GDPR is one year old

GDPR is one year old – is your church on track?

This weekend marks the first anniversary of the introduction of the GDPR (General Data Protection Regulations) legislation. GDPR is one!

The Europe-wide legislation came into force on 25 May 2018, forcing churches, charities and businesses to think again about how they manage, store and destroy personal data along with introducing significant fines for data breaches.

Lawyers have seen a few different trends emerging over the last few months:

Subject Access Requests – people are now more aware that they can submit a request and with the legislation having ended the fees that were chargeable for them, the number of requests has soared.  It basically means that people can ask for a copy of any personal data you hold on them (electronic or hard copy) and it’s not just restricted to employees: church members, ex-employees or unsuccessful job applicants can also submit a request.  You have up to one month to respond and usually cannot charge any fee.

Recruitment – it’s not as easy as getting a job applicant’s consent to run background checks before they start working for you anymore.  Employers need to check if they have a ‘legitimate interest’ in running a check and whether it’s proportionate.

In the last year, we’ve also not really seen any big fines as a result of a breach of the legislation being issued to employers.  Interestingly, so far, the ICO (Information Commissioner’s Office, who enforce GDPR), has issued only 127 enforcement notices for something in the region of 10,000 data breaches in the UK and 59,000 breaches across the EU during 2018.

However, experts believe that as we go in to the second year, we’ll see more of a compliance crackdown.

We’ve not done anything yet – where can we start?

Firstly, if you have a Partnership or Membership agreement, update it to let your church members know what data you hold and for what purposes. Use your AGM to show every member what record you have for them, asking them to check it’s accurate and highlight any errors or changes they’d like to make, including giving them the option to remove them completely (making them aware what impact, if any, this may have).  If a member leaves the church, make sure you securely destroy their data.

It’s also worth completing a data audit. Do you need all the information you hold (electronic and paper copy) on job applicants, employees (ex and current), volunteers and church members? What do you use it for? Is it up to date? If you can’t justify keeping the data, delete it, securely.

At the same time, check how secure your data is. If you keep hard copies, who has access to them and how are they stored? If it’s in an online system, have you restricted access to those who actual need it? How is it kept up to date?

Do you have a website? Look at getting a Privacy Statement on your website. This tells visitors to the site what you use their data for and how you will treat it. The ICO has useful information on what you need to include but if you haven’t got one, don’t delay as it is a legal requirement to have one.

Here’s a useful FAQ for charities on GDPR from the ICO:

Who are Cornerstone Resources?

Based in South Manchester, Cornerstone Resources offer a complete HR service to businesses, charities and churches. With over 40 years combined experience in HR, we can offer you an enviable combination of professional expertise and a service based on integrity and honesty. Best of all, we can save you time and money. 

For more information on our offering, including cost effective Outsourced HR support, click here. For a no obligation quote, call us today on 07494 161169 or 07908 875146 or click the below button to email us.

Click here



Leave a Comment