Guidance for congregations on new data protection rules
Mary McLeod, the Church’s Solicitor, answers some of the big questions surrounding this month’s change in data protection law.
FEATURE
Congregations have become used to the existing law on data protection, which has been in force since 1998. This law is changing on May 25, when the General Data Protection Regulation (“GDPR”) comes into force. The Council of the European Union has said that “the processing of personal data should be designed to serve mankind” and with this lofty aim in view, the GDPR gives people more rights and protections in how their personal data is used by organisations.
What is changing?
The good news is that the GDPR is based on six data protection principles, which are broadly the same as under the current law, so there will be few changes in practice to how congregations handle personal data. But since the GDPR is much like aunts in the canon of P G Wodehouse, sooner or later, out pops the cloven hoof. This comes in the form of a new “accountability” principle, which requires anyone who is “processing” personal information (ie doing anything with it, including storing it) to demonstrate how they comply with the other six principles. This brings with it significant additional obligations. It means, for example, that congregations must audit their processing activities, document decisions about their various types of processing, put appropriate policies in place and take advantage of available training. There is a lot of material on the Church website to help with this. It can be found on the “Resource” tab of the Law Department’s pages and includes:
• Data protection policy
• Data audit template
• Data retention policy
• Privacy Notice template
• Consent form
• Legitimate Interests Assessment template
• Data security breach management policy
• Subject access request policy
There is also detailed guidance on the GDPR and a set of FAQs. A webinar has been recorded and will be available on the Law Department’s Resource pages in April.
Is it necessary to get explicit consent for all data processing?
No. There are various legal bases for processing, one of which is where this is necessary for the purposes of the legitimate interests of the congregation. Consent as a basis for processing should only be relied on as a last resort, but there will be some circumstances where it is necessary eg including personal information in a congregational directory for circulation, or on a website.
What do congregations need to do now?
1. Appoint someone in the congregation to act as “lead” on data protection issues, read the available guidance and become familiar with what is involved to ensure compliance with the new law.
2. Using the data audit template, review what data is held, how it is stored, why it is held and what the legal basis for processing it is.
3. Referring to the styles available on the website, put appropriate policies in place, including Privacy Notices.
4. In the light of the guidance, decide whether you need to get explicit consent from some people before processing their personal data.
Do congregations need to register with the Information Commissioner’s Office (ICO)?
No. Full details have yet to be given but it is anticipated that the current system will remain in place and that each Presbytery will be able to pay one “umbrella” fee to the ICO to cover all congregations within its bounds.
What if we’re not ready by May 25?
Don’t panic! The ICO has said that they expect organisations to work towards compliance, and that if full compliance is not achieved by May 25 2018 they expect to see a plan for how this will be achieved within a reasonable timeframe after May.
Contact the Law Department at: lawdept@churchofscotland.org.uk for more information or visit their pages on the Church website.