The General Data Protection Regulation (GDPR) is an EU regulation designed to protect the privacy of individuals in the EU. Compared to the EU’s previous privacy law, the Data Protection Directive, the GDPR aims to give EU individuals better control of their personal information in the modern digital world. The GDPR regulates the use and processing of personal data of individuals located within the EU. Personal data includes any information that can directly or indirectly identify an individual. This includes, but is not limited to, names, identification numbers, location data, and online identifiers such as an email address, an IP address, or a cookie identifier.
Organizations that have an establishment within the EU must comply with the GDPR. Organizations without an establishment within the EU are also required to comply with the GDPR when they use or process an EU individual’s personal data in order to:
offer goods or services to the EU individual, or
monitor the individual’s behavior.
For more information on the GDPR’s applicability and requirements, visit the official European Commission website. The United Kingdom’s Information Commissioner’s Office has also published a helpful guide.
The GDPR sets standards for how organizations may retrieve, use, store, transfer, and dispose of the private information of EU individuals. A couple of these standards are briefly summarized below.
Like previous privacy regulations, the GDPR allows an organization to collect personal data from an EU individual after obtaining the individual’s consent. However, organizations may need to revise their practices to meet the GDPR’s stricter definition of consent.
For consent to be valid under the GDPR, the EU individual must give it through a clear, affirmative action. This means the individual must "opt in" to sharing his or her personal data with the organization. Silence, inactivity, or a pre-checked opt-in box does not count as consent under the regulation.
Additionally, organizations must give EU individuals the right to withdraw their consent at any time, and it must be as easy to withdraw consent as it was to give it.
The GDPR also gives EU individuals more control over the use of their personal data. For example, an EU individual may request that an organization delete all his or her personal data once the purpose it was collected for has been fulfilled.
Ministries that consistently provide goods or services to EU individuals and obtain personal data in the process may be subject to the GDPR. Many ministries collect personal information when offering services through their website such as prayer requests, sermon downloads, online giving, or email newsletter subscriptions.
The GDPR recognizes that hosting a website that is accessible to individuals in the EU does not by itself mean that an organization is offering its goods or services to EU individuals. However, an organization may be subject to the GDPR if its website:
Uses the language or currency of an EU member state.
Allows goods or services to be purchased in that other language.
Specifically mentions the EU or individuals located in the EU.
A ministry may also have new obligations under the GDPR if the ministry monitors the behavior of individuals while they are in the EU. A ministry may be monitoring individuals if its website tracks personal data about visitors (for example, through cookies or analytics tools that record IP addresses or assign visitor identifiers) and further processes that data to analyze or predict behavior, personal preferences, or attitudes.
If your ministry offers products or services to others through its website, or tracks visitor data using internet cookies or other means, contact a locally licensed attorney and ask whether the features of the ministry’s website create new obligations under the GDPR.
The information provided here is only a brief introduction to the GDPR. The GDPR will affect some ministries more than others. Because it may be difficult to discern whether your ministry is gathering personal data of EU individuals, we recommend ministries review their data collection practices for all individuals that interact with the ministry or its website.
Seek attorney input. After reviewing your ministry’s data collection practices, contact a local attorney to determine whether the GDPR applies to your particular ministry, and what steps your ministry should take to comply.
Although the GDPR specifically protects the privacy rights of EU individuals, ministry leaders should consider and protect the privacy rights of individuals from any country, including the United States. A local attorney can help your ministry determine the federal, state, and local privacy laws and regulations that apply to your ministry’s operations.
Ministry leaders can limit their risk of a privacy lawsuit by ensuring private information is shared only with ministry staff members on a "need to know" basis. Whether private information is stored in a hard copy document or an electronic format, leaders will want to ensure that the ministry has appropriate safeguards to secure this information, such as placing it in a locked cabinet or encrypting and password-protecting electronic documents. Password protection is only as strong as the encryption behind it and the password chosen, so use the document format’s built-in encryption rather than a view-only restriction, choose a strong password, and do not send the password in the same message as the protected file.
*Important information: Brotherhood Mutual is pleased to provide Legal Assist as a complimentary resource. The services we offer through Legal Assist are intended to provide general legal information to our current and prospective policyholders.
The information we provide is intended to be helpful, but it does not constitute legal advice and is not a substitute for advice from a licensed attorney in your area. Accordingly, no attorney/client relationship is created through Legal Assist, and no legal advice will be provided. We strongly encourage you to regularly consult with a local attorney as part of your risk management program.