By Eric Seiberling
Over the past several months, the news has been full of stories about GDPR, identity theft, fraud and privacy concerns. Both the European Union and individual states like California have enacted legislation mandating that organizations protect personal data.
With these privacy initiatives, the burden of protection is on the organizations storing the data (including nonprofits).
Your church cannot ignore these changes designed to protect individuals’ information or claim ignorance. There will be significant penalties for being non-compliant. It doesn’t matter whether the information is paper-based or electronic. If you keep any records of personal information (even on an attendance pad), you need to protect and manage them.
The bottom line: If your organization collects or processes personal information of any type, you must safeguard it and comply with the regulations.
Don’t panic.
There are a number of steps that you can take to protect people’s information and safeguard the church.
Step #1: Conduct an information inventory across your church (members, staff and volunteers) and ministry participants. Start by surveying the leaders and members of your church as to the information they manage. United Methodist Communications has built a sample survey that you can use as a starting point. Build a survey that works for your ministry and then share it with everyone. To produce the survey, you may want to use an online survey tool to help you facilitate things.
Step #2: Gather the physical church records. Churches often have membership records and other personal information scattered across different closets, file cabinets and attendance books. Conduct a systematic search throughout the building and centralize records. Document what records are being kept, where they are stored and how they are secured. Consider moving all file cabinets to a single room that can be locked, preferably with even the cabinets locked.
Step #3: Do a comprehensive electronic audit. Computers, cloud backups and flash drives are the “bottomless closets” of the 21st century. Audit all staff computers, backups, emails and record-keeping systems for member records. Be sure to check your email database and website as well as Google Drive, Dropbox and other software tools. Add those to your inventory list. Make certain the data is password protected and encrypted. (Here is a guide for encrypting Microsoft Office applications, the primary tool for holding church data.)
Step #4: Purge data you no longer need. The General Commission on Archives and History provides guidelines on what documents you are required to retain and how to manage them. They also offer basic guidelines for managing and preserving electronic records. In general, keep what’s needed to:
Keep meeting records and other documentation as long as it’s useful; then get rid of it — whether it’s paper or electronic. The upside: reducing your total volume of data will help you find the information you need more easily.
Ensure that people who need to manage personally identifiable information (such as email and phone lists) keep it secure with a strong password and store it on a church computer, Google Drive or Dropbox. Confirm that those who no longer need access have deleted the data and emptied their recycle bin.
Step #5: Take steps to protect the data you want to keep. Here are a few steps a church can take to protect personal data without breaking the bank.
Step #6: Ask for permission. Anytime you gather personal data, be clear as to how you intend to use the data your church collects. We often collect registration information for events or at Sunday worship. Consider adding a check box for people to indicate how they would like the church to contact them (text message, email, etc.). Remember: Make sure you provide a way for people to opt out of any church communications.
Step #7: Create a privacy and data policy. What’s your church’s data privacy policy? What data does the church need to retain and for how long? How should data be stored? What’s the church’s password policy? Be clear as to what data you collect. Be transparent about how data will be used and with whom it will be shared. Build a website privacy policy from these examples and resources. Also take a look at UMCom’s article on web privacy for additional considerations. Use this information to create a short handout explaining the policy and a checklist of what to remember.
Step #8: Take steps to keep the church data safe. This is not a one-time event. Your church needs to take basic steps to:
This roadmap provides general guidance and good practices for churches to follow. It provides a strong foundation, but consider consulting with an expert to ensure your church complies with any international, federal, state and local regulations.