Case Study: Data Protection & GDPR

About the author...

Paul, and his wife Fiona, used to lead the Vineyard church in Bournemouth, UK. Paul now heads up customer support and training at ChurchSuite. In this article, he explores data protection compliance and how ChurchSuite's features help churches increase their compliance with the new EU GDPR changes that came into force on 25th May 2018.

A question we're often asked by churches is, "How can our use of ChurchSuite help us comply with Data Protection?" It's a great question, and it's especially reassuring to hear churches asking responsible questions and taking privacy and data protection compliance seriously. Of course, policies and procedures don't feel particularly "kingdom"; they're often perceived as a distraction from the more important "spiritual" matters like pastoral care and discipleship. I too have known the weight of seeming bureaucracy and red tape during my time in church leadership!

In reality, a data protection compliance breach could be potentially disastrous for a church, with huge reputational and financial consequences. As an organisation in the "people" business, a data protection issue in a church can result in people getting hurt, or even worse if safeguarding is compromised. Since the Information Commissioner's Office doesn't do routine inspections, the first time you'll likely know if you've got a problem is when there's been a complaint and your policies and procedures come under their scrutiny. The Data Protection Act 1998 (DPA) already imposes significant penalties for data protection compliance failures, non-compliance, and non-disclosure. The new EU General Data Protection Regulation (GDPR) penalties are even higher!

Of course, most of us are not legal experts so navigating the path of compliance seems far from straightforward. Hardly a week goes by without a story in the news of a bank or other corporate giant succumbing to a security attack resulting in a data breach. Fraudsters are becoming more and more elaborate in their attacks - brute force penetration attempts at the front door, but also highly sophisticated back door intrusion attempts through phishing scams. For those who don't know what "phishing" is, it's when you get an email purporting to be from someone important, like your bank, inviting you to take some seemingly harmless action like verifying your security details or sharing some personal data to confirm your identity. The unsuspecting recipient duly clicks the link in the email and submits the requested verification information, not realising that the email wasn't actually from a legitimate source. Now the fraudsters have all they need to enter by the front door - it's like leaving the key under the mat!

It's tempting to think that churches are low risk - after all, who'd be interested in the list of event sign-ups for the mid-week seniors' luncheon club run in the church hall? But personal data is incredibly valuable - it's currency, sold on the black market and used for unscrupulous means. Probably most fraudsters are not interested in your church, but they are very interested in the people that might be in your church, and you hold the keys to some of their contact details.

At the other end of the spectrum, an inadvertent breach of confidentiality by a well-meaning staff member can also constitute a breach of privacy - that printed report left lying on a staff member's desk picked up by the wrong person, a home address inadvertently given out over the telephone without permission, an email containing sensitive information sent to the wrong recipient by mistake, or worse, sent to the entire church!

As sophisticated as computer and internet security might be - and ChurchSuite has incredibly sophisticated security protocols and encryption of your data - what do we do about the naive or complacent staff member that saves passwords in their browsers, or leaves their phone or computer unlocked and unattended? This too is like leaving the front door key under the mat!

The UK government has confirmed that Britain's decision to leave the EU will not affect the commencement of the GDPR. In this article, I'll focus primarily on data protection and compliance as it relates to a church's use of ChurchSuite, however, it's important to remember that both the Data Protection Act 1998 (DPA) and the upcoming General Data Protection Regulation (GDPR) have a scope that goes beyond a church's use of ChurchSuite. For example, in the church that I used to lead, we had personal information on paper in lever-arch files, in filing cabinets, and documents held on various people's computers and devices - everything from spreadsheets to emails to text messages to social media. Data protection compliance applies to all these areas too!

To set some context, it may be helpful to ask, "Whose data is it?" If we believe that the data we hold on our systems belong to us then we are likely going to be resistant to GDPR - someone (the EU!) wants to mess with our toys! On the other hand, if we are 100% clear that each person's personal data belongs to that individual alone, and that we are custodians of their data, then we'll likely have a much healthier (and dare I say, gracious) response to GDPR. When we see ourselves as custodians, charged with a "trust" (just like if we were trusted to look after someone else's child), we'll likely want to do our very best when we receive, store and process people's personal data. I suspect we'll also be more ruthless about removing any data that we don't wish to hold within that trust.

Just to say too, that as much as Data Protection compliance is important to you (we hope!), it's one of our highest priorities at ChurchSuite. We have our policies and procedures that govern data security and the data held on our servers on your behalf. We have strict policies around data access i.e. to provide customer support to a question you're asking, and when troubleshooting issues or bugs. All account access, whether by your users or by the ChurchSuite team if "Support Access" is enabled, is logged and auditable.

