ChurchSuite's Ongoing Consent feature can help simplify the process of obtaining consent for those in the Address Book and Children modules, helping you comply with the UK Data Protection Act 2018 and EU General Data Protection Regulation 2018 (GDPR).
In this article
Overview of the consent workflow
Adding your privacy notice
Customising the My Consent form
Customising the consent request email
Sending consent requests to multiple people
Sending individual consent requests
Managing ongoing consent for those without an email address
Managing/reporting ongoing consents received and consent outstanding
Question: Before proceeding, is consent the correct lawful basis for us?
Please take time to read this support article carefully before sending consent requests. Consent is one of eight lawful bases for processing personal information under the GDPR. Consent is only appropriate if you can offer people real choice and control over how you will use their data, and if you want to build their trust and engagement. Where you are unable to offer a genuine choice, consent may not be appropriate. For example, if you would still process personal data because you have a legitimate interest or legal obligation, asking for consent is considered misleading and inherently unfair, and therefore not compliant with the GDPR. For UK organisations, further ICO guidance can be found here.
Important! Make sure you have an approved, compliant privacy notice suitable for your purposes before you send consent requests. If there's no privacy notice, people cannot fairly give consent.
GDPR consent is not necessarily the same as parental consent in the context of children and young people, although there is often overlap in the information you request from parents. While some customisation of the consent request email and My Consent form is possible, the Ongoing Consent functionality may not best suit your full parental consent processes. The functionality described in this article is primarily intended for data protection consent under the GDPR. See our related support article on Creating customisable Forms, which may be better suited to parental consent scenarios.
Overview of the consent workflow
The use of the My Consent functionality in this article is independent of the member-facing My ChurchSuite and does not require your organisation or members to be using My ChurchSuite in order to send consent requests. The best compliance with the GDPR is when data subjects can manage their own data, which is what My ChurchSuite is primarily designed for. Without access to My ChurchSuite, data subjects will only be able to manage their data when they receive a consent request (explained in this article), when submitting their personal information as a newcomer using the My Details form running at your Information Point through Connect, or when using the Address Book Embed. We therefore encourage you to make My ChurchSuite available to those in your ChurchSuite database for best compliance, and to reduce some of the office administration, since data subjects can then manage their personal information themselves.
You can send consent requests to individuals, groupings of people (perhaps in a Tag) or all contacts and children if you wish. This can be done from a contact's profile in the Address Book, a child's profile in the Children module, or the Communication section of the respective module.
Embedded in the consent request email is a personal link to the recipient's own My Consent form. The My Consent form lists all the personal data you hold for that person displayed in a partially-obfuscated (starred out) format. Internal-use 'legitimate interest' data like notes, key dates, tags and flows are not shown in the form although you will likely need to explain this type of processing in your organisation's privacy notice.
Contacts and their children can then easily review their personal information on the My Consent form - making corrections, adding missing information, or removing data they no longer wish you to process. They can also review their Privacy Settings (if My ChurchSuite access is enabled) and their Communication Options, before finally ticking the checkbox to confirm they have read your privacy notice and submit the completed form; or, they can request that their account be deleted from your ChurchSuite account. Your privacy notice should make the process clear for those invoking their right to be forgotten, but remember that the right to be forgotten is not the same as a request for their data to be deleted from ChurchSuite (this is further explained in the related support article).
Where the consent form response is submitted (and consent is given) any changes made on the form by the data subject are updated on their profile in ChurchSuite, with a change log added. A helpful 'Ongoing Consent' Key Date is added against the person's profile, and as a double consent confirmation, the data subject receives a Success email that includes a snapshot of the My Consent form they submitted. The sent success email is added to the person's Communication log and serves as further evidence of consent.
If a consent request recipient selects Delete account, an email is sent to your organisation's designated Data Protection contact (set in Administrator > Profile) so that you can follow your preferred internal pastoral and administrative workflows for removing data held on ChurchSuite - unless you have an overriding lawful basis for continuing to process some or all of their personal information. The 'delete account' request will never auto-delete a person - this can only be actioned by a User after review and due consideration of the request.
The process for obtaining ongoing consent from adult contacts and children is identical. Each data subject will receive a separate personalised consent request email and each individual has their own My Consent form. As part of the ChurchSuite consent form 'submission' workflow the data subject is required to type their name (like a digital signature); meaning that you will know whether the My Consent form was completed by the data subject or by a spouse/partner or a parent on behalf of their child. Do remember that children over the age of consent (13+ years under the EU GDPR) may be able to provide their own consent, or a parent or adult with parental responsibility may consent on the child's behalf. The name of the My Consent form's submitter is included in the 'consent' Key Date that is added, along with the date/time of consent, the IP address of the submitter and the consent method (i.e. the "My Consent" form, as opposed to a paper-based consent perhaps recorded by one of your Users). Where your organisation has multiple consent-gathering admin workflows - perhaps a paper-based system for those who don't have an email address - you may wish to make use of the Ongoing Consent key date for those processes too - in this way a single 'Ongoing Consent' key date instance will help you determine those that have or have not yet provided you with ongoing consent.
Where consent is your lawful basis for processing, for best compliance, and certainly when your organisation's processing purposes change, you can send an ongoing consent request form again at any time.
What's your legal basis for processing personal data?
Under the GDPR, there are eight lawful bases for processing personal data - consent is one basis - but this may not be the best or most appropriate basis depending on how you process information. As Data Controller your organisation's privacy notice will outline 1) the lawful basis/bases for processing the different types of personal data you hold, and 2) the purposes for processing. If your purposes change, you may be able to continue processing under the original lawful basis if your new purpose is compatible with the initial purpose, unless your original lawful basis was consent. You will always need to gain new consent if your purposes change.
The GDPR imposes extensive accountability and transparency requirements for Data Controllers. You should therefore make sure you document your lawful basis/bases for processing so that you can demonstrate compliance (known as a Data Protection Impact Assessment). You must also inform data subjects upfront about your lawful bases for processing their data by including it in your Privacy Notice. Your privacy notice should be easily accessible every time people are asked to provide or submit personal information to your organisation. All ChurchSuite public-facing forms always make available your privacy notice and do not allow data submission through a form unless the data subject ticks to confirm they have read, understood and accept your privacy notice.
Adding your privacy notice
Your organisation's privacy notice will be made available on all public-facing forms where people will submit personal data, including visitor child check-in, event sign-up, small group embed sign-up, Donate, the Connect My Details form, the Address Book Embed form, and in My ChurchSuite - it's also included on the My Consent form. Remember, a data subject cannot be deemed to have fairly consented if your privacy notice was not available at the time they submitted their personal information. The privacy notice is added in the Administrator section of your ChurchSuite account, within the Profile area.
In the Data Protection section, you can add a Title, which displays on public-facing forms after the "I accept your [Title]" consent checkbox, along with some Help text to briefly explain why you require acceptance. You can then add the data protection Statement itself - essentially your privacy notice - which is shown in a pop-up window when someone clicks the "view privacy notice" link on a form they are completing. Once added, people will be unable to submit a form without first confirming they accept your privacy notice. A confirmation checkbox will not be present on any form until a Data Protection statement is added to ChurchSuite.
Save your changes before navigating away from the Profile page.
Customising the My Consent form
The My Consent form is very similar to the My Details page in My ChurchSuite that members use to manage their personal data (and that of their children in the My Children section there). The My Consent form respects the same settings as My ChurchSuite - if fields are editable in My ChurchSuite then they will also be editable on the My Consent form; similarly, if you have fields that are set as non-editable or not visible in My ChurchSuite they will not be editable or visible on the My Consent form.
Since best compliance with the GDPR is when a data subject can manage all their personal data, you may wish to review your My ChurchSuite settings for the Address Book and Children modules so that all fields for which you collect personal data are both visible and editable in My ChurchSuite and therefore visible and editable on the My Consent form too. Of course, any internal-use custom fields can be set not visible in My ChurchSuite, or you may wish to set them visible, but not editable. A good example may be a "membership status" custom field that you maintain for internal use that you select to be visible in My ChurchSuite, but you probably don't want this editable! Best compliance is to be as transparent as possible about the personal data you hold, perhaps by setting custom fields visible, even though the member cannot change the data themselves - in this way mistakes or incorrect data can more easily be identified and rectified (the "right to rectify" is also a data subject's right under the GDPR).
Scroll down the page to the Communication Message and Privacy Message section - click Edit to make changes. These two customisable messages display on the Communication and Privacy tabs in My ChurchSuite on the My Details and My Children sections - but they also surface on the My Consent form. Add a custom message to each section, ideally using language and terminology that is already familiar to your members and worded appropriately for both adults and children to easily understand.
Privacy options are not shown on the child consent form; they appear only for contacts who have Allow My ChurchSuite login enabled or who have any of their privacy options set as visible, since only adult contacts can currently access My ChurchSuite.
Note: If you are not yet using My ChurchSuite you should either disable My ChurchSuite access in the Address Book Module Options or use the Communication Options report (in the Address Book module's Reports section) to set all the currently "visible" privacy options (name, email, address, phone, mobile) and the "Allow My ChurchSuite login" to off/not visible for all contacts.
Top Tip! Child consent
Do make sure that the language you use for these messages is clear and concise. Where you are relying on a child's consent, the GDPR expects the language to be easy for children to understand - they have the same rights as adults in respect of their personal data. This includes the right to access their personal data, the right to request rectification, the right to object to processing, and the right to have their personal data erased if they wish, so it's important that they clearly understand how their personal data is used and their rights. Their consent could be considered unfair or unlawfully obtained if the language is deemed too complex for them to understand.
Switching to the Consent Options tab, click Edit to add your own custom content to each field/section, ideally using language and terminology that is already familiar to your members. Begin by customising the consent form Title and the [Welcome] Message that shows in the form Header.
Continuing down the Consent Options, optionally customise the Consent Form's Footer message and the Success message. You can also add a Success Email by first creating a Preset email (in Administrator > Presets). ChurchSuite will append a snapshot of the submitted My Consent form to your preset email. If no preset success email is created, ChurchSuite will send the form snapshot as a standalone confirmation email. The 'From' address in the ChurchSuite-generated email will be your organisation's designated Data Protection contact (set in Administrator > Profile), but if you create a Preset success email, you can specify the 'From' address.
The Footer Message is shown like this on the My Consent form.
The Success Message displays on the screen when someone submits their details.
Customising the consent request email
The ongoing consent process begins with sending a Consent Request email. There are two Preset emails - one for Address Book contacts and one for children in your Children module. You can customise the two preset emails to include language and terminology that best suits your context. Make sure that the language used within the child consent request email is plain, clear, concise and easy for them to understand, otherwise, your consent request may not be deemed compliant!
Top Tip! Avoiding common mistakes with consent requests
You must only send consent requests using the process outlined later in this article. If you attempt to send a consent request outside of the process described, the unique consent form link will not be correctly generated and embedded into the email, and recipients will be unable to respond.
For child consent requests sent to a parent and/or child, these must be sent through the Children module from the child's profile page or the Communication section of the Children module - 'child name' merge fields (e.g. ::child_name:: and ::child_first_name::) will not work outside of the 'system' child consent request Preset.
Head into the Administrator area of ChurchSuite and click the Presets section. For each of the two consent request presets - Consent Request and Consent Request (Child) - select Edit from the Action menu on the right-hand side of the page.
You can customise the Preset email content, including embedding links (perhaps to privacy information on your website) or attaching files. It's important that the ::my_consent_link:: merge field is always present in one form or another in the Consent Request preset - it's this merge field that becomes the unique My Consent form link when the preset is sent from your ChurchSuite account to each recipient. You can include it directly in the body of the email, or the merge field can be used as the hyperlink for a piece of text.
Click Save Changes before navigating away from the Presets section.
Sending consent requests to multiple people
The process of bulk-sending Consent Requests is the same for contacts and children. For children, you will have the option to send the request to the child, the linked parent (the main/linked parent and additional contact), or to all parents (which includes the linked partner/spouse of the linked parent).
Head into the respective module's Communication section and select the contacts or children you want to send the consent request email to. For example, you may have existing tags for various groupings of people in your ChurchSuite modules.
Next, locate the Consent box at the bottom of the page and click Send consent requests.
The Consent Request is previewed before sending, along with a list of recipients. Click Send email to complete the process.
Note: The consent requests are sent regardless of a recipient's communication options - you do not need consent to send a consent request!
Sending individual consent requests
You can send an individual Consent Request for a contact or child from their profile page in the Address Book or Children module, using the Send consent request option on the Communicate drop-down button. After confirming, the consent request is sent immediately and is logged in their Communication log.
Note: The consent request is sent regardless of a recipient's communication options - you do not need consent to send a consent request!
Managing ongoing consent for those without an email address
The ::my_consent_link:: merge field used in the Consent Request preset email (explained above) can be used in an SMS message, meaning that you can send consent requests by SMS, perhaps for those who don't have an email address but who do have a mobile number.
A note about SMS consent requests
It is not possible to send an SMS consent request through the Children module to parents - child consent requests can only be sent to the child's mobile field. If you attempt to send an SMS child consent request to a parent, the consent request merge field link will be for the parent, not the child!
Sending an SMS through ChurchSuite requires the completion of an integration with one of the supported SMS providers appropriate for your region/country e.g. Textlocal, Twilio or BulkSMS - see our separate support articles for completing the appropriate integration.
The ::my_consent_link:: merge field, when added to an SMS, will translate into a clickable My Consent form URL of approximately 100+ characters, meaning that a consent request SMS may exceed the 160-character limit of a single SMS credit, especially if you add a personal message to accompany the merge field.
For contacts and children where neither an email address nor a mobile number is held, you might consider using the Full Details report to produce a printed summary of each person's personal data. This can then be posted to the individual, perhaps in duplicate with a covering letter and your privacy notice, asking them to review it and return one copy signed and dated, indicating any changes and their consent.
The Full Details report is located in the Data Cleansing section of the respective Address Book and Children module reports sections...
You can identify people without email addresses and mobile numbers using a Smart Tag, perhaps with conditions as follows (which matches people with a missing email address and a missing mobile telephone number)...
...and then use that Smart Tag to filter the Full Details report for just those without email addresses and mobiles.
You can use the same Smart Tag to produce address labels for envelopes (in Communication > Labels/Envelopes). Notice also the option to Log in Communication, enabling you to log the manual sending of Consent Requests in the Communication log of each person you're producing labels for.
As each manually-sent consent form is returned you can add an 'Ongoing Consent' key date against the person...
You might also scan and upload their paper consent form to a secure online file storage solution like Dropbox, iCloud or GoogleDocs, and add a link to the scanned consent file as a Note against the person's profile.
As a further suggestion, you may find it helpful to set the 'Ongoing Consent' key date to be automatically added for newcomers who submit their personal data using the Connect > My Details and the Address Book Embed forms. In this way, you'll always be able to use the 'Ongoing Consent' key date as a way to identify those already in ChurchSuite and those being added to ChurchSuite in the future who have (or haven't) provided ongoing consent (see next section). Here's how to configure the key date for those two features...
Head into the Address Book module (and Children module) settings and click on the Connect Options tab. In the Tags/Key Dates/Flows settings section, click Edit and select to add the 'Ongoing Consent' key date when a new contact is created through the My Details form...
...and then click into the Embed Options tab, and in the Tags/Key Dates/Flows settings section, click Edit and select to add the 'Ongoing Consent' key date when a new contact is created through the Address Book Embed form...
Managing ongoing consents received and outstanding
It's helpful to see at any time where there are outstanding consent requests; especially if your processing purposes change and you need to reach out to those in your database to solicit updated consent. For those who complete and submit the My Consent form, several things happen in ChurchSuite that can be used to help you keep on top of 'granted' and 'outstanding' consents.
1. An 'Ongoing Consent' Key Date is added - viewable from the Key Dates tab on a Contact's profile page.
2. When a person completes and submits their My Consent form a record of the data subject's confirmation email is added to their Communication log. The confirmation includes a snapshot of the consent form at the date/time of submission and serves both as evidence of the consent given, and also a double check for the data subject i.e. they too will have a record of the data they consented to.
3. Any changes to personal information made on the My Consent form are recorded in each person's Changes log.
If you're using the admin workflows outlined in this article, an 'Ongoing Consent' Key Date is added each time consent is granted for contacts and children. You can therefore easily use this 'Ongoing Consent' Key Date as a condition in Smart Tags to identify those who have consented (in this example, have consented in the last 3 years)...
...and those whose consent is missing or outstanding (in this example, have not consented in the last 3 years) - note the red cross rather than the green tick changes the Tag from matching people that "DO have..." to match people that "DO NOT have..."...
Each contact or child will then have one or other of the above Smart Tags visible on their profile page - the example below has given their consent in the last 3 years and has a Consent Granted tag showing on their profile. Your Data Protection policy will dictate how often you seek updated consent.
The Key Dates report and Key Dates Missing report can easily be filtered by the 'Ongoing Consent' key date to quickly identify those who have consented and those whose consent is still outstanding. You can just as easily communicate directly from the report's results, perhaps to send a reminder.
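As an added example (not ChurchSuite's own code), the following Python models the 'Ongoing Consent' key date and the two Smart Tag conditions above ("consented in the last 3 years" / "not consented in the last 3 years"), together with the email, SMS and postal fallbacks from the earlier section on people without an email address. The record structure, field names and sample people are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import date
from typing import List, Optional

# The article's example policy: consent counts as current for 3 years.
CONSENT_WINDOW_DAYS = 3 * 365


@dataclass
class ConsentKeyDate:
    """One 'Ongoing Consent' key date, carrying the evidence the article lists."""
    granted_on: date
    submitted_by: str                  # typed name acting as a digital signature
    method: str                        # "My Consent" form or "paper"
    ip_address: Optional[str] = None   # only recorded for the online form


@dataclass
class Person:
    """Assumed minimal contact/child record (not the ChurchSuite data model)."""
    name: str
    email: Optional[str] = None
    mobile: Optional[str] = None
    consents: List[ConsentKeyDate] = field(default_factory=list)


def has_consented_within(person: Person, today: date,
                         window_days: int = CONSENT_WINDOW_DAYS) -> bool:
    """Smart Tag 'DO have an Ongoing Consent key date in the last 3 years'."""
    return any(0 <= (today - c.granted_on).days <= window_days
               for c in person.consents)


def split_by_consent(people, today):
    """Return (granted, outstanding) name lists: the two Smart Tags in the article."""
    granted = [p.name for p in people if has_consented_within(p, today)]
    outstanding = [p.name for p in people if not has_consented_within(p, today)]
    return granted, outstanding


def request_channel(person: Person) -> str:
    """Fallback order from the article: email, then SMS if only a mobile is held, then post."""
    if person.email:
        return "email"
    if person.mobile:
        return "sms"
    return "post"


def sms_credits(message: str, link_length: int = 100) -> int:
    """Estimate SMS credits once ::my_consent_link:: expands to a ~100-char URL (160 chars per credit)."""
    expanded = message.replace("::my_consent_link::", "x" * link_length)
    return -(-len(expanded) // 160)    # ceiling division


def record_paper_consent(person: Person, signed_on: date, submitted_by: str) -> None:
    """Log a returned paper form as an Ongoing Consent key date, as the article suggests."""
    person.consents.append(ConsentKeyDate(signed_on, submitted_by, "paper"))


# Constructed sample data (not real people).
TODAY = date(2024, 6, 1)
PEOPLE = [
    Person("Alice", email="alice@example.com",
           consents=[ConsentKeyDate(date(2023, 1, 10), "Alice", "My Consent", "203.0.113.7")]),
    Person("Bob", email="bob@example.com", mobile="+447700900001",
           consents=[ConsentKeyDate(date(2020, 3, 1), "Bob", "My Consent", "203.0.113.8")]),
    Person("Carol"),                          # no email, no mobile: postal route
    Person("Dave", mobile="+447700900002"),   # mobile only: SMS route
]

if __name__ == "__main__":
    granted, outstanding = split_by_consent(PEOPLE, TODAY)
    print("Consent Granted:", granted)          # ['Alice']
    print("Consent Outstanding:", outstanding)  # ['Bob', 'Carol', 'Dave']
    for p in PEOPLE:
        print(p.name, "->", request_channel(p))
```

Bob's 2020 consent falls outside the 3-year window, so he lands in the outstanding list even though a key date exists, which is exactly what the red-cross Smart Tag condition surfaces.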
Do we have to delete data if we don't hold consent?
If no lawful basis applies to your processing, your processing may be unlawful and in breach of the first GDPR principle. Individuals (data subjects) also have the right to have personal data erased which has been processed unlawfully. There are also potential scary fines for non-compliance!
Your privacy notice will make clear the purpose for processing each type of data you hold and the lawful basis you have for that processing. Remember, processing includes the storage of personal data, not just the things your organisation does with it, e.g. marketing communications. While consent is one basis for processing, other bases such as legitimate interest may be more appropriate and easier to administer. It will be difficult to swap your basis for processing if consent is not forthcoming. Even if a different basis could have been applied from the start, retrospectively switching lawful bases is likely to be inherently unfair to the individual and lead to breaches of accountability and transparency requirements. Organisations, therefore, need to get their lawful basis for processing right from the start!
For churches particularly it's important to consider to what extent the legitimate interest basis applies to some or all of the types of data you hold - it's not helpful (and is confusing to the data subject) to ask for consent where legitimate interest or legal obligation might be more appropriate! Your privacy notice should explain the different bases and types of processing for each basis. For example, you may prefer to consider legitimate interest as your lawful basis if you wish to keep control over data processing and take responsibility for demonstrating that it is in line with people’s reasonable expectations and wouldn’t have an unwarranted impact on them. On the other hand, if you prefer to give individuals full control and responsibility for their data (including the ability to change their minds as to whether it can continue to be processed), you may want to consider relying on individuals’ consent.
For each category of personal data you process, make sure that your privacy notice clearly states the lawful basis for processing. For example, you may not need to ask consent to send rota reminder communications if you consider there's a "team serving legitimate interest" that warrants sending reminders - especially since rota members can easily opt-out of receiving rota reminders if they become an annoyance or are unwanted. On the other hand, if you plan to use their rota reminder email address for church marketing, you may need consent for that purpose. Without a legal basis for processing, the GDPR is clear that you should immediately cease processing their data, which includes storing that data.