Data Protection and the GDPR
From 25 May 2018 data protection law changed significantly with the introduction of the General Data Protection Regulation (GDPR). The purpose of this page is to assist clergy and parish officers in their compliance with data protection legislation.
If you are seeking information on how the diocese complies with data protection legislation, please visit this page - Data Protection and Privacy
All parishes process personal data. 'Processing' is a term which covers all possible uses of personal data, obtaining, sharing, storing, deleting etc. Personal data should be processed in accordance with the principles which are set out in the GDPR.
To assist PCCs to adhere to these principles it is recommended that each Parochial Church Council (PCC) have a Data Protection Policy, Privacy Notice and Written Procedures. It is also recommended that they appoint someone or a small group to lead on Data Protection issues and consider how the PCC complies with the law. Even though PCCs are not obliged to have a Data Protection Officer they will need someone to oversee the work and assist with compliance. There are two template policies listed below which are based on templates offered by the National Church. Please bear in mind that they are only templates and therefore consideration needs to be given as to what is appropriate in each context. If adopted each PCC would be responsible for reviewing their own documents and keeping them up to date.
- Template Data Protection Policy
This offers a general template policy for the whole area of Data Protection
- Template Individual Rights Policy
This is a template policy specifically aimed at data subject rights and how the organisation deals with rights requests.
Should the PCC need to conduct a Data Protection Impact Assessment (DPIA) please use the template offered by the ICO which can be downloaded here
The National Church have prepared very useful guidance to help PCCs in their compliance with the GDPR. This contains samples and templates for some documents which will be required under the GDPR.
Please refer to this website from time to time as the material on it is being updated periodically.
Data Controllers need to pay an annual fee to the ICO, unless they are exempt. There is an online self assessment, which may help to determine whether data controller is exempt - ICO self-assessment
The ICO website also contains helpful guidance on complying with Data Protection law.
Slides from the Area Data Protection Training events can be downloaded here.
Over time, PCCs acquire a great deal of records. The National Church have prepared guidance on retention of these files - Keep or Bin?.