By now you’ve probably heard about GDPR – the General Data Protection Regulation – that came into legislation in May of 2018. If you’ve not yet heard about it, you can read a good overview here.
If you’re anything like most organisations I’ve witnessed or spoken with about GDPR, you’ve probably taken some steps to protect yourself from the legislative requirements of GDPR – but you may still be struggling to fully understand what GDPR means for your organisation.
This blog post outlines 4 key details:
- What GDPR is.
- What you need to be doing to be GDPR compliant.
- What you might need to change about your data practices to ensure GDPR compliance.
- Why data management is about so much more than GDPR – and how it can help your organisation thrive.
Undoubtedly, the last point is of most importance from our perspective. GDPR compliance is important, but it is only the next step in the fairly short history of the digital revolution brought about by the internet. While compliance matters, the practical management of your data – and understanding how to use it for your benefit – is much more exciting.
What GDPR is
GDPR (the General Data Protection Regulation) is a regulation introduced by the European Parliament that sets the law relating to the collection and management of personal data.
GDPR sets the law on a variety of issues related to personal data – and it was inspired by the realisation that, with the digital age well and truly upon us, legislation is required to govern what can and can’t be done with users’ personal data.
What you need to be doing to be GDPR compliant
It’s worth clarifying that I’m not writing this article from a legal perspective – and legal counsel should always be sought when you’d like to ensure compliance with the law.
What I can offer, however, is a practical insight into how compliance with GDPR is really just a springboard into more effective management of your existing structures and processes.
GDPR is often summarised by 7 key principles:
- Lawfulness, fairness and transparency
- Purpose limitation
- Data minimisation
- Accuracy
- Storage limitation
- Integrity and confidentiality (security)
- Accountability
With churches and charitable organisations specifically in mind, it’s worth thinking about how the administrative structures of your organisation work. Historically, many organisations have operated with good intentions, and on a volunteer basis. This often involves multiple volunteers running separate systems to collate and manage data. Ensuring compliance with GDPR in that manner is almost impossible – and it’s also not particularly practical.
One of the critical elements in ensuring compliance with GDPR is having a centralised database structure in place that supports the collation, management and disposal of personal information. As well as helping to ensure compliance with GDPR legislation, a centralised system will also allow you to ensure that you collate and manage the correct amount of personal information. It also means that you have access to data that will help influence your engagement with your audience – and vice versa!
What you might need to change about your data practices to ensure GDPR compliance.
As referenced above, churches and charitable organisations are often running on the goodwill of an army of volunteers. GDPR requires a more coherent approach to managing data – and this should probably be built around a centralised database.
Some churches are issuing forms to their congregation or supporters to get their permission to store data. While this is a useful measure, it seems like a very temporary solution that also requires a core level of personnel hours to understand and maintain the system.
Many organisations are appointing a data controller to oversee their GDPR compliance – while that is a useful measure, it would also be sensible to consider the key information that you actually want to hold in the first place.
For example, basic information such as name, phone number and e-mail addresses may be useful to have – but have you considered what other information you could hold on a central database that would be useful to the operating functions of your church or organisation?
Having an e-mail address is useful – but being able to offer a variety of options relating to what information members may receive from you will allow you to send more specific emails to segmented groups only, with information that is more relevant to them. That should help you engage users more specifically, reduce opt-outs from your email lists and increase engagement with the key subjects you’d like to communicate.
Mailchimp (and other similar services) will allow recipients to opt in, opt out and manage their preferences at their end. They also provide GDPR compliance features as part of their offering – when used properly!
In summary, it’s worth saying that many of the reasons we now need legislation such as GDPR are down to the explosion of the digital age in which we now live. The same changes that drove the need for legislation are also providing many of the solutions to fit the legal and practical needs of running your church/charity. It will require a culture shift along with practical implementation. It may not be easy – but it certainly offers more long-term benefits for those who are prepared to embrace the changes.
GDPR – Policy and Practice – you’ve got to do both!
Many organisations have rushed to implement a policy in relation to privacy and GDPR, but often the actual day-to-day practices of the organisation haven’t changed to reflect what the policy says. This is a dangerous mistake.
It’s your responsibility to ensure that people within your organisation understand that a new policy is in place, and that there are elements of your day-to-day organisation that will need to change in practice to reflect the policy. While this might be a frustrating process for some, it should always be communicated that the need to update your working practices is an opportunity to review whether or not what you are doing is working.
Why data management is about so much more than GDPR – and how it can help your organisation thrive.
GDPR legislation meets the need for new laws to help protect data and to govern what can and can’t happen with users’ data.
If legal compliance is your only driving factor in how you collate and manage data, then the chances are that you are missing out on some of the key opportunities to engage with your members and supporters in the most comprehensive sense.
The digital age has brought about a lot of changes – and they are not changes that the church should be scared by. Technology has provided ways of engaging with a wider variety of people in a wider variety of places than ever before. It does, of course, have to be used and managed in an effective manner in order to realise those opportunities.
If you’ve taken steps to ensure legal compliance, that’s a useful first step. From there, I’d encourage you to consider some of the following:
- Why are you collating data?
- Who are you collating data from?
- How are different groups or individuals in your organisation collating or using data?
- What do you want to speak to your supporters about?
- What actions do you want them to take?
- Are you using technology to engage people as much as you could?
Websites you may wish to reference:
- The Information Commissioner’s Office (ICO)
Does this only apply to the UK – what about when Brexit happens?
No. GDPR applies throughout Europe, including to organisations that collect data from users in Europe.
Further legislation similar to GDPR is now being introduced in other parts of the world. The CCPA (California Consumer Privacy Act) will come into force in July 2020. Other similar legislation is likely to follow.
What are the penalties for non-compliance?
Heavy penalties have already been enforced against organisations found to be in breach of GDPR legislation. Penalties of approximately 4% of an organisation’s turnover are currently being mentioned as the benchmark, although this will vary with each case.
What about Website Cookies and Privacy Policies?
Separate legislation covers the need for all websites in Europe to have a cookies policy, outlining the cookies in use on each website and giving the user the option to use the website with or without cookie functionality.