The General Data Protection Regulation (GDPR) and the Data Protection Act 2018 (which enshrines GDPR into UK law), are now in force. You may be coming to the end of all those emails telling you how much everybody cares about your data but the real question is, what has really changed and what do you need to do (or continue doing) now?
What has changed?
In short GDPR is now the law and you need to continue working on compliance with the current law rather than preparing for a future date. As a Connexional Church we are making sure we carry on working together to do what we can to protect privacy and keep information safe. Non-compliance can be serious, not only is it a breach of the law, but it puts at risk the privacy of members, ministers, adherents and all those whose personal data the Church holds. However, in practice, as emphasised by the Information Commissioner’s Office (ICO) the 25th May 2018 was not a watershed moment and the ICO are not suddenly imposing fines for minor infringements. As stated by Elizabeth Denham, the Information Commissioner, in an interview with the BBC on 18th April 2018, the ICO are not looking for perfection but for commitment. The Methodist Church is demonstrating its commitment through the toolkit of guidance, policies, templates, forms and training (Toolkit) produced by the data protection working party (Working Party). For Managing Trustees the main change as of 25th May 2018 is that the Church now has an overarching Data Protection Policy and associated policies and guidelines as well as template record keeping resources and guidance to help Managing Trustees protect personal information. There is also a Privacy Notice setting out how the Church uses personal information. Use the resources that have been specifically prepared for Managing Trustees.
What do we do now?
If as a volunteer or employee in the Methodist Church you use or have access to personal information, you are responsible for ensuring that such information is handled in accordance with data protection legislation. Now is a good opportunity to take stock of where your Local Church, Circuit and District is on the road to GDPR compliance. Whether your Local Church, Circuit or District is well down the road to compliance or at the beginning of the journey, refer back to the updated 9 Steps for Managing Trustees to Take to Comply with GDPR and use the resources in the Toolkit to help you to continue (or begin) to work towards compliance and keep data safe.
Post 25th May 2018:
- For an overview of the data protection responsibilities of those handling personal information within the Methodist Church, read and ensure those who handle personal information in your Local Church, Circuit or District read the Data Protection Responsibilities in a Nutshell.
- Carry out the data mapping exercise if you have not done this already.
- Read the updated 9 Steps for Methodist Managing Trustees to Take Now to Comply with GDPR and take the steps. These continue to be relevant and set out a clear path to follow towards compliance and to keep complying.
- Digest the Data Protection Policy (an overarching “policy” or “rulebook”), the Data Security Policy and the Breach Policy (Interim), review your local procedures and ensure that the policies and practical guidelines on keeping personal information safe are put in place.
- Familiarise yourself with the Privacy Notice and the lawful bases (legal reasons) to be relied upon depending on how personal information is being used by the Church as set out in the Annex to the Privacy Notice.
- Download the Privacy Notice from the TMCP website, display a copy publicly on your noticeboard and ensure you provide individuals with links to it as necessary by email and from your Local Church, Circuit and District websites.
- Check that somebody from your Circuit or District has been able to attend one of the face-to-face data protection training sessions provided by the Working Party; look out for upcoming training events and watch the data protection training webinars as these are released on TMCP’s website. The next training event is on 13th July 2018 in Plymouth. See the article Don’t Miss Out! – GDPR Training in the South West.
Most of all, post 25th May 2018 we need to keep doing what we have already started to do and help those Local Churches, Circuits and Districts who may be nearer the start of their journey than others.
What is there to help us comply?
The Toolkit has been prepared to give Managing Trustees the resources they need to comply with GDPR and the Data Protection Act 2018. The Toolkit was circulated to District Chairs, Synod Secretaries, Superintendents, District Property Secretaries (and those Data Champions who had made themselves known to the Working Party) on 25th May 2018 with the intention that the documents would work their way through to people with responsibility for data protection in Districts, Circuits and Local Churches. A list of the content with links is provided on the updated Data Protection Page. Further templates and documents are being produced for the Toolkit along with new FAQs and we will keep you updated through the News Hub.
If you have not already signed up to receive notifications of new articles published on TMCP’s website you can do so by looking out for the “Stay updated” banner which appears at the foot of each webpage, inserting your contact email address and confirming you would like to receive notifications when you receive a welcome email from TMCP.
If you have any questions please contact dataprotection@tmcp.org.uk on general data protection issues or dataprotection@methodistchurch.org.uk for queries specifically relating to safeguarding or complaints and discipline matters. We are reviewing the enquiries received and will continue to add to the existing frequently asked questions so that everybody can benefit from the practical points that you have raised with us.