ChurchSuite also has elaborate monitoring systems to watch the health and security of each church's account - for example, if too many failed login attempts and the IP address is blocked - we'll know about it first!

At a more practical level, we're ultimately committed to providing churches with a useful ministry tool that enables the kingdom; so we're constantly developing new features and functionality to meet the changing needs of churches, including functionality that lends itself to data protection best practice and compliance. Indeed the new GDPR has prompted us to re-assess all of ChurchSuite's systems and, where appropriate, to introduce new features to help churches in their compliance. We'll cover some of ChurchSuite's "helps" throughout this case study.

So let's begin...

Is GDPR relevant to my Church?

The simple answer is 'yes'. The GDPR applies to both ‘controllers’ and ‘processors’ of data. The definitions are broadly the same as under the DPA – the controller (the church) says how and why personal or sensitive data is processed, and a processor (ChurchSuite) acts on the controller's behalf to carry out processing within the controller's purposes.

Processors in the context of your use of ChurchSuite will include third parties like your external bookkeeper who may carry out certain admin tasks on behalf of your church.

What data is covered by GDPR?

Like the DPA, the GDPR applies primarily to personal data, but it also governs the processing of 'sensitive data', which ordinarily is restricted, but is permitted by religious organisations.

The GDPR’s definitions are much more detailed - much has changed since 1998 in terms of the type of data churches hold, the uses of data, and the methods of storage and transmission. For example, GDPR suggests that even information such as an online identifier like an IP address can now be considered personal data. As you may know, your admin-facing ChurchSuite system logs the IP address of users when they access ChurchSuite and My ChurchSuite - this is part of our security reporting so that you can identify logins from unrecognised IP addresses or devices.

What is the legal basis for processing personal data?

A key feature of GDPR is that churches must have a lawful basis for processing (which includes storing) personal information, and if challenged, be able to justify that basis. Of all the legal bases provided for by GDPR, most churches will rely on the "consent" of the data subject. Additionally, in regards to 'sensitive' data, Article 9 Para 1 says that, "Processing of personal data revealing... [among other things] religious beliefs... is ordinarily prohibited", however, under an exclusion provided in Article 9 Para 2(d), churches (not for profit bodies with a religious aim) are permitted to process sensitive data when it is carried out in the course of its legitimate interests with appropriate safeguards and on condition that the processing relates solely to...

• the members or former members of the church,
• or to persons who have regular contact with it in connection with its purposes,
• ...and that the personal data is not disclosed outside that body without the consent of the data subjects.

This may be good news for some churches. As an alternative to consent, there may be a compelling case for legitimate interest. For example, for maintaining an official membership or electoral roll, and maintaining group lists and rotas. However, if you do plan to further process data beyond legitimate interests, you will likely need another legal basis for processing for that purpose - most likely the explicit, opted-in consent of the data subject.

Under the GDPR there are eight legal bases for processing. No one basis is better than any other. Consent is only appropriate if you can offer people real choice and control over how you will use their data, and want to build their trust and engagement. But if you cannot offer a genuine choice, consent is not appropriate. If you would still process the personal data without consent (e.g. because you have a legitimate interest basis), asking for consent is misleading and inherently unfair, and therefore not compliant with the GDPR.

Ultimately it's for the Data Controller to choose the most appropriate basis/bases for each of their purposes. Therefore "consent" may not be appropriate in every case. For example, you wouldn't likely need to obtain "consent" to share the names of individuals on the Coffee rota or Worship rota with other church members. In this instance, the information is shared with others "to carry out a service to other church members" and so this will likely qualify as a reasonable legitimate interest. Of course, if you intended to communicate about church events to rota members, this non-rota-related processing may not be considered "legitimate interest" (unless the events were rota team or training-related), in which case you might need another basis.

Where churches are processing personal data for children, and where consent is your lawful basis for processing, the GDPR, only children aged 13 or over can provide their consent. For children under this age, you need to get consent from whoever holds parental responsibility for the child. Where churches offer services for children, e.g. free/pay events open to sign-up by children, your privacy notice should be specially written in a clear, plain way that a child will understand.

The key GDPR principles

At the heart of the GDPR are seven key principles - that personal data shall be...

