For churches processing personal data of EU citizens, ChurchSuite makes it really easy to gain ongoing consent to process personal data of those in your Address Book and Children module, in compliance with the EU General Data Protection Regulation 2018 (GDPR).
In this article
Overview of the consent workflow
Customising your church's communication preferences
Adding your church's privacy notice
Customising the My Consent form
Customising the My Consent request preset email
Sending the My Consent form to multiple people
Sending the My Consent form to an individual
Managing ongoing consent where you don't have an email address
Managing/reporting ongoing consents received and consent outstanding
Before proceeding - is consent the correct lawful basis?
Please take time to read this support article carefully and thoroughly before sending consent requests. Consent is one of six lawful bases for processing people's information under the GDPR. Consent is only appropriate if you can offer people real choice and control over how you will use their data, and if you want to build their trust and engagement. But if you cannot offer a genuine choice, consent may not be appropriate. For example, if you would still process the personal data without consent (e.g. because you have a legitimate interest basis), asking for consent is misleading and inherently unfair, and therefore not compliant with the GDPR. For UK organisations, ICO guidance can be found here. Make sure you have an approved, compliant privacy notice suitable for your purposes before you send any consent requests - if there's no privacy notice, how can people be deemed to have fairly consented! GDPR consent is not necessarily the same thing as parental consent for children ministry - while there is often overlap between the information you are soliciting and a certain amount of customisation is possible, ChurchSuite's ongoing consent functionality may not suit your full "parental consent" processes.
Overview of the consent workflow
Use of the My Consent functionality is independent of the member-facing My ChurchSuite and does not require a church to be using My ChurchSuite in order to send consent requests. Obviously best compliance with the GDPR is when data subjects can manage their own personal data, which is what My ChurchSuite is primarily designed for. Without access to My ChurchSuite data subjects may only be able to manage their data when they receive a consent form, or access a My Details page through Connect running at your church information desk.
From a contact's profile in the Address Book, or a child's profile in the Children module, or from the Communication section of those modules, you can send a secure digital consent request to an individual or group of people; or even to all contacts and children.
Embedded within the consent request email is a personal link to their "My Consent" form. The My Consent form includes all the personal data you hold about that person, displayed in a partially-obfuscated (starred out) format. Internal-use 'legitimate interest' data like notes, key dates, tags and flows are not included in the form, although you may need to explain this type of processing in your privacy notice.
Church members and their children can then easily review their data on the My Consent form - making corrections, adding missing information, or removing data they no longer wish you to hold. They can also review their privacy settings (if My ChurchSuite permissions are enabled) and their communication options before finally ticking a checkbox to confirm they have "read, understood and accept your privacy notice", and then submit their consent; or they can click to request that their account be deleted from ChurchSuite. Your privacy notice should make clear your expected processes for the "right to be forgotten", so that a data subject can easily invoke that right - the right to be forgotten is not the same as a request to delete their account on ChurchSuite (this is further explained in the related support article).
Where consent is given, all the changes made by the data subject on the My Consent form are updated to their profile in ChurchSuite and changes logs are recorded. An "Ongoing Consent" Key Date is added against the person. As a "double consent confirmation", the data subject will receive a 'success' email that includes a snapshot of the My Consent form and the data consented for each field at the time of submission. That 'sent' confirmation is added to the communication log of the person and serves as your evidence of consent.
If the 'delete account' option is clicked, an email is sent to the church's Data Protection contact (set in Administrator > Profile) so that you can follow your preferred pastoral and administrative workflows for removing data held on ChurchSuite - subject to no other overriding lawful basis for continuing to process some or all of their personal information. The 'delete account' request will never auto-delete a person - this must be actioned by a user.
The process for obtaining ongoing consent from adult contacts and children is identical. Each data subject will receive a separate, personalised consent email and each individual has their own My Consent form. As part of the consent form workflow, the data subject is required to type their name; meaning that you will know whether the My Consent form was completed by the data subject or by a spouse/partner, or a parent on behalf of their child. Do remember that subject to certain conditions, children over the age of consent (14 years) may be able to provide their own consent, or a parent or adult with parent responsibility may consent on the child's behalf. The name of the submitter is included in the Key Date, along with the date/time of consent, the IP address of the submitter and the consent method (i.e. "My Consent"). Where your church has multiple consent-gathering workflows, you may wish to make use of the "Ongoing Consent" key date for those processes too - in this way a single key date instance will help you determine those that have or have not yet consented.
