August 6, 2018
I know what you’re thinking. You’ve received numerous emails over the past few months about General Data Protection Regulation (GDPR) and you are sick of hearing about it. But what exactly is it and how is the church affected?
What is GDPR?
GDPR stands for the General Data Protection Regulation, and was passed by the European Union to provide their citizens with more control over their personal data and what those they’ve given their personal data to can do with it. In many ways, it could stand for Golden Data Protection Rule; as one with a biblical worldview could sum up GDPR as the Golden Rule of Data, treating others data the same way you want your data treated.
The law also provides a few specific provisions for EU citizens.
First, what is considered personal data is defined.
Second, EU citizens can request their data be completely removed or can only be used for certain purposes. (For example, you can contact me using my data but you cannot send me ads using my data.)
Third, organizations operating in the EU have to report any data breaches within 72 hours.
How does this impact churches?
GDPR requires a few things that I would hope churches around the globe are already doing:
- If your data is breached, you report it within 72 hours. Even without GDPR, every church should have a data breach plan and procedure in place and want to be open and honest when mistakes happen. The church is the last place that should try to cover it up for weeks or months.
- If a user wants you to remove them from your database, you remove them. Even without GDPR, every church should have a procedure to remove a record from their database if someone does not want any of their information stored with your organization.
- If a user wants you to email them prayer requests but nothing else, you honor that request. Even without GDPR, you should be able to send folks what they want and not require them to get everything you send out. There is a difference between sending out prayer request and fundraising requests: do you allow folks to determine how you use their data?
If your church or ministry does not have a data access and management policy, then get one. Even a basic policy and procedure for how you handle user data and requests they make is important and shows that you’ve thought about it and care about it.
- This is not an IT issue nor should this be dumped on the IT team. While IT clearly has a role in data management they should not be the decision makers. GDPR requires organizations that operate in the EU to have a privacy compliance officer. This can be a new employee or a role added to an existing employee. While churches and ministries may not need a privacy compliance officer the concept of having someone constantly checking to make sure you are being good stewards of data and coordinating that across ministry and church departments and silos is valid.
- Get legal counsel. If you do operate in the EU or are concerned you might it would be wise to consult with a licensed attorney with experience in this area. Don’t try to figure it out on your own. The EU is intent on enforcing GDPR and no church or church ministry should want to be on their radar.
The Golden Rule comes from Matthew 7:12 and Luke 6:31. “Do unto others as you would have them do unto you.” This applies to how individuals relate to each other in person and online, and also to how organizations treat each other and those they serve. Whether we are talking about money, data, time, or talent the Golden Rule is more than just a rule or ideology from long ago, it is the Word of God.
Source: Ministry Tech