GDPR – Frequently asked questions


When we ask for consent for our Communicant’s Roll, do we need to ask for any other consents?

The consent form for inclusion of an individual on the Communicants’ Roll should includes a consent for name and contact details to be shared with the diocese and the General Synod office


We have a number of children who have been admitted to communion – does the Communicants Roll refer to members age 16+ ?  

If children are on the Roll then they do need to be included in consent giving. The basic rule is that children aged 12 or over can sign for themselves, for those under that age, parents should sign.


Do we need to remove from our website and church magazine any/and or all telephone numbers and/or e-mail addresses?

Putting such information on a website amounts to disclosure to a third party so – yes.  Since the church magazine is likely to be available for anyone who might visit the church, it would be wiser to treat that also as disclosure to a third party.


If we are collecting names and addresses in our Visitor’s Book, is there an issue with leaving the book out in the church and storing full ones in our vestry?

If the visitors book is used purely as a kind of historical record of those who have visited the church, some kind of notice should be placed in or close to the Book so that when someone enters their details, they can see that the visitors book is maintained to keep a record of visitors to the church and is held for historical purposes in perpetuity. If it is used as a basis of future contact with visitors, for the church to follow them up with future invitations, information etc, then a consent form is needed.


Do we still need to get consent forms if we use a service like Mailchimp for distributing our monthly newsletter etc. to members outwith our own membership?

If people are signing up themselves to receive the newsletter they are, in effect, giving their consent. It would, however, be good practice to include the usual “unsubscribe” particulars at the end of all such newsletters.


Can we still stream church services, or put pictures of church attendees on our website?

Yes. However, you will need to carefully consider whether or not your should gain permission from the subjects first


We have a church directory and everyone has a copy. Do we need to stop doing this?

It is NOT recommended that you routinely give everyone access to large amounts of personal data. However, where you do rely on directories for phone trees or similar, consider the format you are using. It may be more secure to hold it in cloud-based software and give people access to that, than to print a copy out which could easily be left out on a coffee table or even on the bus.


Some of our ex-members may still have data on their computers. What should we do about this?

When people leave the church, you should make a reasonable effort to retrieve any printed or computer-held records to which they may have access. When you first make this information available, consider asking recipients to sign an agreement stating that they will return the information should they leave the church.


Can we use disclaimers on forms or in signage around the church instead of getting consent?

The short answer is: no. This is because a disclaimer does not give Data Subjects the opportunity to give explicit, opt-in consent. You may also find yourself contravening the GDPR stipulation that you should “avoid making consent a precondition of service” i.e. telling people that they have to give consent if they want to be part of the church.


What do we do if someone declines consent? What if they don’t respond at all?

If they decline consent, and you do not have another lawful basis for holding or processing their data, then you should delete them from your records. If they don’t respond at all, and you have made reasonable efforts to contact them, then you should also delete their records. Remember, this only applies if consent is the appropriate lawful basis.


Back to VESTRIES page