⛪
ChurchRecords

GDPR Compliance

How ChurchDatabase helps your church comply with UK data protection law

ChurchDatabase is fully GDPR and UK Data Protection Act 2018 compliant. We've built our platform with privacy by design and provide tools to help your church meet its data protection obligations.

1. What is GDPR?

The General Data Protection Regulation (GDPR) and UK Data Protection Act 2018 are laws that protect personal data. As a church, you must comply when processing personal information about your members, visitors, and staff.

2. Your Responsibilities as a Church

2.1 Data Controller

Your church is the data controller: you decide how and why personal data is processed. You are responsible for:

  • Ensuring lawful processing of personal data
  • Obtaining proper consent where required
  • Maintaining accurate records
  • Protecting data security
  • Respecting individuals' rights
  • Reporting data breaches (if they occur)

2.2 Data Processor

ChurchDatabase is your data processor: we process data on your behalf according to your instructions. We provide the tools, but you maintain control.

3. How ChurchDatabase Helps You Comply

3.1 Lawful Basis for Processing

ChurchDatabase helps you document the lawful basis for processing each type of data:

  • Consent: Tools for obtaining and recording consent
  • Legitimate Interests: Templates for legitimate interest assessments
  • Contract: Automated processing for employment contracts
  • Legal Obligation: Built-in compliance for Gift Aid and financial reporting

3.2 Data Subject Rights

We provide tools to help you fulfill data subject rights:

  • Right to Access: Export member data in machine-readable format
  • Right to Rectification: Easy data editing and correction
  • Right to Erasure: One-click member deletion with audit trail
  • Right to Restrict Processing: Flags and permissions controls
  • Right to Data Portability: Export data in CSV, JSON, or PDF
  • Right to Object: Opt-out management for communications

3.3 Consent Management

  • Record when and how consent was obtained
  • Track what consent covers
  • Easy withdrawal of consent
  • Age-appropriate consent for children
  • Consent renewal reminders

3.4 Data Minimization

  • Collect only necessary data
  • Set retention periods for different data types
  • Automatic deletion after retention period
  • Regular data audit reports

3.5 Security Measures

  • 256-bit encryption for data in transit
  • AES-256 encryption for data at rest
  • Role-based access controls
  • Two-factor authentication
  • Regular security audits
  • ISO 27001 certified infrastructure

3.6 Breach Notification

  • Automated breach detection
  • Immediate notification to church administrators
  • Breach impact assessment tools
  • ICO reporting templates

4. Data Processing Agreement (DPA)

As required by GDPR, we provide a Data Processing Agreement that:

  • Defines our roles and responsibilities
  • Ensures data is processed only per your instructions
  • Maintains confidentiality
  • Implements appropriate security measures
  • Assists with data subject rights requests
  • Deletes or returns data upon termination

Get Your DPA: Your Data Processing Agreement is available in your account settings or by emailing dpo@churchdatabase.co.uk

5. Special Category Data

Churches often process special category data (e.g., religious beliefs, health information). ChurchDatabase helps you:

  • Identify special category data
  • Document lawful basis for processing
  • Apply extra security measures
  • Limit access to authorized personnel only
  • Conduct Data Protection Impact Assessments (DPIAs)

6. Children's Data

Enhanced protections for children's data:

  • Parental consent requirements for under-13s
  • Safeguarding flags and restrictions
  • Limited data collection for children
  • Automatic age-up procedures
  • DBS check tracking for those working with children

7. Privacy by Design and Default

ChurchDatabase is built with privacy at its core:

  • Minimum data collection by default
  • Privacy-preserving default settings
  • Pseudonymization where possible
  • Regular privacy audits
  • Privacy impact assessments for new features

8. Record Keeping

We help you maintain required records:

  • Record of Processing Activities (ROPA)
  • Consent records
  • Data breach log
  • Data subject rights requests log
  • DPIAs and LIAs

9. Training and Support

We provide:

  • GDPR training materials for church staff
  • Regular compliance updates
  • Data protection helpdesk
  • Templates for privacy notices and policies
  • Best practice guides

10. International Data Transfers

Your data stays in the UK:

  • UK-based data centres only
  • No transfers outside UK/EEA without your consent
  • Adequate safeguards if transfers are necessary
  • Transparency about any sub-processors

11. Regular Audits

We conduct:

  • Annual third-party security audits
  • Quarterly compliance reviews
  • Penetration testing
  • SOC 2 Type II certification

12. ICO Registration

Most churches need to register with the Information Commissioner's Office (ICO). We can help:

  • Determine if you need to register
  • Provide documentation for registration
  • Maintain compliance after registration

ICO Registration: Visit ico.org.uk to check if your church needs to register and to complete the process (currently £40/year for most churches).

13. Contact Our DPO

For GDPR questions or to exercise data rights:

Data Protection Officer
Email: dpo@churchdatabase.co.uk
Address: ChurchDatabase Ltd, Data Protection Officer, 123 Church Street, London, EC1A 1BB

14. Useful Resources

  • Information Commissioner's Office (ICO) - UK data protection authority
  • ICO Guidance for Charities - Specific guidance for charitable organizations
  • Download our GDPR Checklist for Churches (PDF)

© 2026 Church Records. All rights reserved. Registered in England & Wales.
