Ongoing consent

For customers processing personal data of UK or EU citizens, ChurchSuite makes it really easy to obtain ongoing consent to process the personal data of those in your Address Book and Children modules in compliance with the UK and EU General Data Protection Regulation 2018 (GDPR).

In this article

Overview of the consent workflow
Customising communication options
Adding your privacy notice
Customising the My Consent form
Customising the consent request email
Bulk-sending consent requests to multiple people
Sending a consent request to an individual
Managing ongoing consent where you don't have an email address
Managing/reporting ongoing consents received and consent outstanding

Before proceeding - is consent the correct lawful basis for us?

Please take time to read this support article carefully and thoroughly before sending consent requests. Consent is one of eight lawful bases for processing people's information under the GDPR. Consent is only appropriate if you can offer people real choice and control over how you will use their data, and if you want to build their trust and engagement. But if you cannot offer a genuine choice, consent may not be appropriate. For example, if you would still process their personal data without consent (e.g. because you have a legitimate interest or legal obligation basis), asking for consent is misleading and inherently unfair, and therefore not compliant with the GDPR. For UK organisations, further ICO guidance can be found here.

Also, make sure you have an approved, compliant privacy notice suitable for your purposes before you send any consent requests - if there's no privacy notice, how can people be deemed to have fairly consented? "GDPR consent" is not necessarily the same thing as "parental consent" for a children's ministry - while there is often overlap in the information you are soliciting from a data subject, and a certain amount of customisation is possible, ChurchSuite's ongoing consent functionality may not suit your full "parental consent" processes. The functionality described in this article is primarily intended for 'data protection' consent under the GDPR.

Overview of the consent workflow

Use of the My Consent functionality described in this article is independent of the member-facing My ChurchSuite and does not require your organisation or members to be using My ChurchSuite in order to send consent requests. Obviously best compliance with the GDPR is when data subjects can manage their own personal data, which is what My ChurchSuite is primarily designed for. Without access to My ChurchSuite, data subjects will only be able to manage their data when they receive a consent request (explained in this article), when submitting their personal information as a newcomer using the My Details form running at your Information Point through Connect, or when using the Address Book Embed. We therefore encourage you to make My ChurchSuite available to those in your ChurchSuite database for best compliance - and to reduce some of the office administration when data subjects can manage their own personal information.

You can send consent requests to individuals, groupings of people (perhaps in a Tag) or to all contacts and children if you wish. This can be done from a contact's profile in the Address Book, a child's profile in the Children module, or from the Communication section of the respective module.

Embedded within the consent request email is a personal link to the recipient's own My Consent form. The My Consent form lists all the personal data you hold for that person displayed in a partially-obfuscated (starred out) format. Internal-use 'legitimate interest' data like notes, key dates, tags and flows are not shown in the form although you will likely need to explain this type of processing in your organisation's privacy notice.

Contacts and their children can then easily review their personal information on the My Consent form - making corrections, adding missing information, or removing data they no longer wish you to process. They can also review their privacy settings (if My ChurchSuite permissions are enabled) and their communication options before finally ticking a checkbox to confirm they have read, understood and accept your privacy notice, and then submit the completed consent form; or they can click to request that their account be deleted from ChurchSuite. Your privacy notice should make clear your expected admin processes for those who wish to invoke their 'right to be forgotten' - the 'right to be forgotten' is not the same as a request to 'delete their account from ChurchSuite' (this is further explained in the related support article). Please note, though, that the contact cannot alter the image held for them from the ongoing consent email; this is accessed via their My Details section in My ChurchSuite or, for their children, via My Children in My ChurchSuite.

Where consent is given, all the changes made by the data subject on the My Consent form are updated to their profile in ChurchSuite and Changes logs are recorded. An 'Ongoing Consent' Key Date is added against the person, and as a "double consent confirmation" the data subject will receive a Success email that includes a snapshot of the My Consent form they submitted. That 'sent' success email is added to the Communication log of the person and serves as further evidence of consent.

If a consent request recipient selects Delete account, an email is sent to your organisation's designated Data Protection contact (set in Administrator > Profile) so that you can follow your preferred internal pastoral and administrative workflows for removing data held on ChurchSuite - unless you have an overriding lawful basis for continuing to process some or all of their personal information. The 'delete account' request will never auto-delete a person - this can only be actioned by a User after review and due consideration of the request.

The process for obtaining ongoing consent from adult contacts and children is identical. Each data subject will receive a separate personalised consent request email and each individual has their own My Consent form. As part of the ChurchSuite consent form 'submission' workflow the data subject is required to type their name (like a digital signature), meaning that you will know whether the My Consent form was completed by the data subject or by a spouse/partner or a parent on behalf of their child. Do remember that children over the age of consent (13+ years under the EU GDPR) may be able to provide their own consent, or a parent or adult with parental responsibility may consent on the child's behalf. The name of the My Consent form's submitter is included in the 'consent' Key Date that is added, along with the date/time of consent, the IP address of the submitter and the consent method (i.e. the "My Consent" form, as opposed to a paper-based consent perhaps recorded by one of your Users). Where your organisation has multiple consent-gathering admin workflows - perhaps a paper-based system for those who don't have an email address - you may wish to make use of the Ongoing Consent key date for those processes too; in this way a single 'Ongoing Consent' key date will help you determine those who have or have not yet provided you with ongoing consent.

Where consent is your lawful basis for processing, for best compliance, and certainly when your organisation's processing purposes change, you can send an ongoing consent request form again at any time.

Under the GDPR, there are eight lawful bases for processing personal data - consent is one basis - but this may not be the best or most appropriate basis depending on how you process information. As Data Controller, your organisation's privacy notice will outline 1) the lawful basis/bases for processing the different types of people's personal data, and 2) the purpose of the processing. If your purposes change, you may be able to continue processing under the original lawful basis if your new purpose is compatible with the initial purpose, unless your original lawful basis was consent. You will always need to gain new consent if your purposes change.

The GDPR imposes extensive accountability and transparency requirements for Data Controllers. You should therefore make sure you clearly document your lawful basis/bases for processing so that you can demonstrate compliance (known as a Data Protection Impact Assessment). You must also inform data subjects upfront about your lawful bases for processing their personal data by including it in your Privacy Notice. Your privacy notice should be easily accessible every time people are asked to provide or submit personal information to your organisation. All ChurchSuite public-facing forms always make available your privacy notice and do not allow data submission through a form unless the data subject ticks to confirm they have read, understood and accept your privacy notice.

Customising communication options

As part of providing ongoing consent to process their personal information, those in your Address Book and Children modules are able to opt in/out of receiving general communications (emails and SMS) and rota reminders (emails and SMS). General communications are defined as all other communications sent by Users that are not rota reminders.

You can optionally enable two further communication options for Receive phone calls and Receive post in the Address Book and Children module options.

Types of email (and the lawful basis for processing)

General emails/SMS are considered any communication sent by a User of your admin-facing system from within ChurchSuite. If "Receive general emails/SMS?" is opted out, general emails/SMS are not sent to that person. It is not possible to add custom communication options for different types of general email communications - you could manage your different audiences using a custom field and smart tags, but email communication to those in tags will still always respect the "Receive general email?" communication preference.

System notification emails and confirmation emails are not considered general emails, and are therefore always sent and cannot be opted out of. These include:

  • Event and small group sign-up notifications
  • Flow overseer notifications
  • Booking type/resource overseer notifications
  • Address Book Embed and Connect "my details" notifications
  • 'Areas of interest' notifications
  • My ChurchSuite password reset emails
  • My ChurchSuite invitation emails
  • Consent request emails
  • Success emails

Users can view and manage a person's communication options from the Details tab of their profile page in the Address Book or Children module...

...And members can manage their own communication options on the Communication page of the My Details and My Children sections within the member-facing My ChurchSuite...

...and also as part of reviewing and completing their My Consent form (see later in this article).

While ChurchSuite always respects each recipient's communication options, it is possible for a User to override those communication options when sending a message - perhaps where you have a compelling reason or another lawful basis for sending the communication without requiring consent. For example, expected bad weather resulting in an event being cancelled may be deemed a valid, lawful reason for not respecting communication settings to ensure everyone knows about that important cancellation notice (i.e. a Vital interests reason).

When overriding communication options (selecting Do not respect Communication settings) the User is required to provide a Reason - the override reason is included in the footer of sent email - "You received this message because [reason]" - see preview example below.

Adding your privacy notice

Your organisation's privacy notice, if added to ChurchSuite, will be made available on all ChurchSuite public-facing forms where people submit personal data - visitor child check-in, event sign-up, small group embed sign-up, Donate, the Connect > My Details form, the Address Book newcomer Embed form and in My ChurchSuite - it's also included on the My Consent form. Remember, a data subject cannot be deemed to have fairly consented if your privacy notice was not available at the time they submitted their personal information.

Your privacy notice is added in the Administrator section of your ChurchSuite account, within the Profile area.

In the Data Protection section (see above) you can add a Title, which displays on public facing forms after the "I accept your [Title]" consent checkbox, along with some Help text to briefly explain why you require a person's consent. You can then add the data protection Statement itself - essentially your privacy notice - which is shown in a pop up window when someone clicks the "view privacy notice" link on a form/page they are completing. Once your privacy notice is added to ChurchSuite, people will not be able to submit a form without first confirming they accept your privacy notice. A confirmation checkbox will not be present on any form unless a Data Protection statement has been added to ChurchSuite first.

Save your changes before navigating away from the Profile page.

Customising the My Consent form

The My Consent form is very similar to the My Details page in My ChurchSuite that members use to manage their personal data (and that of their children in the My Children section there). The My Consent form respects the same settings as My ChurchSuite - if fields are editable in My ChurchSuite then they will also be editable on the My Consent form; similarly, if you have fields that are set as non-editable or not visible in My ChurchSuite they will not be editable or visible on the My Consent form.

Since best compliance with the GDPR is when a data subject is able to manage all their own personal data, you may wish to review your My ChurchSuite settings for the Address Book and Children modules so that all fields for which you collect personal data are both visible and editable in My ChurchSuite, and therefore visible and editable on the My Consent form too. Of course any internal-use custom fields can be set 'not visible' in My ChurchSuite, or you may wish to set them 'visible, but not editable'. A good example may be a "membership status" custom field that you maintain for internal use that you select be visible in My ChurchSuite, but you probably don't want this editable! Best compliance is to be as transparent as possible about the personal data you hold, perhaps by setting custom fields visible, even though the member cannot change the data themselves - in this way mistakes or incorrect data can more easily be identified and rectified (the "right to rectify" is also a data subject's right under the GDPR).

Scroll down the My ChurchSuite Options page to the Communication Message and Privacy Message section - click Edit to make changes. These two customisable messages display on the Communication and Privacy tabs in My ChurchSuite on the My Details and My Children sections - but they also surface on the My Consent form. Add your own custom message to each section, ideally using language and terminology that are already familiar to your members and worded appropriately for both adults and children to easily understand.

Privacy options do not show on the child consent form; they show only for contacts who have Allow My ChurchSuite login enabled or who have any of their privacy options set as visible - only adult contacts can currently access My ChurchSuite.

Note: If you are not yet using My ChurchSuite you should either disable My ChurchSuite access in the Address Book Module Options or use the Communication Options report (in the Address Book module's Reports section) to set all the currently "visible" privacy options (name, email, address, phone, mobile) and the "Allow My ChurchSuite login" to off/not visible for all contacts.

A note about child consent

Make sure that the language you use for these messages is clear and concise. Where you are relying on a child's consent, the GDPR expects your messages to be easy for them to understand - children have the same rights as adults to their personal data. This includes the right to access their personal data; request rectification; object to processing and have their personal data erased; so it's important that they are able to easily understand what will happen to their personal data and what rights they have - their consent may not be considered fair or lawfully obtained if the language is deemed too complex for them to understand.

Switching to the Consent Options tab, click Edit to add your own custom content to each field/section, ideally using language and terminology that are already familiar to your members - begin by customising the consent form Title and the [Welcome] Message that shows on the form Header.

Continuing down the Consent Options, optionally customise the Consent Form's Footer message and the Success message. You can also add a Success Email by first creating a Preset email (in Administrator > Presets). ChurchSuite will append a snapshot of the submitted My Consent form to your preset email. If no preset success email is created, ChurchSuite will send the form snapshot as a standalone confirmation email. The 'From' address in the ChurchSuite-generated email will be your organisation's designated Data Protection contact (set in Administrator > Profile), but if you create a Preset success email, you can specify the 'From' address.

The Footer Message displays like this on the form...

...and the Success Message displays on the screen when someone submits their details.

Customising the consent request email

The ongoing consent process begins with sending a Consent Request email. There are two 'system' Preset emails - one for contacts in your Address Book and one for children in your Children module. You can customise these two emails to include language and terminology that best suits your context. Make sure that the language used within the child consent request email especially is plain, clear, concise and easy for them to understand - otherwise your consent request may not be deemed compliant!

Common mistakes with consent requests

You must only send (bulk and individual) consent requests using the method outlined in the following sections of this article. If you attempt to send a consent request by any other method, or if you create your own Preset consent request, the unique consent form link will not be correctly generated and embedded into the email and the process will fail.

For child consent requests sent to a parent and/or child, these must be sent through the Children module from the child's profile page or from the Communication section of the Children module - 'child name' merge fields (e.g. ::child_name:: and ::child_first_name::) will not work outside of the 'system' child consent request Preset.

Head into the Administrator area of ChurchSuite and click the Presets section. For each of the two consent request presets - Consent Request and Consent Request (Child) - select Edit from the Action menu on the right hand side of the page.

You can customise the Preset email content, including embedding links (perhaps to privacy information on your website), or attaching files. It's important that the ::my_consent_link:: merge field is always present in one form or another in the Consent Request preset - it's this merge field that becomes the unique My Consent form link when the preset is sent from your ChurchSuite account to each recipient. You can include it directly in the body of the email, or the merge field can be used as the hyperlink for a piece of text.

Click Save Changes before navigating away from the Presets section.

Bulk-sending consent requests to multiple people

The process of bulk-sending Consent Request emails is the same for contacts and children. For children you will have the option to send the request to the child, the [primary] parent (the main/linked parent and additional contact) or all parents (which includes the linked partner/spouse of the main/linked parent).

Head into the respective module's Communication section and select the contacts or children you want to send the consent request email to. For example, you might have Tags of people so that you can work in batches or groupings of people.

Next, locate the Consent box at the bottom of the page and click Send consent requests.

The Consent Request is previewed prior to sending, along with a list of recipients. Click Send email to complete the process.

The sent consent request is recorded in the Communication log of each recipient's profile page. Consent requests are sent regardless of a contact's communication options i.e. you do not need consent to send a consent request!

Sending a consent request to an individual

To send a Consent Request to an individual contact or child, locate the person's profile page within the Address Book or Children module and select Send consent request from the Communicate drop-down button. After confirming, the consent request email is sent immediately and is logged in the person's Communication log at the bottom of their profile page.

Managing ongoing consent where you don't have an email address

The ::my_consent_link:: merge field that is used in the Consent Request preset email (explained above) can also be used within an SMS message; meaning that you can easily send consent requests by SMS to those for whom you don't have an email address but do have a mobile number.

A note about SMS consent requests.

It is not possible to send an SMS consent request through the Children module to parents - child consent requests can only be sent to the child mobile field. If you attempt to send an SMS child consent request to a parent, the consent request merge field link will be for the parent, not the child!

Sending SMSs through ChurchSuite requires completion of an integration with one of our supported SMS providers appropriate for your region/country e.g. Textlocal, Twilio or BulkSMS - see our separate support articles for completing the appropriate integration.

Note: The ::my_consent_link:: merge field, when added to an SMS, will translate into a clickable My Consent form URL of approximately 100 characters, meaning that a consent request SMS may exceed the 160 character limit of a single SMS credit, especially if you add a personal message accompanying the merge field.

For contacts and children where neither an email address nor a mobile number is held, you might consider using the Full Details report to produce a printed summary of each person's personal data that can then be posted to the individual, perhaps in duplicate with a covering letter and your privacy notice, asking them to review and return one copy signed and dated, indicating any changes and their consent.

The Full Details report is located in the Data Cleansing section of the respective Address Book and Children module reports sections...

You can easily identify people without email addresses and mobile numbers using a simple Smart Tag, perhaps with conditions as follows (which match for a blank email and mobile field)...

...and then use that Smart Tag to filter the Full Details report for just those without email addresses and mobiles.

You can also use the same Smart Tag to produce address labels for envelopes (in Communication > Labels/Envelopes). Notice also the option to Log in Communication, enabling you to log the sending of manual Consent Requests in the Communication log of each person you're producing labels for.

As each manual consent form is returned you can add an 'Ongoing Consent' key date against the contact or child...

You might also scan and upload the consent form to a secure online file storage solution like Dropbox, iCloud or Google Docs and add a link to the consent file as a Note against the person in your Address Book or Children module. Clicking these links will open the scanned consent form to view.

As a further suggestion you may find it helpful to set the 'Ongoing Consent' key date to be automatically added for newcomers who submit their personal data using the Connect > My Details and the Address Book Embed forms. In this way, you'll always be able to use the 'Ongoing Consent' key date as a way to identify those already in ChurchSuite and those being added to ChurchSuite in the future who have (or haven't) provided ongoing consent (see next section). Here's how to configure the key date for those two features...

Head into the Address Book module (and Children module) settings and click on the Connect Options tab. In the Tags/Key Dates/Flows settings section, click Edit and select to add the 'Ongoing Consent' key date when a new contact is created through the My Details form...

...and then click into the Embed Options tab, and in the Tags/Key Dates/Flows settings section, click Edit and select to add the 'Ongoing Consent' key date when a new contact is created through the Address Book Embed form...

Managing ongoing consents received and outstanding

It's helpful to see at any time where there are outstanding consent requests; especially if your processing purposes change and you need to reach out to those in your database to solicit updated consent. For those who complete and submit the My Consent form, several things happen in ChurchSuite that can be used to help you keep on top of 'granted' and 'outstanding' consents.

1. An 'Ongoing Consent' Key Date is added - viewable from the Key Dates tab on a Contact's profile page.

2. When a person completes and submits their My Consent form a record of the data subject's confirmation email is added to their Communication log. The confirmation includes a snapshot of the consent form as at the date/time of submission and serves both as evidence of the consent given, but also a double check for the data subject i.e. they too will have a record of the data they consented to.

3. Any changes to personal information made on the My Consent form are recorded in each person's Changes log. Changes made by data subjects in My ChurchSuite or My Consent cannot be 'undone' i.e. there is no "Undo [changes]" option to reverse the data subject's consent.

If you're using the admin workflows outlined in this article, an 'Ongoing Consent' Key Date is added each time consent is granted for contacts and children. You can therefore easily use this 'Ongoing Consent' Key Date as a condition in Smart Tags to identify those who have consented (in this example, have consented in the last 3 years)...

...and those whose consent is missing or outstanding (in this example, have not consented in the last 3 years) - note the red cross rather than the green tick changes the Tag from matching people that "DO have..." to match people that "DO NOT have..."...

Each contact or child will then have one or other of the above Smart Tags visible on their profile page - the example below has given their consent in the last 3 years and has a Consent Granted tag showing on their profile. Your Data Protection policy will dictate how often you seek updated consent.

The Key Dates report and Key Dates Missing report can easily be filtered by the 'Ongoing Consent' key date to quickly identify those who have consented and those whose consent is still outstanding. You can just as easily communicate direct from the report's results, perhaps to send a reminder.
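To make the reporting logic above concrete, here is an added Python example (not ChurchSuite's own code) that models what the article describes: each grant of consent is recorded as an 'Ongoing Consent' key date carrying the submitter's typed name, the date/time, the IP address and the consent method, and a person is "granted" only if their latest key date falls within the chosen window (3 years here, as in the article's Smart Tag example). It also goes slightly beyond the page in one labelled respect: a `notice_version` field is an assumption added so that consent given against an earlier privacy notice can be flagged as outstanding when your purposes change, which the article says always requires fresh consent. The sample people are constructed; the channel check (email, SMS or post) mirrors the earlier section on people without an email address.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Constructed sample data modelled on the article's workflow.  The
# 'notice_version' field is an assumption made for this example: the page
# does not say ChurchSuite stores which privacy notice version was accepted.


@dataclass
class ConsentKeyDate:
    granted_at: datetime          # date/time of consent (UTC)
    submitted_by: str             # typed name, acting as a digital signature
    method: str                   # "My Consent" form or "paper"
    ip_address: Optional[str]     # None for paper-based consent
    notice_version: int           # assumption: privacy notice version accepted


@dataclass
class Person:
    name: str
    email: Optional[str] = None
    mobile: Optional[str] = None
    key_dates: list = field(default_factory=list)   # 'Ongoing Consent' entries


CONSENT_MAX_AGE = timedelta(days=3 * 365)   # "consented in the last 3 years"


def latest_consent(person):
    """Most recent 'Ongoing Consent' key date, or None if never consented."""
    return max(person.key_dates, key=lambda k: k.granted_at, default=None)


def consent_status(person, as_of, current_notice_version):
    """Return 'granted' or 'outstanding'.

    Outstanding when there is no key date, the latest one is older than the
    window, or (assumption) it was given against an older privacy notice,
    since changed purposes always need new consent.
    """
    k = latest_consent(person)
    if k is None:
        return "outstanding"
    if as_of - k.granted_at > CONSENT_MAX_AGE:
        return "outstanding"
    if k.notice_version < current_notice_version:
        return "outstanding"
    return "granted"


def request_channel(person):
    """Channel for a (re-)request: email preset, SMS merge field, or post."""
    if person.email:
        return "email"
    if person.mobile:
        return "sms"
    return "post"


def consent_report(people, as_of, current_notice_version):
    """Group people the way the article's two Smart Tags would."""
    report = {"granted": [], "outstanding": []}
    for p in people:
        status = consent_status(p, as_of, current_notice_version)
        report[status].append((p.name, request_channel(p)))
    return report


AS_OF = datetime(2025, 6, 1, tzinfo=timezone.utc)   # constructed report date

SAMPLE = [   # constructed people; names and details are made up
    Person("Alice", email="alice@example.org", key_dates=[
        ConsentKeyDate(datetime(2024, 1, 10, 9, 30, tzinfo=timezone.utc),
                       "Alice", "My Consent", "198.51.100.7", 2)]),
    Person("Bob", mobile="+440000000000", key_dates=[          # consent too old
        ConsentKeyDate(datetime(2021, 3, 1, tzinfo=timezone.utc),
                       "Bob", "paper", None, 1)]),
    Person("Carol"),                                           # never consented
    Person("Dan", email="dan@example.org", key_dates=[         # older notice
        ConsentKeyDate(datetime(2025, 2, 1, tzinfo=timezone.utc),
                       "Dan", "My Consent", "203.0.113.9", 1)]),
]

if __name__ == "__main__":
    for status, people in consent_report(SAMPLE, AS_OF, 2).items():
        print(status, people)
```

Run as a script it prints Alice under "granted" and Bob, Carol and Dan under "outstanding", each with the channel you would use to chase them; dropping the notice-version requirement (passing `1` as the current version) moves Dan back to "granted".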

Do we really have to delete data if we don't have consent?

If no lawful basis applies to your processing, your processing may be unlawful and in breach of the first GDPR principle. Individuals (data subjects) also have the right to have personal data erased which has been processed unlawfully. There are also potentially significant fines for non-compliance!

Your privacy notice will make clear the purpose for processing each type of data you hold and the lawful basis you have for that processing. Remember, processing includes the storage of personal data, not just the things your organisation does with it e.g. marketing communications. While consent is one basis for processing, other bases such as legitimate interest may be more appropriate and easier to administer. It will be difficult to swap your basis for processing if consent is not forthcoming. Even if a different basis could have applied from the start, retrospectively switching lawful bases is likely to be inherently unfair to the individual and lead to breaches of accountability and transparency requirements. Organisations therefore need to get their lawful basis for processing right from the start!

For churches particularly it's important to consider to what extent the legitimate interest basis applies to some or all of the types of data you hold - it's not helpful (and is confusing to the data subject) to ask for consent where legitimate interest or legal obligation might be more appropriate! Your privacy notice should explain the different bases and types of processing for each basis. For example, you may prefer to consider legitimate interest as your lawful basis if you wish to keep control over data processing and take responsibility for demonstrating that it is in line with people’s reasonable expectations and wouldn’t have an unwarranted impact on them. On the other hand, if you prefer to give individuals full control and responsibility for their data (including the ability to change their mind as to whether it can continue to be processed), you may want to consider relying on individuals’ consent.

For each category of personal data you process, make sure that your privacy notice clearly states the lawful basis for processing. For example, you may not need to ask consent to send rota reminder communications if you consider there's a "team serving legitimate interest" that warrants sending reminders - especially since rota members can easily opt out of receiving rota reminders if they become an annoyance or are unwanted. On the other hand if you plan to use their rota reminder email address for church marketing, you may need consent for that purpose. Without a legal basis for processing, the GDPR is clear that you should immediately cease processing their data, which includes storing that data.