Where consent is your legal basis for processing (and for best compliance, and certainly when your church's processing purposes change) you can send the ongoing consent form again at any time.
What's your legal basis for processing personal data?
Under the GDPR, there are six lawful bases for processing personal data - "consent" is one basis and may not be the best or most appropriate basis depending on how you process information. As Data Controller your church's privacy notice will outline 1) the lawful basis/bases for processing the different types of people's personal data, and 2) the purpose of the processing. If your purposes change, you may be able to continue processing under the original lawful basis if your new purpose is compatible with your initial purpose, unless your original lawful basis was consent. This means that you will need to gain new consent if your purposes change.
The GDPR imposes comprehensive accountability and transparency requirements for Controllers. You should therefore make sure you clearly document your lawful basis for processing so that you can demonstrate compliance. You must also inform people upfront about your lawful basis for processing their personal data by including it in privacy notices. Your privacy notice should be easily accessible every time people are asked to provide/submit personal information. All ChurchSuite forms do not allow submissions unless the data subject click to confirm they have read, understood and accepted your privacy notice.
Customising your church's communication options
As part of providing ongoing consent to process their personal information, church members are able to opt in/out of receiving general communications (emails and SMS) and rota reminders (emails and SMS). General communications are defined simply as all other church communications that are not rota reminders.
You can optionally enable two further communication options for Receive phone calls and Receive post in the Address Book and Children module options.
Types of email (and the lawful basis for processing)
General emails/SMS are considered any communication sent by a User of your admin-facing system from within ChurchSuite. If "Receive general emails/SMS?" is opted out, general emails/SMS are not sent to that person. It is not possible to add custom communication options for different types of general email communications - you could manage your different audiences using a custom field and smart tags, but email communication to those in tags will still always respect the "Receive general email?" communication preference.
System notification emails and confirmation emails are not considered general emails, and are therefore always sent and cannot be opted out of. These include:
- Event and small group sign-up notifications
- Flow overseer notifications
- Booking type/resource overseer notifications
- Address Book Embed and Connect "my details" notifications
- 'Areas of interest' notifications
- My ChurchSuite password reset emails
- My ChurchSuite invitation emails
- Consent request emails
- Success emails
Users can view and manage a person's communication options from their profile page in the Address Book or Children module...
And church members can manage their own communication options at any time from the My Details and My Children sections within the member-facing My ChurchSuite...
...and also as part of completing their Ongoing Consent form (see section later in this article).
While ChurchSuite ordinarily "respects" each recipient's communication options, it's also possible for a user to override the communication options when sending an email or SMS - perhaps where you have a compelling reason or another lawful basis for sending the communication without consent. For example, expected bad weather resulting in a church service being cancelled may be deemed a valid, lawful reason for not respecting communication settings to ensure everyone knows that important cancellation notice.
When overriding communication settings, the user is required to provide a "reason" - the override reason is included in the footer of sent emails - "You received this message because [reason]" - see preview example below.
Adding your church's privacy notice
Your church's privacy notice will be included on all ChurchSuite public-facing forms where people submit personal data - visitor child check-in, event sign-up, small group embed sign-up, Donate, the Connect > My Details form, the Address Book newcomer embed form and My ChurchSuite - it's also included on the My Consent form. Remember, a data subject cannot be deemed to have fairly consented if your privacy notice was not available at the time of submission!
Your privacy notice is added in the Administrator section of your ChurchSuite account, within the Profile area.
In the Data Protection section (see above) you can add a Title, which displays on public facing forms after the "I have read, understand and accept your [Title]" consent checkbox, and the data protection Statement - essentially your privacy notice - which is shown in a pop-up window when someone clicks the "view privacy notice" link on a form/page they are completing. Once your privacy notice is added to ChurchSuite, people will not be able to submit a form without first confirming they accept your privacy notice. A confirmation checkbox will not be present on any form unless a Data Protection statement has been added to ChurchSuite first.
