The General Data Protection Regulation (GDPR) has now replaced the previous law on data protection (the Data Protection Act 1998) and gives individuals more rights and protection in how their personal data is used by organisations.
Parishes must comply with its requirements, just like any other charity or organisation. On this page we cover:
What is GDPR
What is meant by personal data
Steps to take
Training and resources
What is the GDPR?
The General Data Protection Regulations (GDPR) replace the Data Protection Act (DPA 1998) in 2018.
While the GDPR contains all the same principles as the DPA, there are some additional requirements, in particular regarding the need to obtain proper consent to retain personal information about a living individual.
It is no longer acceptable to assume consent or ask individuals to opt out of having their details recorded by an organisation.
The regulations increase the rights of an individual in respect of how their data is kept and includes “the right to be forgotten”.
What is meant by personal data
Personal data is any information relating to an identifiable person who can be directly or indirectly identified in particular, by reference to an identifier.
This definition is more than what historically was understood as personal data and includes identification numbers, location data and on-line identifiers; this reflects the development of technology and the new methods of recording data. The DPA already applies to images including those recorded on CCTV systems.
There are also particular sections that deal with personal data of children.
Steps to take
The actions that parishes and other organisations need to take are:
- Identify what personal information is held.
- Appoint a person to be responsible for GDPR.
- Develop an implementation plan.
- Communicate to staff, volunteers, and those attending activities about GDPR.
Training and resources
We have compiled a number of sources of help to support parishes with their GDPR compliance:
- Rochester Diocese Parish Toolkit, along with a whole host of other resources including sample privacy statements and checklists to ensure you are ready for the changes.
- GDPR e-learning courses are available for anyone within the Church of England structure (dioceses, cathedrals, parishes and other CofE organisations).The courses, delivered by specialist training provider Me Learning, cost £10 + VAT per course.
- Frequently asked questions and answers
- Parish Resources - GDPR
- The Information Commissioner’s Office website
- GDPR and the Electoral Roll
If you have an enquiry relating to GDPR, or would like to make a subject access request, please email: gdpr@rochester.anglican.org