What is GDPR? Does it apply to me?
The General Data Protection Regulation (GDPR) is a regulation in EU law on data protection and privacy in the European Union (EU) and the European Economic Area (EEA).
Under the GDPR, personal data may only be processed if the data subject has given informed consent for one or more specific purposes, or if there is at least one other legal basis for the processing. The lawful bases set out in Article 6 are:
- (a) If the data subject has given consent to the processing of his or her personal data;
- (b) To fulfill contractual obligations with a data subject, or for tasks at the request of a data subject who is in the process of entering into a contract;
- (c) To comply with a data controller’s legal obligations;
- (d) To protect the vital interests of a data subject or another individual;
- (e) To perform a task in the public interest or in official authority;
- (f) For the legitimate interests of a data controller or a third party, unless these interests are overridden by interests of the data subject or her or his rights according to the Charter of Fundamental Rights (especially in the case of children).
The Church Admin plugin, and therefore your website, holds personal data – names, addresses, emails, phone numbers, children’s data, and the ability to contact people by email and SMS.
To comply with the GDPR:
- You will need to keep records as to how the permission was given.
- You can only keep the information for as long as it is operationally needed.
- You’ll also need to think about what other personal data you keep on paper and online and make sure it is secure.
- Some big changes have been made to the plugin to make sure it is compliant.
Church Admin now has…
- A PDF to report what data is stored for a household (people can make a “Subject Access Request” for free from 25th May 2018)
- Communication preferences on the register screen (explicit permission for email, SMS, phone and mail)
- Two-way Mailchimp synchronization
- A printable PDF form for each household explaining what data is held, confirming permissions, with space for signatures of all people over 16 years old in the household.
- All shortcodes/Gutenberg blocks require a login if they may display personal data. If you are not in the EU, you can add loggedin=FALSE if you want it open.
1) Make sure your site has an SSL/TLS certificate and is served over HTTPS – example: https://your.website
2) Make sure all Church Admin shortcodes that reveal personal data (mainly the address list) are only placed on pages that require the viewer to be logged in.
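The login gate described above, as an added example in WordPress PHP rather than the plugin's own code: the shortcode name example_address_list, the helper names and the sample household rows are assumptions. It shows why the loggedin attribute has to be compared as text (the string "FALSE" is truthy in PHP) and why any value other than an explicit off should keep the gate closed.

```php
<?php
// Added example, not the Church Admin plugin's code. The shortcode name
// [example_address_list] and render details are hypothetical; it reproduces
// the behaviour described above: personal data is hidden unless the viewer
// is logged in, and only an explicit loggedin=FALSE attribute opens it.

/**
 * Parse the loggedin attribute strictly. Shortcode attributes arrive as
 * strings, so a boolean test would treat "FALSE" as true. Only "false",
 * "0", "no" and "off" (case-insensitive) disable the gate; anything else,
 * including typos, keeps the default of requiring a login (fail closed).
 */
function example_login_required( $raw ) {
    $value = strtolower( trim( (string) $raw ) );
    return ! in_array( $value, array( 'false', '0', 'no', 'off' ), true );
}

function example_address_list_shortcode( $atts ) {
    // Default is TRUE: a shortcode with no attribute always requires a login.
    $atts = shortcode_atts( array( 'loggedin' => 'TRUE' ), $atts, 'example_address_list' );

    if ( example_login_required( $atts['loggedin'] ) && ! is_user_logged_in() ) {
        // Shortcodes must return output, never echo it.
        return '<p>' . esc_html__( 'Please log in to view the address list.', 'example' ) . '</p>';
    }

    // Constructed sample rows standing in for the plugin's household data.
    $households = array(
        array( 'name' => 'Smith household', 'email' => 'smith@example.org' ),
        array( 'name' => 'Jones household', 'email' => 'jones@example.org' ),
    );

    $out = '<ul>';
    foreach ( $households as $h ) {
        // Escape on output even for data the church entered itself.
        $out .= '<li>' . esc_html( $h['name'] ) . ': ' . esc_html( $h['email'] ) . '</li>';
    }
    return $out . '</ul>';
}
add_shortcode( 'example_address_list', 'example_address_list_shortcode' );
```

Placing [example_address_list] on a public page shows only the login prompt to visitors; [example_address_list loggedin=FALSE] opens it, which is only appropriate outside the EU and EEA as the text above notes.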
If you live outside of the EU and EEA, the General Data Protection Regulation does not apply to you. However, we do recommend that you consider adhering to it of your own volition.