An international ministry needs to follow international regulations. This includes the General Data Protection Regulation (GDPR). Starting on 25 May 2018, European countries are clamping down on privacy issues. Here is a brief overview of what these new regulations are. Also, I mention a few ways this will impact your church.
Many smaller churches likely only deal with local members. As I mentioned in a previous article, their privacy is a concern. Yet you step into a larger arena once you collect user information from another country. The international scope of the internet is its biggest benefit. This worldwide platform is unlike any in history. Yet we are always figuring out how to properly wield the power it provides. As lawmakers attempt to keep pace, we must do our part. Here is an overview of the latest regulations around collecting personal information.
What Data is Affected?
Personal data is the primary concern of this legislation. If you store information about your users, this impacts you. The following is a list of what the GDPR considers personal information:
- Social Security numbers
- Email addresses
- Banking information
- Social media posts
- Medical information
- IP addresses
What does the GDPR say?
The GDPR consists of eight major principles. Organizations must show how they follow each of them. Below is a summary, and you can find more information on the official website.
- Fair and Lawful: Have a good and legitimate reason for collecting the information.
- Purposes: Be clear with why you are collecting the information.
- Adequacy: Collect only the minimum amount of data needed for those purposes.
- Accuracy: If necessary, keep that personal information up to date.
- Retention: Determine and disclose how long you need to keep this information.
- Rights: Users can know what information you have, can opt out of direct marketing, and can ask to have their data permanently destroyed.
- Security: It is the organization's responsibility to safeguard this personal information.
- International: If you collect this data, you may not transfer it to a country outside of the European Economic Area that does not have similar protections.
How to Prepare for GDPR
I realized this article has already become pretty long. I decided at this point to move some content to a follow-on article. I will cover specific action items for common digital platform areas. But before you can fix a single thing, you need to know where those problems could exist. Yet again I will ask you to do the "A" word. Yes, you need to audit your data. Luckily, most data gathering occurs on pages with web forms. Yet your scope increases a lot if you have accounts or profiles associated with your church. Volunteer scheduling applications, donation collection, and newsletter management are all common spaces to look. Audit them to see what data you collect, and what instructional text you have in those areas. Lastly, put together a list of all the ways you store that information.
I would start with a meeting that involves your pastoral, technology, and marketing leadership. I realize that the person reading this may fill all three roles. But if not, everyone needs to understand the gravity and reasoning behind these laws. Review the types of data, and the principles you should follow with them. Next, conduct the inventory I mentioned in the previous section. Get your church ready to fix the problems I am sure you will find. Then pray for guidance and read my upcoming article. There I will list common problems I expect you will find, and prescribe measures to fix them. Thank you for reading, and I look forward to talking again soon!
Photo courtesy of Peter Skadberg
Thanks to KnowHowNonProfit for their great article on GDPR.