Q: Should my ministry be concerned about the General Data Protection Regulation (GDPR)?

A: Ministries located within the European Union (EU) that were required to protect the privacy and data of EU citizens through compliance with the EU Data Protection Directive may need to modify their practices to meet the heightened requirements of the GDPR. Ministries located outside of the EU may also have new data protection responsibilities when interacting with EU individuals. Learn more about the regulation and how it could impact your ministry’s data-collection activities.

 

The GDPR Explained

The GDPR is a new EU regulation designed to protect the privacy of citizens of the EU. Compared to the EU’s previous privacy regulation, the Data Protection Directive, the GDPR aims to give EU individuals better control of their private information in the modern digital world. The GDPR regulates the use and processing of personal data of individuals located within the EU. Personal data includes any information that can directly or indirectly identify an individual. This includes, but is not limited to, names, identification numbers, location data, or online identifiers such as an email address or IP address.

Organizations that have an established location within the EU must comply with GDPR regulations. Organizations without an established business within the EU are also required to comply with the GDPR when using or processing an EU individual’s personal data in order to:

  • offer goods or services to the EU individual, or

  • monitor the individual’s behavior.

For more information on the GDPR’s applicability and requirements, visit the official European Commission website. The United Kingdom’s Information Commissioner’s Office has also published a helpful guide.

Key Concepts of the GDPR

The GDPR sets standards for how organizations may retrieve, use, store, transfer, and dispose of the private information of EU individuals. A couple of these standards are briefly summarized below.

  1. Consent

Like previous privacy regulations, the GDPR allows an organization to collect personal data from an EU individual after obtaining consent from the individual. However, organizations may need to revise their practices to meet the GDPR’s more strict definition of consent.

For consent to be valid under the GDPR, organizations must receive explicit approval from the EU individual. This means the individual must "opt-in" to sharing his or her personal data with the organization. A pre-checked opt-in box likely is not permissible under the new regulation.

Additionally, organizations must provide EU individuals with a right to withdraw their consent at any time. The method for withdrawing consent must be as easy as it is to give consent.

  1. Individual Rights

Under the GDPR, EU individuals have a right to know details about an organization’s use of their data. This may include which types of personal data will be collected, how the data will be used, and additional entities with whom the organization may share the data. This may require a review of your ministry’s online privacy policies and terms of use to ensure that visitors are provided with adequate information regarding data collection and use.

The GDPR also gives EU individuals more control over the use of their personal data. For example, an EU individual may request that an organization delete all his or her personal data once the purpose it was collected for has been fulfilled.

How the GDPR May Apply to Ministries

Ministries that consistently provide goods or services to EU individuals and obtain personal data in the process may be subject to the GDPR. Many ministries collect personal information when offering services through their website such as prayer requests, sermon downloads, online giving, or email newsletter subscriptions.

The GDPR recognizes that hosting a website that is accessible to individuals in the EU does not by itself mean that an organization is offering its services to EU individuals. The GDPR notes that an organization may be subject to the GDPR if the website:

  • Uses the language or currency of an EU member state.

  • Allows goods or services to be purchased in that other language.

  • Specifically mentions the EU or individuals located in the EU.

A ministry may also have new obligations under the GDPR if the ministry monitors the behavior of individuals while they are in the EU. A ministry may be monitoring individuals if the ministry’s website tracks personal data about visitors and further processes the data to analyze or predict behavior, personal preferences, and attitudes.

If your ministry offers products or services to others through the ministry’s website or tracks visitor data using internet cookies or other means, contact a locally licensed attorney and ask whether the features of the ministry’s website may create new obligations under the GDPR.

How Can I Determine Whether GDPR Applies to My Ministry?

The information provided here is only a brief introduction to the GDPR. The GDPR will affect some ministries more than others. Because it may be difficult to discern whether your ministry is gathering personal data of EU individuals, we recommend ministries review their data collection practices for all individuals that interact with the ministry or its website.

  1. Find the sources. Determine who your ministry obtains personal data from, and how your ministry collects that information. Identify unique areas of concern for your ministry. Do your ministry’s records contain personal information about foreign missionaries or other international individuals? Does your ministry’s website use cookies or other tracking services to collect visitor data? Identifying your ministry’s data sources is a crucial step toward determining whether the GDPR applies to your ministry.

  2. Seek attorney input. After reviewing your ministry’s data collection practices, contact a local attorney to determine whether the GDPR applies to your particular ministry, and what steps your ministry should take to comply.

Privacy Is Important for All Ministries

Although the GDPR specifically protects the privacy rights of EU individuals, ministry leaders should consider and protect the privacy rights of individuals from any country, including the United States. A local attorney can help your ministry determine the federal, state, and local privacy laws and regulations that apply to your ministry’s operations.

Ministry leaders can limit their risk of a privacy lawsuit by ensuring private information is shared only with ministry staff members on a "need to know" basis. Whether private information is stored in a hard copy document or an electronic format, leaders will want to ensure that the ministry has appropriate safeguards to secure this information, such as placing it in a locked cabinet or encrypting and password- protecting electronic documents.

 

 

*Important information: Brotherhood Mutual is pleased to provide Legal Assist as a complimentary resource. The services we offer through Legal Assist are intended to provide general legal information to our current and prospective policyholders.

The information we provide is intended to be helpful, but it does not constitute legal advice and is not a substitute for the advice from a licensed attorney in your area. Accordingly, no attorney/client relationship is created through Legal Assist, and no legal advice will be provided. We strongly encourage you to regularly consult with a local attorney as part of your risk management program.