What the GDPR update means for churches

You've probably seen the acronym GDPR floating around lately. If not, it's the General Data Protection Regulation. Most companies are frantically updating their privacy policies, communicating with their audiences to make sure they know their data is safe, and working with lawyers to help them understand the new regulations. If you've felt lost, well, you're not alone. It can be quite confusing to digest and understand how or if it applies to your church. And while we are not a law firm and cannot give legal advice, we can give you a (very) basic overview of what GDPR is and what your church might need to do to comply. 


GDPR is a privacy update in effect for anyone living in, or doing work in, the European Union. After reading many articles, and thanks to HubSpot, we were able to boil down the update to three major areas: 

  1. Cookies
    What's the update: Under the GDPR, visitors need to be given notice that you’re using cookies on your website (in a language that they can understand) and need to consent to being tracked by cookies.

    What to do: You may want to update your website to include a cookies opt-in. 
  2. Lawful basis
    What's the update: Under the GDPR, you need to have a legal reason and permission to use someone’s data. You need lawful basis both to process (e.g. store data in your church management system or provide an ebook they requested) and to communicate (e.g. send an announcement email). 

    What to do: If you feel like you don’t have lawful basis, consider creating subscription types, updating your existing database with those subscription types and setting up your forms to establish lawful basis and permission moving forward.
  3. Deletion
    What's the update: Under the GDPR, your contacts can request that you give them a copy of all the personal data you have about them or delete/modify it.

    What to do: If you're thinking about GDPR compliance, consider adding that language to your privacy policy and setting up processes for complying with deletion requests.

The reality is that your church is probably not selling goods or services. But most of you do collect data, so it's good to be aware of what's going on. You've probably noticed that a lot of organizations are sending privacy policy emails updating their audiences. We don't necessarily think your church needs to do that. But if you're feeling uneasy about it and want to make sure you're covered, we've put together a simple email template you can use. 

Email Template

Subject: GDPR Privacy Policy Updates 

At _______, your privacy is important to us. We also want you to understand how we use information that we receive from you. As a result, we’ve recently updated our Privacy Policy to comply with the European General Data Protection Regulation (GDPR). You can read that updated policy here (LINK).

By continuing to interact with _______, you acknowledge and accept the current terms of our updated Privacy Policy, effective May 25, 2018.

If you have any questions about this policy, please feel free to contact us at (ADD GENERAL EMAIL ADDRESS).

Thank you for being a part of our church family! We appreciate you!

And there you have it! We hope you feel a little less overwhelmed, but if you want to learn more and dig deeper check out this article from HubSpot.