1. processed lawfully, fairly and in a transparent manner about individuals;
2. collected for specified, explicit and legitimate purposes and not further processed in a manner that's incompatible with those purposes; further processing for archiving purposes in the public interest or historical research or statistical purposes shall not be considered to be incompatible with the initial purposes;
3. adequate, relevant and limited to what is necessary for the purposes for which they are processed;
4. accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that's inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay;
5. kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, historical research or statistical purposes subject to the implementation of the appropriate measures required by the GDPR to safeguard the rights and freedoms of individuals (more on this later);
6. processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organisational measures (this also covers secure access to data).
7. the subject of accountability - i.e. the controller shall be responsible for, and be able to demonstrate, compliance with the principles (this is a brand new principle)

Let's explore each of these principles in more detail in the context of your church's use of ChurchSuite...

1. Lawfulness, fairness and transparency

Churches should provide people with information about their personal data processing in a concise, transparent and intelligible manner, which is easily accessible, distinct from other undertakings between the church and the person, using clear and plain language.

Transparency is achieved by keeping the individual informed and this should be done before data is collected and where any subsequent changes are made. It's important to remember that some data isn't always collected directly from individuals, but may be derived from other sources, or observed by tracking. For example, small group attendance and event attendance record keeping would fall under this definition, so churches should make it clear to people that this 'observed' tracking is being recorded about them. The GDPR has a mandatory list of the information that should be given to individuals where data is obtained directly from them, but also where it is obtained indirectly. How you let individuals know about what you are doing will depend both on your methods of communication and your target audience.

The UK's ICO recently updated its Code of Practice on privacy notices, transparency and control to assist with compliance under the GDPR. A traditional privacy policy on a website may fit the bill, but the more complex the use of the data, especially in churches, the more creative and thorough you will need to be. Whatever processes you introduce for compliance, these are needed not only to aid transparency but also to give the people in your church Address Book genuine control and choice, which is essential to fair processing. Pages of small print that people will never read are much less likely to qualify!

2. Collected for specified, explicit and legitimate purposes

Processing personal data is only permissible if and to the extent that it's compliant with the original purpose for which data was collected. Processing “for another purpose” later on requires a further consent.

For example, someone outside your database who signs up for your Alpha Course should not subsequently find themselves being added to your Address Book and end up on your mailing list, or the recipient of follow-up event promotions, without their prior agreement. The only exception to this requirement is where that “other purpose” is “compatible” with the original purpose and is clearly communicated at the point of signing up.

This is open to interpretation, so your church should be able to demonstrate a clear link between the "original purpose" and any subsequent "other purpose". Our suggestion would be to be as clear as possible about possible other purposes at the point someone is signing up for your Alpha Course, and seek consent at the time people are submitting their details (with a genuine default choice to opt-in, not out, of those other purposes) - one way to achieve could be through the use of the custom questions that you can add to event sign-up.

3. Adequate, relevant and limited to what is necessary

This principle suggests that churches should ensure that only personal data that is necessary for the church's specific purposes is processed. This principle is all about the amount of personal data collected, the extent of processing, the period of retention and accessibility.

Churches need to make sure that they collect enough data to achieve their purposes, but not more than is needed. If you don't need to know people's employer, job title, former name, or work telephone number then probably best to not record that information unless people choose to add that information voluntarily, perhaps through My ChurchSuite.

Taking stock #5...

1. Are you using My ChurchSuite, the member-facing platform? For those in your church who do have login access to My ChurchSuite, this is a great way of empowering individuals to take personal responsibility for maintaining their information. My ChurchSuite could therefore be a significant step towards greater GDPR compliance in your church, as people can have a real choice about the extent of personal information they choose to share with your church (as long as you allow the fields to be editable!). Importantly, they can manage their privacy settings and communication preferences, giving them choice over what contact details are shared with other church members within My ChurchSuite e.g. fellow rota members, fellow small group members etc, and what communication methods they are happy to receive from you.

2. Review the standard, optional and custom fields in use in your Address Book and Children module (in the module settings). Does your use of these fields of data fall sufficiently within the "purposes" stated in your Data Protection policy? For example, a custom field for membership status will probably fit neatly within your policy "purposes", but what about any custom fields you've created for more sensitive information like internal safeguarding fields or pastoral flags etc, which people may not be aware you're maintaining?

4. Accurate and kept up to date

Personal data must be accurate and kept up to date – this will be familiar from the EU Data Protection Directive out of which the Data Protection Act was written, and which will be replaced by the GDPR. The basic rule of thumb is that inaccurate or outdated data should be deleted or corrected. This principle should be a significant priority for churches as data controllers; to take, as the Act says, "every reasonable step" to comply.

