What do churches need to do about GDPR?

Published: Friday, April 27, 2018


The National Churches Trust has put together information to help churches with GDPR.

On 25 May 2018 the General Data Protection Regulation (GDPR) comes into force, replacing the existing Data Protection Act. The main principles are similar, but there is an increased need to be able to show compliance and accountability. GDPR gives individuals more rights and protection in how their personal data is used by organisations.

Due to the nature of their work, places of worship hold data in many areas: the electoral roll, regular congregants, Gift Aid, Friends groups, committees, youth work, and many more. As with all charities and organisations, it is important that the rules are understood and that steps are taken to ensure they are being followed.

As the deadline edges closer, there is a growing volume of advice and support available. A few of our top tips are below, along with a list of places you can go to for further information.

Some top tips:

  1. Keep a record of what actions you are taking to comply with GDPR. For example, you could log and minute any meetings you have had to discuss GDPR, and keep a record of what training has been attended
  2. Conduct a data audit – identify what information you hold, where, why, how long you keep it for and who you share it with
  3. Ensure sensitive information is securely locked away – in filing cabinets, on password-protected computers, etc.
  4. Have a privacy notice available on your website and in parish magazines, and be sure to let people know about it
  5. Make sure you have consents in place where necessary
  6. Know what steps you would take if there was a data breach
  7. Keep information you hold up to date. If details are out of date, remove them

Helpful further information and guidance is available from: