General Data Protection Regulations (GDPR) 2018

Just like any other charity or organisation, all parishes must comply with the new General Data Protection Regulation (GDPR) which replaces the 1998 Data Protection Act and takes effect from 25 May 2018.


The new regulations give individuals more rights and protection over how their personal data is used by organisations.

For personal data to be stored legally, each individual must give their consent which must be “affirmative and unambiguous”

The legislation establishes seven basic principles for the storage of personal data.

Read the GDPR toolkit produced by St Asaph Diocese




What is personal data?

  • names and addresses
  • email addresses
  • telephone numbers
  • dates of birth
  • IP addresses and cookie identifiers

To whom does it apply?

  • members/complainants
  • clergy
  • office holders
  • volunteers
  • staff & former staff
  • job applicants
  • donors
  • sub-contractors

When/where does it apply?

  • registers of baptisms, marriages and funerals
  • information re news, events, activities, services etc
  • fundraising
  • Gift Aid
  • Website
  • social media
  • surveys
  • engaging sob-contractors

What are the principles?

Data can only be held

  • fairly and lawfully
  • for a specific purpose with a valid legal basis
  • if its relevant and adequate – the minimum that is needed
  • if it’s accurate and up to date
  • for as long as necessary
  • if it is secure
  • if its retention is accountable

Policies and procedures will be need to demonstrate the adherence to each principle

The national Church of England Parish Resources website has a page of advice, guidance, templates and a checklist to help parishes comply with the new regulations.

There are two guides:

The checklist covers the actions outlined in the guides, to help PCCs monitor progress.

Carrying out a data audit is recommended as the amount of personal data your parish stores and processes may surprise you.  Parish Resources has a template data audit document along with some helpful hints to get you started.

Parishes will also need to make sure they have consent to communicate with those on its mailing lists. you will need to have consent before you send marketing or fundraising communications to people, which includes general information about the activities of the parish, services and other events. Download our simple form

Parishes will also need to produce a Privacy Notice.  If you have a website, it’s good practice to make this available online.  A Sample Privacy Notice can be found here which can be amended and adopted.  Guidance on how you can write your own Privacy Notice is also available.

Finally however, there will be some data processing done as part of normal church management which you will not need to gain specific consent for, for example holding lists of group members etc.  This is covered by a special condition under the GDPR for religious not-for-profit bodies, provided the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without consent.