5. Kept for no longer than is necessary

The DPA and GDPR state that once you no longer need personal data for the purpose for which it was originally collected, you should delete it unless you have other grounds for retaining it. This means there should be a regular review process in place with methodical cleansing of your Address Book, Children module and Giving modules. In my experience, church leaders are 'hoarders'! They like to keep people on the system indefinitely, long after they've left the church - often for not very persuasive reasons.

There are several ways you might identify inactive contacts in your database. Using Smart Tags you may be able to create a set of conditions to match people who fall below a certain level of engagement - for example, to identify those "not in a small group, not serving, not giving, do/don't have certain key dates, custom fields or tags, not logged in to My ChurchSuite for a certain time". Are these candidates for archiving or even deleting?

Data informs decisions, data doesn't determine decisions, so you should use the results carefully and consider how reliable the underlying data is that's generating your smart tag results. In the first instance, you may wish to reach out to the resulting people to establish where they are at and then decide whether they should be archived or deleted.

A discipling church will already be good at using their ChurchSuite data to monitor engagement levels - as a pastor I was keen to move people on in discipleship. But equally important are those becoming disengaged and slipping out of fellowship. We'll want to pursue them to an extent, but is there an appropriate time when we have to accept that they've gone, and either archive or delete their personal data?

One suggestion is to look at your children's group attendance - a great indicator of whether families are still attending, or whether they're slipping out of the community. Changes in small group attendance, serving patterns or giving patterns, event signup and event check-in attendance data can also be used to provide helpful insights into people's engagement.

6. Appropriate security of the personal data

Personal data must be protected against unauthorised access using appropriate organisational and technical measures. This goes to the heart of protecting the privacy of individuals. Data controllers and processors need to assess risk, implement appropriate security for the data concerned and, crucially, check regularly that it is up to date and working effectively.

We do encourage you to familiarise yourself with ChurchSuite's security protocols. Of course, no system can ever promise to be 100% secure, as I said at the start of this article. However, with your data encrypted at rest and during transmission, the risk of personal data being compromised is highly unlikely. But what about your church's internal security measures? In my experience, internal weaknesses are the greatest area of risk, especially with so many potential users and the turnover of volunteers/users. And let's be honest, not everyone is a computer geek like me(!) - most people probably have little understanding of computer security.

7. Accountability

The final principle under the GDPR states that data controllers must be able to demonstrate compliance with the other principles.

This is a brand-new requirement and is basically about being accountable. It's not enough to comply, you have to be seen to be complying and be able to demonstrate it under scrutiny. The range of processes that churches have in place to demonstrate compliance will vary from church to church but may include:

• assessing current practice and developing a data privacy governance structure, which may include appointing a designated Data Protection Officer whose role includes regular data audits and enforcement of policies and procedures appropriate to your church;
• creating a personal data inventory - some of your question responses from this article are about 'taking inventory';
• implementing, updating and communicating your privacy notice at every opportunity (see later);
• obtaining appropriate consent(s) and documenting/logging at every opportunity;
• using appropriate organisational and technical measures to ensure compliance with the data protection principles;
• using Privacy Impact Assessments (not covered in this case study, but referenced in the ICO website guidance);
• creating a breach reporting mechanism and communicating that clearly in your church's data protection policy, and
• educating and training your users so that they have the right knowledge and information.

New rights for individuals

The GDPR establishes some important new rights for individuals (data subjects) and strengthens some of the existing rights that currently exist under the DPA. The GDPR now provides the following rights for individuals:

