for-organisations/guide-to-the-general-data-protection-regulation-gdpr/key-definitions/
Your Basket Is Empty