GDPR Privacy Statement

 A brief introduction to the General Data Protection Regulation (GDPR)

The GDPR will impose significant new burdens on organisations across Europe, including a substantial amount of additional reporting requirements and increased fines and penalties. The UK Government has made clear that after Brexit the UK will continue to adopt a similar standard for data protection as set out in the GDPR.

This Toolkit contains a checklist which covers the actions outlined within it to help you monitor progress. It may be helpful to start by carrying out a data audit - you may be surprised at just how much personal data is stored and processed around the parish. A template questionnaire to help you do this can be found in Appendix 3.


One of the big changes in the law is that you may need to obtain consent from those whose data you store or use. This will apply in most cases to members of the church community (such as ordinary church goers) but not to personal data which is processed in connection with a person’s role in the church (even where the role is voluntary). Those with roles cannot give valid consent because consent has to be freely given, and can be withdrawn at any stage. This is not compatible with the situation in which a person must give consent in order to be appointed, and in which any later withdrawal of the consent would leave the parish in an impossible situation.

The jargon explained:


Personal data is information about a living individual which is capable of identifying that individual. E.g. names, email addresses, photos.


Processing is anything done with/to personal data, including storing it.


The data subject is the person about whom personal data is processed.


The data controller is the person or organisation who determines the how and what of data processing. In a parish this is usually the PCC or Incumbent.

You will need to produce two types of Privacy Notice:


one for church goers and members (a ‘General Privacy Notice’) and one for role holders such as churchwardens, PCC members, volunteers (such as Sunday school teachers) and clergy (a ‘Role Holders Privacy Notice’). If you have a website, it is good practice to make the General Privacy Notice available online so people can access it. We provide a sample of both Privacy Notices in this GDPR Toolkit in Appendix 5. You can amend and adapt the templates to produce your own Privacy Notices. 


The General Privacy Notice should be issued to members of the church with whom you communicate regularly – perhaps by sending a newsletter or asking for donations. It is important that you collect signed copies of the Consent Form which goes with the General Privacy Notice. If you have an interactive website, you may also be able to collect this consent electronically, so long as the Privacy Notice is clearly made available and the data subject has elected to give consent, such as by expressly ticking a checkbox. The Role Holders Privacy Notice does not need to be signed but should be issued to anyone holding a role in your parish (even if voluntary) to make them aware of the processing that may take place.


Finally, whilst you may rely on consent for most of your communications, there will be some data processing you will want to do as part of normal church management for which you will not need to gain specific consent for that particular action - holding lists of group members, for example. This is covered by a special condition under the GDPR for religious not-for-profit bodies, provided the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without consent.
