I know what you’re thinking. You’ve received numerous emails over the past few months about General Data Protection Regulation (GDPR) and you are sick of hearing about it. Seeing GDPR one more time makes you want to scream. I’m with you. I’ve gotten emails about GDPR from companies that I have no record of ever interacting with, and I’m a geek so I keep track.
As I’ve traveled around the past few months since GDPR went into effect on May 25, 2018, I’ve been amazed at the number of questions folks are asking about it and the astonishing lack of available information, especially as GDPR relates to churches and ministries. In an attempt to narrow the knowledge gap here is my best effort to tackle the GDPR issue, specifically how it relates to churches and ministries. Please note, I’m not an attorney (I don’t even play one on TV), so while I’ve done my research it is always good to ask your legal counsel to sign off on any plans or changes you may have or plan to implement in response to GDPR. A data removal service can also be implemented if necessary.
What Is GDPR?
GDPR stands for the General Data Protection Regulation, and was passed by the European Union to provide their citizens with more control over their personal data and what those they’ve given their personal data to can do with it. In many ways, it could stand for Golden Data Protection Rule; as one with a biblical worldview could sum up GDPR as the Golden Rule of Data, treating others data the same way you want your data treated.
The law also provides a few specific provisions for EU citizens.
First, what is considered personal data is defined.
Second, EU citizens can request their data be completely removed or can only be used for certain purposes. (For example, you can contact me using my data but you cannot send me ads using my data.)
Third, organizations operating in the EU have to report any data breaches within 72 hours.
As you read the GDPR regulations you can understand why it was written. It took Equifax weeks to notify the world that they had been hacked. GDPR addresses that. Your data on Facebook makes you the product, not the customer and you have no control over what Facebook does with your data. GDPR addresses that.
How Does This Affect Those Not In the European Union?
This is the biggest question surrounding GDPR, and one that the entire planet is struggling to understand. The European Union has 500 million citizens, so they have the ability to push their agenda a bit. The challenge for organizations that operate worldwide is that the EU has set the strictest of standards, so do you operate with multiple policies concerning data collection and use based on where the individual lives or do you work off GDPR since that ensures the most people will be covered by your policies? If you don’t fully understand that you aren’t alone.
In response, some U.S. companies have stopped operating in the EU until they can figure this out. The issue is that although you are a U.S. company, you operate in the EU and are storing data for EU citizens. GDPR states how you should do that.
Enforcement
This is where the world of international law gets complicated. While GDPR tells you how you can/should store and use the information of its citizens it cannot be enforced on organizations that do not have a physical presence in the EU. Let’s take Facebook for example; they have a large, lucrative presence in the EU. They have data centers there, offices, and people — the whole ball of wax. As such the EU is able to enforce GDPR because of Facebook as a physical presence there. In other words, there is a location that can be seized, personnel that can be arrested, and executives that can be taken to court.
For organizations that do not have a physical presence in the EU, this does not apply. Since there is no office or data center or person you can hold accountable the EU is not able to enforce their laws on those outside the EU, for example, in North America. That’s how international borders work.
Blah, Blah, Blah, How Does This Impact Churches?
If you’ve skimmed the first part of this, that’s fine, but this is the part where you should pay attention: at its heart, the GDPR legislation is about being a good steward of data. While data can mean a lot of things (from name, address phone number, to t-shirt size, and food allergies) it is important for us to remember that in the church world data means people and people means souls. We did not need GDPR to tell us to be good stewards of the people our ministries serve.
The Bible tells us to be good stewards (1 Corinthians 4:2), the Bible also tells us to obey the authority (Romans 13), including governments, placed over us. In this case, it seems the EU government is telling those who operate in the EU to do what the Bible says and to be good stewards of data.
GDPR requires a few things that I would hope churches around the globe are already doing:
- If your data is breached, you report it within 72 hours. Even without GDPR, every church should have a data breach plan and procedure in place and want to be open and honest when mistakes happen. The church is the last place that should try to cover it up for weeks or months.
- If a user wants you to remove them from your database, you remove them. Even without GDPR, every church should have a procedure to remove a record from their database if someone does not want any of their information stored with your organization.
- If a user wants you to email them prayer requests but nothing else, you honor that request. Even without GDPR, you should be able to send folks what they want and not require them to get everything you send out. There is a difference between sending out prayer request and fundraising requests: do you allow folks to determine how you use their data?
What About Financial Data?
I’m sure by now some of you are wondering about financial data. What happens when someone gives you money and then wants to be totally removed? In the US, you are required to keep a record of that financial transaction for 7 years. Even without GDPR, if someone wants to be removed, but they’ve given you money, do you have a procedure to remove them while still keeping the financial record for 7 years and then removing them completely when the 7 years are up?
As most churches don’t have a physical presence in the EU there isn’t an issue here but what happens if you do have a presence in the EU and someone from the EU gave you money and then wanted to be removed from your database? The principle is to apply donor intent; they don’t want to be in your database so you treat them as if they weren’t there by removing everything you can until such time as you can remove their record entirely.
While there may be a lot of legal and international law issues at play here I believe the core concept is not a legal one but one of ministry integrity. We should not have needed GDPR to tell us how to care for the data those we minister to have entrusted to us.
Next Steps
- If your church or ministry does not have a data access and management policy, then get one. Even a basic policy and procedure for how you handle user data and requests they make is important and shows that you’ve thought about it and care about it.
- This is not an IT issue nor should this be dumped on the IT team. While IT clearly has a role in data management they should not be the decision makers. GDPR requires organizations that operate in the EU to have a privacy compliance officer. This can be a new employee or a role added to an existing employee. While churches and ministries may not need a privacy compliance officer the concept of having someone constantly checking to make sure you are being good stewards of data and coordinating that across ministry and church departments and silos is valid.
- Get legal counsel. If you do operate in the EU or are concerned you might it would be wise to consult with a licensed attorney with experience in this area. Don’t try to figure it out on your own. The EU is intent on enforcing GDPR and no church or church ministry should want to be on their radar.
The Golden Rule comes from Matthew 7:12 and Luke 6:31. “Do unto others as you would have them do unto you.” This applies to how individuals relate to each other in person and online, and also to how organizations treat each other and those they serve. Whether we are talking about money, data, time, or talent the Golden Rule is more than just a rule or ideology from long ago, it is the Word of God.
