Published by Dortha Owen. Modified over 6 years ago.
The General Data Protection Regulation GDPR parish workshop
GDPR – to cover
- What is the GDPR?
- What does it mean to parishes?
- What changes will it bring?
- How should parishes make these happen?
- Q&A and opportunity for discussion
GDPR – What is the GDPR? The General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU).
GDPR – Effective date
GDPR – who knows what?
With the introduction of the GDPR, we are dealing with a developing situation:
- The ICO* is still shaping it and working on guidance.
- The lawyers are still working out what parts of it mean in practical terms.
* ICO is the Information Commissioner's Office.
GDPR – key definitions
Personal data is information about a living individual which is capable of identifying that individual, e.g. name, address, IP address.
Processing is anything done with or to personal data, including storing it.
GDPR – key definitions
Data subject is the person about whom data is processed.
Data controller is the person or organisation who determines the how and what of data processing. (In a parish, this is usually the PCC or parish priest.)
GDPR – Data protection principles
Personal data must be:
1. used lawfully, fairly and with transparency
2. collected and used for specified, explicit and legitimate purposes
3. used in a way that is adequate, relevant and not excessive
4. accurate, and kept up to date where necessary
5. kept for no longer than is necessary for the purposes for which it is held
6. used and kept in a way that ensures security and protection
The controller must also be able to demonstrate compliance with all of the principles ('accountability').
GDPR – What the GDPR means for us
A cultural shift in our approach to data protection. We need to be more conscious of, and intentional about, data protection than before.
The General Data Protection Regulation Overview of Key Changes
GDPR – Overview of Key Changes
1. Accountability – we must be able to demonstrate our compliance as well as be compliant. We must know what personal data we hold, and be able to account for it. Gone are the days when you can have something in a cupboard that you don't know about, in a partially deleted file you may or may not know exists, or in a data cloud somewhere.
2. Changes to Privacy Notices (also called Data Protection Notices). The GDPR requires more detail and more specific application of the notice. Parishes have two Privacy Notices.
3. Lawful basis and consent for processing activity. You now need to identify the lawful (or legal) basis (there are six) for each processing activity. Consent is one of them.
4. Data Breaches. Breaches must be identified, recorded and, in more cases than before, reported to the ICO within 72 hours of becoming aware of them. Mechanisms are needed to handle these.
5. Increased individual rights. Includes a new shorter response time for Subject Access Requests: one month (it used to be 40 days).
Everyone will need to be more aware and consider:
- Is what I am doing in accordance with the Data protection principles?
- Am I upholding the terms of the Privacy Notice?
- If a person were to ask to see what we are holding on them, is there anything I would wish I had done differently, or that I would find hard to justify?
The General Data Protection Regulation Key changes in more Detail
GDPR – Key Changes in more detail
Next we will consider:
- How will these key areas impact on parishes?
- What do parishes need to do to comply?
The General Data Protection Regulation Data Audit and Recording
GDPR – Data Audit and Recording
Who is involved in a data audit? All of the key data users coming under the 'data controller', i.e. the PCC. So, in parishes, that will include the parish clergy, PCC officers, staff and volunteers.
Are we in the Diocese the only ones whom this concerns? No, all organisations (charities, businesses etc.) in the UK and EEA are affected.
GDPR – Data Audit and Recording
Why is it necessary? The GDPR requires us to know what data we are holding about the people we deal with, to inform them what we have and why, and to reassure them that their data is secure. We are also required to be able to give a report at any time, e.g. to our Trustees or to the data protection authorities.
What happens if we don't do it? Not knowing what you have is 'dangerous', as you can't control it or account for it. NB – an organisation was fined when data it didn't know it had was wrongfully accessed and used.
GDPR – Data Audit and Recording
Data audit and recording begins with the following questions. You need to be asking:
- What personal data do we hold?
- Where is it being held (including all electronic (incl. mobile) and paper-based locations)?
- Where has the data come from?
- What is the data being used for?
- Who has access to the data, and for what reason?
- Which third parties is the data shared with, how, and with what clearance?
GDPR – Data Audit and Recording
Further action – you may need to:
- Identify a key place for data
- Move data to a different location or device
- Take steps to improve data security
- Delete certain data
- Check whether a Data Protection Impact Assessment (DPIA) is required
The General Data Protection Regulation Data Breaches
We now turn to: Data Breaches
GDPR – What is a data breach?
A personal data breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.
GDPR – Data breaches
Data breaches caused by the transmission of emails are amongst the most prevalent. Typical breaches include:
- Emails and/or attachments being sent to the wrong person (or several people).
- Paper files being accessed by unauthorised persons.
- Loss or theft of a laptop or memory stick.
- Confidential waste not disposed of correctly.
- Confidential data left on top of printers/photocopiers.
- Computer screens left with personal data on view.
- An intruder penetrating the computer systems.
GDPR – Document and Report
Under the GDPR:
- Not all personal data breaches have to be reported. However, it is mandatory for the data controller (i.e. the PCC) to ensure that a personal data breach is reported to the ICO if it is likely to result in a risk to a person's rights and freedoms.
- A record must be kept of data breaches, together with a report on the breach.
- Where a personal data breach has to be reported to the ICO, this must be done without undue delay, and not later than 72 hours after becoming aware of the breach.
GDPR – avoidance
To avoid data breaches:
- Pause and check the recipient address before 'send' – watch out for 'autocomplete'.
- Use BCC (blind carbon copy) if the recipients should not be seeing each other's addresses. Failing to do so will cause a breach.
- Consider the nature of any attachment to the email.
- Secure locking of cupboards and office areas.
- Be aware of computer screens, e.g. in the vestry, and of papers left unattended in open areas.
- Ensure adequate computer security is in place.
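The first three email points above can be mechanised as a pre-send check. The following Python is an added example written for this page, not code from the workshop or the diocese: it inspects a draft message and reports outside addresses that can see each other in To/Cc (where BCC should have been used), any recipient not already in the parish address book (a likely autocomplete slip), and any attachment, so that the sender pauses before pressing send. The parish domain and the address book are assumptions, and the three sample messages are constructed for the example.

```python
"""Pre-send check for an outgoing parish email (added example, not workshop code).

Flags three patterns from the avoidance slide before a message leaves:
outside recipients visible to each other in To/Cc, a recipient unknown to the
parish (autocomplete picking the wrong person), and attachments going out.
"""
from email import message_from_string
from email.message import Message
from email.utils import getaddresses

PARISH_DOMAIN = "stexample.org.uk"  # assumption: the parish's own mail domain
# Assumption: a small address book; an address outside it may be an autocomplete slip.
ADDRESS_BOOK = {
    "office@stexample.org.uk",
    "treasurer@stexample.org.uk",
    "alice@example.com",
    "bob@example.net",
    "carol@example.org",
}
MAX_VISIBLE_EXTERNAL = 1  # more outside addresses than this in To/Cc means BCC was needed


def recipients(msg: Message, header: str) -> list[str]:
    """Lower-cased addresses from every instance of a header (To, Cc or Bcc)."""
    return [addr.lower() for _, addr in getaddresses(msg.get_all(header, [])) if addr]


def is_external(addr: str) -> bool:
    return not addr.endswith("@" + PARISH_DOMAIN)


def attachment_names(msg: Message) -> list[str]:
    """File names of every MIME part marked as an attachment."""
    return [part.get_filename() or "<unnamed>" for part in msg.walk()
            if part.get_content_disposition() == "attachment"]


def check_outgoing(raw: str) -> list[str]:
    """Return findings for one RFC 5322 message; an empty list means nothing to pause over."""
    msg = message_from_string(raw)
    findings = []
    visible = recipients(msg, "To") + recipients(msg, "Cc")
    external = sorted({a for a in visible if is_external(a)})
    if len(external) > MAX_VISIBLE_EXTERNAL:
        findings.append(f"{len(external)} outside addresses can see each other in To/Cc; move them to Bcc")
    for addr in dict.fromkeys(visible + recipients(msg, "Bcc")):  # de-duplicated, order kept
        if addr not in ADDRESS_BOOK:
            findings.append(f"{addr} is not in the address book; check autocomplete chose the right person")
    for name in attachment_names(msg):
        findings.append(f"attachment {name!r}: confirm every recipient should receive it")
    return findings


# Constructed sample: newsletter with every parishioner visible in To.
NEWSLETTER_TO = """\
From: office@stexample.org.uk
To: alice@example.com, bob@example.net, carol@example.org
Subject: Parish newsletter

Dear all, the May newsletter is below.
"""

# Constructed sample: the same newsletter done correctly, parishioners in Bcc.
NEWSLETTER_BCC = """\
From: office@stexample.org.uk
To: office@stexample.org.uk
Bcc: alice@example.com, bob@example.net, carol@example.org
Subject: Parish newsletter

Dear all, the May newsletter is below.
"""

# Constructed sample: autocomplete chose a look-alike domain, and a CSV is attached.
ROLL_WITH_ATTACHMENT = """\
From: office@stexample.org.uk
To: treasurer@stexampel.org.uk
Subject: Electoral roll
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="sep"

--sep
Content-Type: text/plain

Roll attached.
--sep
Content-Type: text/csv
Content-Disposition: attachment; filename="electoral_roll.csv"

name,address
--sep--
"""

if __name__ == "__main__":
    for label, raw in [("newsletter (To)", NEWSLETTER_TO),
                       ("newsletter (Bcc)", NEWSLETTER_BCC),
                       ("electoral roll", ROLL_WITH_ATTACHMENT)]:
        print(label, "->", check_outgoing(raw) or ["ok"])
```

Such a check only catches what it is told to look for: an address that is in the book but is still the wrong person, or an attachment that is simply the wrong file, still comes down to the sender pausing before 'send'.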
GDPR – in the event of a data breach
1. Immediately recall the email (if applicable). Even if the email is not recalled, this has the benefit of signalling to the unintended recipient that the email has been sent in error.
2. Contact the lead Data Protection person for the parish, and also gather key people around for their input/judgement.
3. The lead Data Protection person will ask for details of what happened, and of any action taken.
4. He/she will give you instructions which you should carry out straight away, unless told otherwise.
5. Keep the lead Data Protection person informed of updates.
The General Data Protection Regulation Individuals’ Rights
Now we turn to Subject Access Requests
Individuals' Rights
1. To be informed
2. To access data
3. To rectify mistakes
4. To have data erased ('be forgotten')
5. To restrict processing
6. To make data portable
7. To object to processing
8. To object to automated decision-making
GDPR – Subject Access Requests (SAR)
The second of the listed rights which individuals have is to access their personal data: to see what is being held, and to check the lawfulness of the use and the accuracy of the data. The data controller has one month from receipt of a SAR to comply (it used to be 40 days). No charge can be made (it used to be a £10 admin fee). SARs to most parishes have been infrequent to date; informed opinion is that SARs may increase.
GDPR – Subject Access Requests (SAR)
What to do if a SAR is received:
1. Recognise that a Subject Access Request has been received.
2. Having recognised that you have received a SAR (or if in any doubt), get in touch without delay with the Data Protection Compliance Officer for your parish.
3. Take action to ensure the request is responded to within one month.
The General Data Protection Regulation Privacy Notices and Consent
Now we turn to Privacy Notices
GDPR – Privacy Notices and Consent
What are these and what do they involve? Individuals continue to have a right to be informed about the processing of their data. This is done through a privacy/data protection notice. Under the GDPR, parishes must send (or give a link to) a Privacy Notice to all individuals whose data is being processed (including data being stored).
GDPR – Privacy Notices and Consent
Privacy Notices are now lengthy and must include:
- Purpose and lawful basis for processing
- Third parties to whom their data will be transferred
- Data retention periods, or the criteria used to determine the retention period, e.g. whilst in employment
- Individuals' right to lodge a complaint with the ICO
Data controllers must uphold what is stated in their Privacy Notices.
GDPR – Privacy Notices and Consent
Parishes have two Privacy Notices:
- Role holders in the parish (e.g. PCC members, Safeguarding officers)
- Non-role holders (i.e. a general privacy notice, for everyone else)
Key difference: the role holders' privacy notice reflects the role holders' data being passed, without their consent being required, to the diocesan and bishops' offices, to enable and support the role holders in carrying out their role.
No response is required to privacy notices. They contain everything a parish needs. They don't need to be signed. They must be made available, e.g. on the parish website or put up on the notice board. Individuals are also to be invited to give their 'consent' to the use of their data where required.
GDPR – Privacy Notices and Consent
The GDPR brings increased requirements around the need to obtain consent.
- Parishes need the consent of ordinary churchgoers and electoral roll members to whom the PCC wishes to send e.g. newsletters, or information about church activities.
- This should be made known e.g. at the APCM and at church services, with forms (with a link to the Privacy Notice) included in welcome packs and at the back of church.
- Consent must be capable of being freely given (by an 'opt-in', not 'opt-out', method) and easily withdrawn.
- Parental/guardian consent is needed for children under 13 (in accordance with a UK Bill; the GDPR itself states 16).
- A record of consent given must be retained.
The General Data Protection Regulation Contracts
Now we turn to policies on data protection
GDPR – Contracts
The GDPR requires that a parish:
- Updates its contracts to ensure they are GDPR compliant, e.g. remove references to consent in employee contract templates
- Recognises when others are processing its personal data, and ensures they do so securely
- Considers how data processors, e.g. digital service, payroll or pension providers, are selected
- Ensures there is a written contract in place which imposes GDPR obligations and sets out clear liabilities
GDPR – Contracts
Obligations placed on data processors require that those processing the parish's data:
- Do so under the parish's instruction
- Ensure confidentiality
- Keep the parish's personal data secure