The impending General Data Protection Regulation (GDPR) has many organizations worried. Your church does not have to be one of them. This article addresses several steps you can take to follow these new laws. The good news is that these changes all positively impact your users’ experiences.
In case you missed it, last week I provided an overview of what the GDPR policy is. The primary focus is on the collection, use, storage, and transmission of personal data. Churches are not exempt from these laws. If you are not already in compliance, launch a project now and focus on these key areas.
Data collection audit
The first step is knowing where you are collecting data. As you conduct this audit, note what information you collect. A good starting place is all your landing pages. A typical follow-on action for a landing page is a web form. This may seem easy at first, but do not forget any third-party applications you used. This includes event scheduling applications like Eventbrite. Or it could be an email list service like MailChimp.
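One way to make this audit systematic is to scan each landing page for the elements that actually collect or leak personal data: forms (and the field names they submit), plus embedded iframes and scripts that point at other domains. The script below is an added example, not part of the original article; the page HTML, the church hostname and the third-party hostnames are all constructed placeholders. It uses only the Python standard library so it runs offline against the embedded samples.

```python
"""Inventory personal-data collection points across a set of HTML pages.

Added example for the data collection audit step. The sample pages below
are constructed stand-ins for a church website; none of the hostnames are
real endpoints.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample pages: one first-party sign-up form, one embedded
# ticketing iframe, one form that posts straight to a mailing-list vendor,
# and one analytics script. All hostnames are placeholders.
SAMPLE_PAGES = {
    "https://example-church.org/connect": """
        <form action="/subscribe" method="post">
          <input name="email" type="email">
          <input name="first_name">
        </form>
        <iframe src="https://www.example-ticketing.com/e/tickets-123"></iframe>
    """,
    "https://example-church.org/give": """
        <form action="https://list-manage.example.com/subscribe/post">
          <input name="EMAIL" type="email">
          <input name="b_token" type="hidden">
        </form>
        <script src="https://www.example-analytics.net/tag.js"></script>
    """,
}

# Field-name fragments that usually indicate personal data is being collected.
PII_HINTS = ("email", "name", "phone", "address", "birth")


class CollectionPointParser(HTMLParser):
    """Collect forms (with visible field names) and external embeds on one page."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.forms = []
        self.embeds = []
        self._current = None  # form currently being parsed, if any

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "form":
            self._current = {"action": a.get("action", ""), "fields": []}
        elif tag == "input" and self._current is not None:
            # Hidden inputs carry tokens, not user-entered data; skip them.
            if a.get("type", "text") != "hidden" and a.get("name"):
                self._current["fields"].append(a["name"])
        elif tag in ("iframe", "script") and a.get("src"):
            self.embeds.append({"tag": tag, "src": a["src"]})

    def handle_endtag(self, tag):
        if tag == "form" and self._current is not None:
            self.forms.append(self._current)
            self._current = None


def is_third_party(target, page_url):
    """True when the target URL resolves to a host other than the page's own."""
    host = urlparse(target).netloc
    return bool(host) and host != urlparse(page_url).netloc


def collects_personal_data(fields):
    return any(hint in f.lower() for f in fields for hint in PII_HINTS)


def audit(pages):
    """Return one finding per form or external embed across all pages."""
    findings = []
    for page_url, html in pages.items():
        parser = CollectionPointParser(page_url)
        parser.feed(html)
        for form in parser.forms:
            findings.append({
                "page": page_url, "kind": "form", "target": form["action"],
                "fields": form["fields"],
                "personal_data": collects_personal_data(form["fields"]),
                "third_party": is_third_party(form["action"], page_url),
            })
        for embed in parser.embeds:
            findings.append({
                "page": page_url, "kind": embed["tag"], "target": embed["src"],
                "fields": [], "personal_data": False,
                "third_party": is_third_party(embed["src"], page_url),
            })
    return findings


if __name__ == "__main__":
    for f in audit(SAMPLE_PAGES):
        flag = "THIRD-PARTY" if f["third_party"] else "first-party"
        print(f"{f['page']}: {f['kind']} -> {f['target']} [{flag}] fields={f['fields']}")
```

Every third-party finding is a vendor that should appear in your privacy notice and your processor list; every form flagged as collecting personal data is a place where the opt-out and retention text later in this article needs to be linked. Run it over your real page HTML rather than the constructed samples.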
Update and enforce security policies
One of the best practices I can recommend is to create an offline place to store passwords. There are also plenty of password management tools. These allow you to create and store complex passwords. Another way is a spreadsheet saved on a USB drive that you store in a safe place. Whatever your method is, every password needs to be different, and you need to change them on a regular basis. In addition, consider security monitoring software. I use the WordFence plugin to alert me to logins and changes to my WordPress site.
Provide opt-out methods
Another area you need to consider is how to let your users make a graceful exit. They need an easy way to opt out of your digital ministries. Be clear about how to unsubscribe from email lists. If you use church management software, let them know how they can delete their account. For more ideas on this subject, see a previous article on making exits easy.
A large part of GDPR compliance is informing your users. Now that you have made changes, do visitors know it? Do you have text that explains why you are collecting personal information? How is their data protected? What is the process for removing their data? Answer as many of these questions as you can at each of your data collection points. Add this information to your website instructions. A good solution is creating a separate page on your site that addresses all these concerns. That way your instructions can be shorter and include a link to your detailed page.
Do not forget to pray
Pray for guidance, wisdom, and a good memory. That memory is for all those areas you might have missed in the first step. You also may want to reach out to previous employees and volunteers. They may know of abandoned platforms you used in the past.
I published this article during the Easter weekend of 2018. You are quite busy, and may not want to jump into a new project. My timing is actually a coincidence, as I was just made aware of GDPR at my regular job. But you have less than two months. Review the importance of this with your leadership. Then begin the above checklist. This may be an incremental project with several steps. Work with each ministry and move them toward your goal. This will not only make you compliant with a new law; it reassures visitors that you care about their privacy.
Photo courtesy of Kostya Kisleyko