UK GDPR for Churches: What You Actually Need to Do
The UK General Data Protection Regulation (UK GDPR) has been in force since January 2021, but many churches are still uncertain about what it actually requires of them. The good news: compliance for a typical UK church is manageable. The bad news: ignoring it entirely is not an option.
This guide cuts through the jargon and tells you what a typical UK church needs to do in practical terms.
Are churches covered by UK GDPR?
Yes. Any organisation that collects, stores or uses personal data about living individuals in the UK is covered. And churches hold a great deal of personal data: member names and addresses, giving records, children's information, pastoral notes and more.
What are the basics?
UK GDPR is built around six principles: lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality. In practice, this means collecting only the data you need, being clear about why you're collecting it, keeping it accurate, not keeping it longer than necessary and keeping it secure.
Legal basis for processing
You need a lawful basis for every type of data processing. For most churches, the relevant bases are Legitimate Interests (for routine member management), Contract (for people who've signed up to something) and Consent (for optional communications like email newsletters).
For children's data, parental consent is required. For special category data such as health information or religious beliefs, the bar is higher: you need explicit consent or another specific exemption that applies to that processing.
What you need to have in place
At a minimum, a UK church should have: a Privacy Notice (explaining what data you collect and why, available to all members); a process for responding to Subject Access Requests (people can ask to see what data you hold about them); a way to handle deletion requests; and basic data security, such as strong passwords and not sharing databases via unencrypted email.
ChurchLinker provides tools for all of this: a customisable privacy notice template, built-in subject access request handling and granular consent tracking per member.
Do you need to register with the ICO?
Possibly. Most churches that process personal data beyond purely personal or household use need to pay the ICO's data protection fee (£40/year for small organisations). You can check and register at ico.org.uk. It's a small cost for a lot of protection.
The bottom line
UK GDPR compliance for a typical UK church is not as daunting as it sounds. The key steps are: write a simple privacy notice, get consent for your mailing lists, handle data requests when they come in and keep your member data secure. A good church management system like ChurchLinker makes most of this straightforward.
Try ChurchLinker free
Everything in this article is built into ChurchLinker. Start your free trial. No credit card required.