Data Protection and our churches
Many of you will be aware that new data protection law, the General Data Protection Regulation (GDPR), comes into force on 25 May 2018.
This will have profound implications for the way many charities work, especially those with large mailing lists used for fundraising.
Churches will need to work out what they must change as a result of the new legislation. A useful source of information is the website of the Information Commissioner’s Office (ICO), https://ico.org.uk.
There is a huge amount of information on that site, including a detailed overview of the new regulation.
A good place to start for churches and other charities is the ICO’s five top tips for charities, which are reproduced here. We’ll update you as and when we receive any more specific guidance for churches, but we believe that if you follow these top tips you’ll be most of the way to complying with the new law:
ICO Top Five DP Tips for Charities
1. Tell people what you are doing with their data
People should know what you are doing with their information and who it will be shared with. This is a legal requirement (as well as established best practice) so it is important you are open and honest with people about how their data will be used.
2. Make sure your staff are adequately trained
New employees must receive data protection training to explain how they should store and handle personal information. Refresher training should be provided at regular intervals for existing staff.
3. Use strong passwords
There is no point protecting the personal information you hold with a password if that password is easy to guess. All passwords should contain upper and lower case letters, a number and ideally a symbol. This will help to keep your information secure from would-be thieves.
4. Encrypt all portable devices
Make sure all portable devices – such as memory sticks and laptops – used to store personal information are encrypted.
5. Only keep people’s information for as long as necessary
Make sure your organisation has established retention periods in place and set up a process for deleting personal information once it is no longer required.
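Tip 5 asks for a written retention period and a repeatable deletion process. As an added illustration (this is not ICO material, nor code from the original page), the following Python script applies a retention schedule to a small set of constructed records and reports which ones must now be deleted. The categories, the periods in years and the sample records are all assumed for illustration; a church would substitute its own schedule and write it into its data protection policy.

```python
"""Retention purge: find personal-data records whose retention period has passed.

Added illustration only. The categories, retention periods and sample records
below are assumptions for the example, not figures from the ICO.
"""
from dataclasses import dataclass
from datetime import date


@dataclass(frozen=True)
class Record:
    record_id: str
    category: str        # which retention rule applies
    last_activity: date  # when the retention clock starts (last contact, end of membership, etc.)
    name: str            # the personal data itself; never copied into the audit log


# Retention periods in whole years per category. ASSUMED values for illustration;
# a real schedule must be decided by the church and written down.
RETENTION_YEARS = {
    "electoral_roll": 6,
    "gift_aid": 7,
    "mailing_list": 2,
}


def add_years(d: date, years: int) -> date:
    """Shift d forward by `years`, moving 29 February to 1 March when needed."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:  # 29 Feb in a non-leap target year
        return d.replace(year=d.year + years, month=3, day=1)


def expiry_date(rec: Record) -> date:
    """Last day on which the record may still be held."""
    if rec.category not in RETENTION_YEARS:
        # Fail closed: a record with no rule must not be kept forever by accident.
        raise KeyError(f"no retention period defined for category {rec.category!r}")
    return add_years(rec.last_activity, RETENTION_YEARS[rec.category])


def purge(records, today):
    """Split records into (kept, deletion_log) as of `today`.

    The log proves a deletion happened (id, category, expiry) without
    retaining the personal data it is meant to remove.
    """
    kept, log = [], []
    for rec in records:
        exp = expiry_date(rec)
        if today > exp:
            log.append(
                f"{today.isoformat()} deleted {rec.record_id} "
                f"({rec.category}, expired {exp.isoformat()})"
            )
        else:
            kept.append(rec)
    return kept, log


# Constructed sample data (fictitious people) and an assumed review date.
REVIEW_DATE = date(2018, 5, 25)
SAMPLE = [
    Record("r1", "mailing_list", date(2015, 1, 10), "A. Example"),   # expired 2017-01-10
    Record("r2", "mailing_list", date(2017, 3, 1), "B. Example"),    # expires 2019-03-01
    Record("r3", "electoral_roll", date(2011, 4, 30), "C. Example"), # expired 2017-04-30
    Record("r4", "gift_aid", date(2012, 2, 29), "D. Example"),       # expires 2019-03-01 (leap day handled)
]


def expiry_iso(rec: Record) -> str:
    """Helper returning the expiry date as an ISO string."""
    return expiry_date(rec).isoformat()


if __name__ == "__main__":
    kept, log = purge(SAMPLE, REVIEW_DATE)
    print("kept:", [r.record_id for r in kept])
    print("\n".join(log))
```

Two design points matter more than the dates themselves: an unclassified record raises an error rather than being silently kept, and the audit trail records only identifiers, so the log of deletions does not become one more copy of the personal data.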
Other ICO resources and guidance
A wide range of other resources and guidance is available on the ICO website relating to current DP requirements, including charity-specific guidance. You can also access GDPR material (not yet charity specific) including toolkits, self-assessment tools and ‘myth-busting’