Save your changes before navigating away from the Profile page.
Customising the My Consent form
The My Consent form is very similar to the "My Details" page that church members use to manage their personal data in My ChurchSuite (and that of their children in the My Children section there). The My Consent form follows the exact same settings as My ChurchSuite - if fields are editable in My ChurchSuite then they will also be editable on the My Consent form; similarly, if you have fields that are set as non-editable, they will not be editable on the My Consent form.
Since best compliance with the GDPR is when a data subject is able to manage all their own personal data, you may wish to review your My ChurchSuite options for the Address Book and Children modules, so that all fields for which you collect personal data are both visible and editable in My ChurchSuite, and therefore visible and editable on the My Consent form too. Of course any internal-use custom fields can be set 'not visible' in My ChurchSuite, or you may wish to set them 'visible, but not editable'. A good example may be a "membership status" custom field, which you maintain for internal use and may make visible in My ChurchSuite, but you probably don't want this editable! Best compliance is to be as transparent as possible about the personal data you hold, perhaps by setting custom fields visible, even though the church member cannot change the data themselves - in this way mistakes or incorrect data can more easily be identified and rectified (the "right to rectify" is also a data subject's right under the GDPR).
To customise the My Consent form - and having reviewed your optional, visible and editable fields - head into the Address Book module settings and locate the My ChurchSuite Options tab...
Scroll down the My ChurchSuite Options page to the Communication Message and Privacy Message section (it's after the Custom Fields section).
These two customisable messages display on the Communication and Privacy tabs in My ChurchSuite (on the My Details section and the My Children section) - but they also display on the My Consent form (see next screen shot). Add your own custom message to each section, ideally using language and terminology that are already familiar to your church members and appropriate for adults and children.
The privacy options do not show on the child consent form; only for contacts who have "Allow My ChurchSuite login" enabled, or who have any of their privacy options set as visible.
Note: If your church is not yet using My ChurchSuite, you should either disable My ChurchSuite access in the Address Book Module Options, or use the Address Book > Reports > Communication Options report to set all the "visible" privacy options (name, email, address, phone, mobile) and the "Allow My ChurchSuite login" to off/not visible for all contacts.
A note about child consent
Make sure that the language you use for these messages is clear and concise. Where you are relying on a child's consent, the GDPR expects your messages to be easy for them to understand - children have the same rights as adults over their personal data. This includes the right to access their personal data; request rectification; object to processing and have their personal data erased; so it's important that they are able to understand what will happen to their personal data, and what rights they have - their consent may not be considered fair or lawfully obtained if the language is too complex for them to understand.
Continue down the My ChurchSuite Options page to the Ongoing Consent section to customise the content of each section of the form. Add your own custom content to each field/section, ideally using language and terminology that are already familiar to your church members.
The Page Title and Welcome Message display at the top of the My Consent form...
The Consent Message displays in the consent section at the end of the form...
...and the Success Message displays on the screen when someone submits their details.
You can add a Success Email too, by first creating a Preset email in Administrator > Presets. ChurchSuite will append a snapshot of the submitted My Consent form to your preset email. If no preset success email is created, ChurchSuite will simply send the form snapshot as a standalone confirmation email. The 'From' address in the ChurchSuite-generated email will show your church's designated Data Protection contact (set in Administrator > Profile). If you create a preset success email, you can specify the 'From' address.
Remember to save your changes to your My ChurchSuite Options before navigating away from the page.
Customising the Consent Request preset email
The ongoing consent process begins with sending the Consent Request preset email. There are two "system" presets - one for contacts in your Address Book and one for children in your Children module. You can easily customise these two emails to include language and terminology that best suits your church context. Make sure that the language used within the child consent request email is plain, clear, concise and easy for them to understand - your request may not be considered compliant if it is not!