1. The right to be informed - The right to be informed encompasses your church's obligation to provide fair processing information, typically through a Privacy Notice. It emphasises the need for transparency over how you use people's personal data.
2. The right of access - You must provide, on request, a copy of the personal information you hold free of charge. The removal of the £10 subject access fee is a significant change from the existing rules under the DPA. You also have less time to comply with a subject access request under the GDPR. The information must be provided without delay and at the latest within one month of receipt of a request.
3. The right to rectification - Individuals are entitled to have personal data rectified if it is inaccurate or incomplete.
4. The right to erasure - The right to erasure is also known as the right to be forgotten. The broad principle underpinning this right is to enable an individual to request the entire deletion or removal of all personal data where there is no compelling reason for its continued processing. The right to erasure does not provide an absolute right to be forgotten, but individuals have a right to have personal data erased and to prevent processing in specific circumstances:
   1. Where the personal data is no longer necessary about the purpose for which it was originally collected/processed.
   2. When the individual withdraws consent.
   3. When the individual objects to the processing and there is no overriding legitimate interest in continuing the processing.
5. The right to restrict processing - Under the DPA, individuals have a right to ‘block’ or suppress the processing of personal data. The restriction of processing under the GDPR is similar. When processing is restricted, you are permitted to store the personal data, but not further process it. You can retain just enough information about the individual to ensure that the restriction is respected in future.
6. The right to data portability - The right to data portability allows individuals to obtain and reuse their personal data for their purposes across different online services. It allows them to move, copy or transfer personal data easily from one IT environment to another safely and securely, without hindrance to usability. To fulfil this, you must be able to provide their personal data in a structured, commonly used open format or machine-readable form. "Open formats" include CSV files. "Machine-readable" means that the information is structured so that software can extract specific elements of the data, thereby enabling other organisations to use the data.
7. The right to object - Individuals have the right to object to direct marketing (including profiling) and processing for purposes of historical research and statistics. The GDPR defines "profiling" as any form of automated processing intended to evaluate certain personal aspects of an individual, in particular, to analyse or predict their economic situation, health, personal preferences, reliability, behaviour, location or movements. You may wish to review your use of Smart Tags, which some churches may use for profiling purposes - a good question to ask is "how would you feel if you knew you were in that smart tag?"
8. Rights about automated decision-making and profiling - The GDPR provides safeguards for individuals against the risk that a potentially damaging decision is taken without human intervention. These rights work in a similar way to existing rights under the DPA. You should identify whether any of your church's processing operations constitute automated decision-making and consider whether you need to update your procedures to deal with the requirements of the GDPR. A Smart Tag does not in itself constitute automated profiling, but a Smart Tag may be used in a way to make decisions or determinations about someone based on the presence or absence of matching criteria.

Privacy Notices

The GDPR uses the term ‘Privacy Notice’ to describe all the privacy information that you make available to individuals when you collect information about them. The Information Commissioner's Office (ICO) has produced a helpful document about the Code.

Essentially, if consent is your lawful basis for processing, you need to consider how you will gain and record individuals’ consent if required. There's a fundamental difference between telling a person how you’re going to use their personal information and getting their consent. If your consent mechanism consists solely of an “I agree” box with no supporting information then users are unlikely to be fully informed and the consent will not be considered valid.

When relying on consent, your method of obtaining it should be displayed clearly and prominently, and ask individuals to positively opt-in. In addition, if you are processing information for a range of purposes you should explain the different ways you will use their information, and provide a clear and simple way for them to indicate they agree to different types of processing. In other words, people should not be forced to agree to several types of processing just because your privacy notice only includes an option to agree or disagree with everything! People may wish to consent to their information being used for one purpose but not another.

A good example is providing an event sign-up question where people can select to opt into being added to your Address Book. The best compliance would be that they are treated as opted-out as the default and that they are invited to opt-in as a choice. It may also be helpful to get in the habit of using language such as, "by submitting your details in this online form, you consent to... If you do not wish this... do not submit your details" on public-facing forms such as event sign-up, newcomer connect, online giving etc.

If you're relying on "legitimate interest" as your lawful basis, you should still communicate your privacy notice to those already in your database, and arguably, let them know what information they do have so that this can be reviewed and updated. In this scenario though, having stated your basis is a legitimate interest, you should confuse the data subject by asking for their consent to your privacy notice or the data you hold.

How can ChurchSuite help towards compliance with the GDPR?

The following recommended resources can provide further help with Data Protection and GDPR:

• The ICO (Information Commissioner's Office) website. They also have a GDPR reform section, that has comprehensive coverage of GDPR with regular updates as each consultation takes place.
• Your local UCAN Administrator's network.
• The Evangelical Alliance.
• Legal/professional advice from a Data Protection and/or charity expert - you may have people in your church who can help, or you may need to instruct someone professionally to advise your church. There are some great charity/governance consultants out there that will guide trustees and church teams.
• Overseers or the governing body for your church's affiliation, denomination or stream.
• Other churches in your local area or network.

In addition, between now and the introduction of GDPR, we're committed to developing additional functionality to help you towards greater compliance in your use of ChurchSuite. We're not responsible for your church's compliance (sorry!), but we can give you additional tools and workflows to assist you with compliance and consent. Check out the related "ChurchSuite and GDPR" article for the latest updates.

What next?

We hope the above commentary is helpful as you evaluate your church's compliance with the GDPR. We'll add to and update this case study as new information becomes known. But if you have any questions or suggestions, as always, please do get in touch with the ChurchSuite support team and we'll do our best to help. Email support@churchsuite.com