General Data Protection Regulation - What you need to know

The General Data Protection Regulation (GDPR) came into force on 25 May 2018.

It gives individuals more rights and protection in how their personal data is used by organisations, and as a church you need to ensure that you are compliant with it.

Please find details below on how ChurchBox can help you become compliant. If you have any questions please feel free to call us on 01400 630530.

Data Protection, GDPR and ChurchBox

GDPR places greater obligations on how organisations handle 'personal data', so if you gather any information about your church congregation you will probably need to understand your responsibilities under GDPR. As a data processor we have built features into ChurchBox to help you to become compliant. The first part of this page helps you understand GDPR; as you are the data controller, you need to feel happy and comfortable with the data you are collecting. The second part shows how you can use ChurchBox to help you stay compliant.

Who does the GDPR apply to?

Although we have implemented features to help you with GDPR, the ultimate responsibility for controlling the data within your organisation remains with you. To help, we have created some recommended actions below:

Steps to Compliance

The ICO is responsible for helping embed GDPR and for its enforcement. They have created a document called "12 Steps - Preparing for the General Data Protection Regulation" which you can read in full on their website by clicking here. Here are highlights of the 12 steps:

  1. Awareness - You should make sure that decision makers and key people in your organisation are aware that the law is changing to the GDPR. They need to appreciate the impact this is likely to have.
  2. Information you hold - You should document what personal data you hold, where it came from and who you share it with. You may need to organise an information audit.
  3. Communicating privacy information - You should review your current privacy notices and put a plan in place for making any necessary changes in time for GDPR implementation.
  4. Individuals' rights - You should check your procedures to ensure they cover all the rights individuals have, including how you would delete personal data or provide data electronically and in a commonly used format.
  5. Subject access requests - You should update your procedures and plan how you will handle requests within the new timescales and provide any additional information.
  6. Lawful basis for processing personal data - You should identify the lawful basis for your processing activity in the GDPR, document it and update your privacy notice to explain it.
  7. Consent - You should review how you seek, record and manage consent and whether you need to make any changes. Refresh existing consents now if they don't meet the GDPR standard.
  8. Children - You should start thinking now about whether you need to put systems in place to verify individuals' ages and to obtain parental or guardian consent for any data processing activity.
  9. Data breaches - You should make sure you have the right procedures in place to detect, report and investigate a personal data breach.
  10. Data Protection by Design - You should familiarise yourself now with the ICO's code of practice on Privacy Impact Assessments as well as the latest guidance from the Article 29 Working Party, and work out how and when to implement them in your organisation.
  11. Data Protection Officers - You should designate someone to take responsibility for data protection compliance and assess where this role will sit within your organisation's structure and governance arrangements. You should consider whether you are required to formally designate a Data Protection Officer.
  12. International - If your organisation operates in more than one EU member state (i.e. you carry out cross-border processing), you should determine your lead data protection supervisory authority. Article 29 Working Party guidelines will help you do this.

Our Responsibilities and Data Protection Features

Data Controllers

Since April 2018 we have required every church to specify who their data controller is. This could be an individual or a sub-committee of trustees. This highlights to churches that they need a data controller (or someone acting in that capacity), and it gives us someone to talk to in case any data protection issues arise.

We ask for specific consent for processing individuals' data with a privacy notice which is customisable for your church. New users need to agree on first login, and existing users need to accept when they next log in. If you change your policy you can trigger the consent box to appear again.
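The behaviour described above (consent tied to a specific version of the privacy notice, prompted on first or next login, and re-prompted when the notice changes) is easiest to get right if each consent record stores the notice version it was given for. The following is an added illustration of that design, not ChurchBox's own code; the class and function names are hypothetical.

```python
"""Consent records keyed by privacy-notice version (added example, not ChurchBox code)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass
class ConsentRecord:
    user_id: str
    notice_version: str   # the exact version of the privacy notice the user saw
    accepted_at: datetime


@dataclass
class ConsentLedger:
    current_version: str
    latest: Dict[str, ConsentRecord] = field(default_factory=dict)
    history: List[ConsentRecord] = field(default_factory=list)  # kept as evidence of consent

    def needs_consent(self, user_id: str) -> bool:
        """True for a brand-new user, or for anyone whose last acceptance
        was for an older version of the notice."""
        rec = self.latest.get(user_id)
        return rec is None or rec.notice_version != self.current_version

    def record_acceptance(self, user_id: str, accepted_version: str,
                          now: Optional[datetime] = None) -> ConsentRecord:
        """Store an acceptance. The version the user clicked through must be the
        version currently published; a stale form submission must not count."""
        if accepted_version != self.current_version:
            raise ValueError(
                f"user accepted notice {accepted_version!r} but current is {self.current_version!r}")
        rec = ConsentRecord(user_id, accepted_version, now or datetime.now(timezone.utc))
        self.latest[user_id] = rec
        self.history.append(rec)
        return rec

    def publish_new_version(self, new_version: str) -> None:
        """Change the notice. Old records are retained for audit; because they no
        longer match current_version, every user is prompted again at next login."""
        if new_version == self.current_version:
            raise ValueError("new version must differ from the current one")
        self.current_version = new_version


def login(ledger: ConsentLedger, user_id: str, user_accepts: bool) -> str:
    """Login gate: returns 'granted' or 'blocked'. The consent box is only shown
    when needs_consent() says so, and declining keeps the user out."""
    if not ledger.needs_consent(user_id):
        return "granted"
    if not user_accepts:
        return "blocked"
    ledger.record_acceptance(user_id, ledger.current_version)
    return "granted"


if __name__ == "__main__":
    ledger = ConsentLedger(current_version="2018-05")
    print(login(ledger, "alice", user_accepts=True))   # first login: prompted, accepts
    print(login(ledger, "alice", user_accepts=False))  # not prompted again, so still granted
    ledger.publish_new_version("2024-01")
    print(login(ledger, "alice", user_accepts=False))  # re-prompted, declines: blocked
```

Keeping the full history rather than overwriting the latest record is what lets the controller later show which wording a member agreed to and when, which is the evidence the ICO's "record and manage consent" step asks for.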

Age of Consent

The GDPR states that, if consent is your basis for processing a child's personal data, a child under the age of 16 can't give that consent themselves; instead consent is required from a person holding 'parental responsibility'. The UK has reduced this age to 13. We ask all new registrations for their date of birth (DOB) so that we can make sure no one under that age is able to register themselves.
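A date-of-birth gate like the one described above has to compute age correctly on the boundary days (the birthday itself, and a 29 February birthday in a non-leap year), and it should reject unparseable or future dates rather than treating them as adults. This is an added example of such a check, not ChurchBox's own code; the function names and the assumption that the form submits an ISO date string are mine.

```python
"""Age-of-consent check for self-registration (added example, not ChurchBox code)."""
from datetime import date
from typing import Tuple

MIN_SELF_REGISTRATION_AGE = 13  # UK age of digital consent, as stated on the page


def age_on(dob: date, today: date) -> int:
    """Whole years from dob to today. The birthday counts as reached on the day itself.
    A 29 February birthday is treated as falling on 1 March in non-leap years."""
    years = today.year - dob.year
    try:
        birthday_this_year = dob.replace(year=today.year)
    except ValueError:  # 29 Feb does not exist this year
        birthday_this_year = date(today.year, 3, 1)
    if today < birthday_this_year:
        years -= 1
    return years


def can_self_register(dob_text: str, today: date,
                      min_age: int = MIN_SELF_REGISTRATION_AGE) -> Tuple[bool, str]:
    """Returns (allowed, reason). Assumes the form submits the DOB as YYYY-MM-DD."""
    try:
        dob = date.fromisoformat(dob_text)
    except ValueError:
        return False, "date of birth is not a valid date"
    if dob > today:
        return False, "date of birth is in the future"
    if age_on(dob, today) < min_age:
        return False, f"under {min_age}: consent from a holder of parental responsibility is required"
    return True, "ok"


if __name__ == "__main__":
    today = date(2024, 5, 25)
    for dob in ("2011-05-25", "2011-05-26", "2012-02-29", "2030-01-01", "2011-13-01"):
        print(dob, can_self_register(dob, today))
```

Passing `today` in explicitly (rather than calling `date.today()` inside) keeps the check testable and makes it obvious that the server's clock, not a value from the client, decides the outcome.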

Erasure and Rectification

We provide an option in the user's profile where they can request to be deleted from the system. This helps with the 'right to be forgotten'. When such a request is made the administrator is notified, and they can log in and complete the process in the admin area to remove the user from all ChurchBox systems.

Security and Vulnerabilities

All our services run over TLS (HTTPS), so your data is encrypted as it travels over the internet. We also run a suite of penetration tests against our servers and services to check that they are protected against vulnerabilities such as SQL injection, CSRF and privilege escalation. See our Security page for how we protect your data.

Read more about Security

Data Protection by design

All features of ChurchBox have been built with privacy in mind. By default, members have to opt in to be shown in the Church Directory, and even then they can choose what information is shared. A member's email address is hidden where possible, and forms are provided for inter-member communication so that addresses need not be exposed. These small features are there to ensure a member's information isn't leaked where it shouldn't be.

Policies, policies, policies

As a data controller, you should have a Data Processing contract with your data processor. You can download your Data Processing Agreement from your ChurchBox instance in the Admin Area. It will also be provided in your welcome email. You can also view our Data Privacy and Cookie Policy here and can view our Data Protection Policy here.

Accurate and Up to date

Personal data must be accurate and kept up to date, and organisations should have a process for ensuring this. In ChurchBox this can be handled with the click of a button. Check out our video on how to check your members' details.

Watch Video

Recommended Actions

Although we can't advise on exactly what you need to do to be compliant with GDPR, here are some suggestions that you may find useful:

  1. Create a sub-committee of trustees responsible for all aspects of risk within the operations of the charity, and to consider whether one person should be designated to be the lead person responsible for data protection
  2. Form a team to assess the impact of the GDPR, collect all necessary information, and implement all the policies, procedures and responsibilities required to meet its requirements
  3. Read the “ICO Guide to GDPR” here
  4. Read the ICO “GDPR: 12 Steps to take now” and follow the advice by clicking here
  5. Create all the necessary policies, procedures, roles & responsibilities for your church
  6. Identify ‘real-world’ scenarios and review your new data protection system
  7. Consider registering with the ICO

ChurchBox: Church Administration powered by Church123

ChurchBox © Copyright 2011 - 2024   |   Contact Us