Common mistakes with consent requests
You must only send bulk and individual consent requests using the method outlined in the following sections of this article. If you attempt to send the consent request by any other method, or if you create your own Preset consent request (e.g. by duplicating a Preset), the unique consent form link will not be correctly generated and embedded into the email and the process will fail.
For child consent requests sent to a parent and/or child, these must be sent through the Children module from the child's profile page or from the Communication section of the Children's module - child name merge fields (e.g. ::child_name:: and ::child_first_name::) will not work outside of a child consent request email preset.
Head into the Administrator area of ChurchSuite and click the Presets section. For each of the two consent request presets, select Edit from the action cog on the right hand side of the page.
You can customise the email content, including embedding links (perhaps to privacy information on your website), or attaching files. It's important that the ::my_consent_link:: merge field is always present in the Consent Request preset - it's this merge field that becomes the unique My Consent form link when the preset is sent from your ChurchSuite account to each recipient.
Save any changes you make before navigating away from the Presets section.
Sending the My Consent form to multiple people
The process of bulk-sending the Consent Request email is the same for contacts and children. For children you will have the option to send the request to the child, the primary parent (the main/linked parent) or all parents (which includes the linked partner/spouse of the main/linked parent).
Head into the respective module's Communication section and select the contacts or children you want to send the consent request email to. You might, for example, have Tags of people, so that you can work in batches or groupings of people.
Next, locate the Consent box at the end of the page and click Send consent requests.
The 'sent' consent request is recorded in the Communication log in the Recent Activity section of each person's profile page.
Sending the My Consent form to an individual
To send a consent request to an individual contact or child, locate the person's profile page within the Address Book or Children module and select Send consent request from the Communicate drop-down button. After confirming, the consent request email is sent immediately and is logged in the person's Communication log in the Recent Activity section at the bottom of their profile page.
Managing ongoing consent where you don't have an email address
The ::my_consent_link:: merge field that is used in the Consent Request preset email (see above) can also be used within an SMS message; meaning that you can easily send consent requests by SMS to those for whom you do not have an email address, but do have a mobile number.
A note about SMS consent requests.
It is not possible to send an SMS consent request through the Children module to parents - only child consent requests can be sent to the child. If you attempt to send an SMS child consent request to a parent, the consent request merge field link will be for the parent, not the child!
Sending SMSs through ChurchSuite requires completion of an integration with one of our supported SMS providers appropriate for your region/country e.g. Textlocal, Twilio or BulkSMS - see our separate support articles for completing the appropriate integration.
Note: The ::my_consent_link:: merge field, when sent, will translate into a clickable consent form URL of approximately 100 characters, meaning that each sent consent request SMS may exceed the 160 character limit of a single SMS credit, especially if you add a personal message accompanying the merge field.
For contacts and children where neither an email address or mobile are held, you might use the Full Details report to produce a printed summary of each person's personal data that can then be posted to the individual, perhaps in duplicate with a covering letter and your privacy notice, asking them to review and return one copy signed and dated indicating their consent.
The Full Details report is located in the Data Cleansing reports section of the Address Book and Children module...
You can easily identify people without email addresses and mobile numbers using a simple Smart Tag, perhaps with conditions as follows (which match for a blank email and mobile field)...
...and then use that Smart Tag to filter the Full Details report for just those without email addresses and mobiles.
You can also use the same Smart Tag to produce address labels for envelopes (in Communication > Labels/Envelopes). Notice also the option to Log in Communication, enabling you to log the manual sending of Consent Forms in the Recent Activity > Communication log of each person you're posting to.
...Then, as each manual consent form is returned, you can add an Ongoing Consent key date against the contact or child...
You might also scan and upload the consent form to a secure online file storage solution like Dropbox, iCloud or GoogleDocs; and add a link to the consent file as a Note against the person in your Address Book or Children module. Clicking these links will open the scanned consent form to view.
As a further suggestion you may find it helpful to set the Ongoing Consent key date to be automatically added for newcomers who submit their personal data using the Connect > My Details and the Address Book Embed form. In this way, you'll always be able to use the "Ongoing Consent" key date as a way to identify those already in ChurchSuite, and those being added to ChurchSuite in the future, who have (or haven't) provided consent (see next section). Here's how to configure the key date for those two features...
