CHURCHES around the country face a looming deadline to comply with new data regulations that come into effect on 25 May.
There are fewer than 80 days until the EU’s General Data Protection Regulation (GDPR) becomes law. It has an impact on every parish, as well as the national Church.
GDPR replaces existing data-protection laws with more stringent regulations that give individuals more rights over the use of their personal data. There is an onus on every voluntary organisation, which includes parish churches, to become more accountable with regard to the data that they keep, and also more transparent in storing and using that data.
The Director of Libraries and Archives for the Church of England, Declan Kelly, has been leading the task of organising the transfer to the new regulation. He said on Tuesday that the Church was “telling people not to panic about this, because you are probably doing a lot already” in terms of managing data.
Implementing GDPR was “do-able” and “not scary”, Mr Kelly said. He acknowledged, however, that there were those who were “quite rightly concerned about the fact that this is a lot of work”.
Most dioceses have put on training days to help parishes prepare for the rule changes that are two months away.
The Canterbury diocesan director of communications, Anna Drew, said that her diocese had a “moral responsibility” to help churches to comply with the new regulations.
The Priest-in-Charge of St James’s, West End, near Southampton, the Revd Thomas Wharton, said that members of his PCC had been on training days, which had been excellent, and that churches had been working together to become compliant with the new regulations.
The diocese of Oxford’s director of communications, Steven Buckley, said that 17 courses offered by the diocese were fully booked, and that parishes had shown a high level of interest in learning more about the new regulations.
Mrs Drew said that, while it was “not a big leap” from the Data Protection Act to GDPR, parishes were worried by the amount of work that they needed to do. The “key thing [for parishes] is to show you are doing everything to be compliant”, she said.
Mr Wharton said that he first became aware of the new regulations last year, and appointed a PCC member to be data-protection officer. In the early stages, he “did not know quite where to turn”, but, “in the last year, there has been much more of a directive” from the national Church and the diocese of Winchester.
It had been “quite a massive task” to sort out the data for the parish, despite having a regular congregation of about 150. “Large churches have more data, but it is the smaller churches who find it more difficult. . . We are all surprised at how much data we have got.”
Mr Kelly said that the Church was already very careful with data protection; so the challenge should not be too big. “Given that we are already careful about data, the Information Commissioner [ICO] will be chasing big organisations that are playing fast and loose with data, or companies who have lost people’s data.”
GDPR was “about avoiding harm to individuals by misusing data”. Mr Kelly urged PCCs to consider: “If this was my data, would I be happy with how it is being treated?”
The ICO had issued fines in fewer than one per cent of their investigations last year: consent was not needed for every piece of data, and it was a myth that it all needed to be fully completed by 25 May.
Churches “have to get there [sort out their data protection] in a reasonable amount of time”, and the work should be “building on existing data-protection, which is something the Church was already doing well”.
Dioceses, such as Portsmouth and Norwich, have released guides, while the Parish Resources site has published FAQs and a help sheet for PCCs.
Nevertheless, there has been some bafflement among lay people that the Bishops’ effort has been on compliance with the new legislation rather than amending it to reduce the burden on unpaid volunteers in parishes and other small organisations, particularly given that the legislation’s primary target had been abuses by large corporations.
In a letter in the Church Times this week, a churchwarden in London diocese, Mark Stimpson, who praises the training that he received at a diocesan GDPR workshop, complains none the less: “The GDPR Bill has already had three readings in the House of Lords, but, as far as I am aware, not a single bishop has raised serious concerns about the impact that it will have on the voluntary sector. . .
“The bishops in the House of Lords should have been unflinching in their opposition to this Bill. . . Either they do not realise the impact that it will have on volunteers in their parishes, or they do not care.”