General Data Protection Regulation - What you need to know
The General Data Protection Regulation (GDPR) is to come into force on 25 May 2018.
It gives individuals more rights and protection in how their personal data is used by organisations, and as a Church you will need to ensure you are ready for the upcoming changes and that you are compliant with the new regulations.
Please find details below on how ChurchBox is preparing for GDPR. If you have any questions please feel free to call us on 01400 630530.
Data Protection, GDPR and ChurchBox
GDPR places greater obligations on how organisations handle ‘personal data’, so if you gather any information about your church congregation then you will probably need to understand and get ready for GDPR coming into force. As a data processor we have built features into ChurchBox to help you to become compliant. The first part of this page helps you understand GDPR; as you are the data controllers you need to feel happy and comfortable with the data you are collecting. The second part shows how you can use ChurchBox to help stay compliant.
Who does the GDPR apply to?
The GDPR applies to ‘controllers’ and ‘processors’.
A controller (that's you) determines the purposes and means of processing personal data.
A processor (for the data held in ChurchBox that's us) is responsible for processing personal data on behalf of a controller.
If you are a processor, the GDPR places specific legal obligations on you; for example, you are required to maintain records of personal data and processing activities. You will have legal liability if you are responsible for a breach.
However, if you are a controller, you are not relieved of your obligations where a processor is involved – the GDPR places further obligations on you to ensure your contracts with processors comply with the GDPR.
The GDPR applies to processing carried out by organisations operating within the EU. It also applies to organisations outside the EU that offer goods or services to individuals in the EU.
Although we have implemented features to help you with GDPR, the ultimate responsibility for controlling the data within your organisation remains with you. To help, we have created some recommended actions below:
How you can prepare
The ICO will be taking the lead in helping prepare for GDPR coming in and for its enforcement. They have created a document called "12 Steps - Preparing for the General Data Protection Regulation", which you can read in full on their website. Highlights of the 12 steps are below:
Awareness - You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.
Information you hold - You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
Communicating privacy information - You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
Individuals’ rights - You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
Subject access requests - You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
Lawful basis for processing personal data - You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
Consent - You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don’t meet the GDPR standard.
Children - You should start thinking now about whether you need to put systems in place to verify individuals’ ages and to obtain parental or guardian consent for any data processing activity.
Data breaches - You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
Data Protection by Design - You should familiarise yourself now with the ICO’s code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.
Data Protection Officers - You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation’s structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer.
International - If your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.
Our Responsibilities and Data Protection Features
As from April 2018 we will require every church to specify who their data controller is. This could be an individual, or a sub-committee of Trustees. This will help highlight to churches that they need a data controller (or someone acting in that capacity) and it gives us someone to talk to in case any data protection issues arise.
We will ask for specific consent for processing the individual's data with a privacy notice which will be customisable for your Church. New users will need to agree on first login, and existing users will need to accept when they next log in. If you change your policy you can even trigger the consent box to appear again.
Age of Consent
The GDPR states that, if consent is your basis for processing the child’s personal data, a child under the age of 16 can’t give that consent themselves and instead consent is required from a person holding ‘parental responsibility’. This has been reduced in the UK to 13. We ask all new registrations for their DOB so that we can make sure no one under that age will be able to register themselves.
Erasure and Rectification
We provide an option in the user's profile where they can request to be deleted from the system. This is to help with the 'right to be forgotten'. If this request is made, the administrator will be notified and they will be able to log in and complete the process in the admin area to completely remove the user from all ChurchBox systems.
Security and Vulnerabilities
All our services run through SSL, ensuring your data is encrypted as it travels over the net. We also run a suite of penetration tests on our servers and services, ensuring they are protected against vulnerabilities such as SQL injection, CSRF and privilege escalation. See our Security page for how we protect your data.
All features of ChurchBox have been built with privacy in mind. By default, members have to opt in to be shown in the Church Directory, and even then they can choose what information is shared. A member's email address is hidden where possible and forms are provided for inter-member communication. These small features are there to ensure a member's information isn't leaked out where it shouldn't be.
Policies, policies, policies
Accurate and Up to date
Personal data must be accurate and kept up to date. Organisations should have a process for ensuring this. This can be handled automatically in ChurchBox with the click of a button. Check out our video for how to check your members' details.
Although we can't specifically advise on exactly what you need to do to prepare for GDPR, here are some suggestions that you may find useful:
Create a sub-committee of trustees responsible for all aspects of risk within the operations of the charity, and to consider whether one person should be designated to be the lead person responsible for data protection.
Form a team to assess the impact of the GDPR, collect all necessary information, and implement all the policies, procedures and responsibilities required to meet its requirements.