Head into the Address Book module settings and click on the Connect Options tab. In the Tags/Key Dates/Flows section, you can select to add the "Ongoing Consent" key date when a new contact is created through the My Details form...
...and then click into the Embed Options tab, and in the Tags/Key Dates/Flows section, you can select to add the "Ongoing Consent" key date when a new contact is created through the Address Book Embed form...
Managing ongoing consents received and outstanding
It's helpful to see, at any given time, where there are outstanding consent requests; especially if your processing purposes change and you need to reach out to those in your database to solicit updated consent. For those who complete and submit the My Consent form, several things happen in ChurchSuite that can be used to help you keep on top of 'granted' and 'outstanding' consent.
1. An "Ongoing Consent" Key Date is added.
2. When a person completes and submits their My Consent form, a record of the data subject's confirmation email is added to their Communication log. The confirmation includes a snapshot of the consent form as at the date/time of submission and serves both as evidence of consent but also a double check for the data subject i.e. they too will have a record of the data they consented to.
3. Any changes made on the My Consent form are recorded in the Changes log. Changes made by data subjects, either in My ChurchSuite or My Consent, cannot be undone i.e. there is no "Undo [changes]" option to reverse the data subject's consent.
If you're using the workflows outlined in this article, an "Ongoing Consent" Key Date is being added each time a consent is added for contacts and children. You can easily use this "Ongoing Consent" Key Date as a condition in Smart Tags to identify those who have consented (in this example, have consented in the last 3 years)...
...and those whose consent is missing or outstanding (in this example, have not consented in the last 3 years) - note the red cross rather than the green tick changes the tag from matching people that "DO have..." to match people that "DO NOT have..."...
Each contact or child will then have one or other of the above Smart Tags visible on their profile page - the example below has given their consent in the last 3 years. Your Data Protection policy will dictate how often you seek updated consent.
The Key Dates report and Key Dates Missing report can easily be filtered by the "Ongoing Consent" key date to quickly identify those who have consented and those whose consent is still outstanding. You can just as easily communicate direct from the report results, perhaps to send a reminder.
Do we really have to delete data if we don't have consent?
If no lawful basis applies to your processing, your processing will be unlawful and in breach of the first GDPR principle. Individuals also have the right to have personal data erased which has been processed unlawfully. There are also potential scary fines!
Your privacy notice will make clear the purpose for processing each type of data you hold and the legal basis you have for that processing. Remember, processing includes the storage of personal data, not just the things your church does with it e.g. marketing communications. While consent is an appropriate basis for processing, others bases, such as legitimate interests, may be more appropriate and easier to administer. It will be difficult to simply swap your basis for processing in the absence of consent not being forthcoming. Even if a different basis could have applied from the start, retrospectively switching lawful basis is likely to be inherently unfair to the individual and lead to breaches of accountability and transparency requirements. Churches therefore need to get their legal basis right from the start!
For churches, it's important to consider to what extent the "legitimate interest" basis applies to some or all of the types of data you hold - it's not helpful (and is confusing to the data subject) to ask for consent where legitimate interest or legal obligation might be more appropriate! Your privacy notice should explain the different bases and types of processing for each basis. For example, you may prefer to consider legitimate interest as your lawful basis if you wish to keep control over the processing and take responsibility for demonstrating that it is in line with people’s reasonable expectations and wouldn’t have an unwarranted impact on them. On the other hand, if you prefer to give individuals full control over and responsibility for their data (including the ability to change their mind as to whether it can continue to be processed), you may want to consider relying on individuals’ consent. For each category of personal data you process, make sure your privacy notice clearly states the lawful basis for processing. For example, you may not need to ask consent to send rota reminder communications if you consider there's a "team serving legitimate interest" that warrants sending reminders. On the other hand if you plan to use their rota reminder email address for church marketing, you may need consent for that purpose. Without a legal basis for processing, the GDPR is clear that you should immediately cease processing their data, which includes storing that data.