GDPR compliance guide
UK GDPR doesn't need to be overwhelming. ChurchLinker builds compliance into the platform so you can focus on ministry, not paperwork.
How ChurchLinker handles UK GDPR
Your role and our role
Under UK GDPR, your church is the Data Controller: you decide what personal data is collected and why. ChurchLinker is the Data Processor: we process that data on your behalf, following your instructions. This distinction matters: your church is responsible for having a lawful basis to collect the data (e.g. legitimate interests for pastoral care, or consent for marketing emails). We're responsible for keeping it secure and processing it only as instructed.
Lawful bases for church data
Most church data is held under Legitimate Interests (for pastoral care and administration) or Contract (e.g. employment records). Marketing and communication data typically requires Consent. ChurchLinker's consent management system makes it easy to record, track and honour consent for each communication channel per person.
Where data is stored
All ChurchLinker data is stored within the European Economic Area (EEA), on AWS infrastructure in the London region (eu-west-2). Data never leaves the EEA. Backups are encrypted using AES-256 and retained for 30 days.
Data Processing Agreement (DPA)
A signed Data Processing Agreement is available to all paid plan customers. It sets out ChurchLinker's obligations as a Data Processor, including security measures, sub-processor details, breach notification timescales and data deletion on contract termination. Email dataprotection@churchlinker.com to request yours; we send it within one business day.
Managing consent
Consent types in ChurchLinker
Each person in ChurchLinker has individual consent records for email communications, SMS communications, WhatsApp communications, photo and media use, and third-party data sharing. Consent is tracked separately for each channel; a person might consent to email but not SMS.
Recording consent
From a person's record, go to the Privacy tab to view and update consent. Record how consent was given (written form, verbal, online form), the date and any notes. This creates an auditable consent history. When consent is withdrawn, ChurchLinker automatically suppresses future communications on that channel.
Bulk consent management
If you've collected consent via a sign-up form, paper forms or a previous system, you can upload consent records in bulk using the CSV import tool under Settings → Import → Consent Records. Contact our support team if you need help with the format.
Online consent forms
ChurchLinker's member portal includes a consent preferences page where members can view and update their own consent choices. Direct members there when they first join, or include a link in your welcome email. This reduces your admin burden and gives members control over their data, which is best practice under UK GDPR.
Handling a Subject Access Request (SAR)
What is a SAR?
Under UK GDPR, any individual has the right to request a copy of all personal data your church holds about them. This is called a Subject Access Request. You must respond within one calendar month. ChurchLinker makes this straightforward.
Generating a SAR report
Go to People → find the person → Actions → Generate SAR Report. ChurchLinker produces a comprehensive, human-readable report in seconds covering: personal details, consent records, donation history, group memberships, event attendance, communications received, pastoral notes (access-gated to Administrators) and the full audit log for their record. Export it as a PDF and send it to the requester.
Members can also self-serve
A member doesn't need to email you. From their profile in the mobile app or web portal they can tap Download my data and get a ZIP of every record we hold on them, instantly, with no admin approval needed. The download is audit-logged so you can prove who requested what and when. This route satisfies the Art. 15 access right without any work from the church team.
What to include in your SAR response
Along with the ChurchLinker report, your response should confirm: who is the Data Controller (your church), the purposes for which their data is processed, the legal basis for processing, any third parties their data is shared with and how long their data will be retained. We provide a template letter you can adapt.
Charging for a SAR
Most SARs must be responded to free of charge. You can only charge a reasonable fee if the request is manifestly unfounded or excessive. If in doubt, contact the ICO or seek legal advice.
Right to erasure (deleting a person's data)
When the right to erasure applies
Individuals can request that their personal data be deleted. For churches, this right is not absolute; you may be able to retain some data for legal or contractual reasons (e.g. giving records for Gift Aid audit purposes). However, you must erase personal identifying information where no overriding legitimate interest applies.
Anonymising a record in ChurchLinker
Rather than deleting records outright (which would break giving history, attendance stats and other aggregate data), ChurchLinker uses anonymisation. Go to People → find the person → Actions → Anonymise Record. This replaces all personal identifiers (name, email, phone, address) with anonymised placeholders, while retaining the statistical data (donation amounts, attendance counts) needed for accounts and reporting. The person is removed from all communications and no longer appears in member-facing lists.
Members can file an erasure request themselves
From the member app or web portal, on /member/profile, there's a 'Right to be forgotten' card. The member fills in an optional reason and submits. The request lands in your admin queue at /dashboard/settings/data-requests with a clear 'Approve & erase / Decline with reason' choice. Approval runs the same anonymisation helper described above; declining requires a documented reason, which is shown back to the member (so they retain the ICO complaint route). The full audit trail of the request and decision is preserved.
Hard deletion
If a complete deletion is required and appropriate, go to People → find the person → Actions → Delete Record. This permanently removes all data associated with the person, including giving history. This action is irreversible; a confirmation is required. Consider anonymisation first in most cases.
Documenting your response
After processing an erasure request, ChurchLinker logs the action in the audit trail with the date, the admin who actioned it and the type of action taken. This gives you a record of compliance that you can refer to if challenged.
Children's data
Special category data
Children's data is not in itself 'special category data' under UK GDPR, but it is subject to additional safeguards. ChurchLinker restricts access to children's records: only users with Administrator or designated safeguarding roles can view children's medical notes, allergies and emergency contact details.
Photo and media consent
ChurchLinker includes a dedicated Photo/Media consent field on children's records, separate from the parent's communication consent. This must be specifically collected and recorded for children. Never use images of children in church communications without recorded consent.
Children's check-in and safeguarding
ChurchLinker's children's check-in system generates a unique QR code and collection code for each session. Only adults presenting the collection code can collect a child. This simple system significantly reduces safeguarding risk at busy Sunday sessions.
📋 Need a Data Processing Agreement?
Email dataprotection@churchlinker.com with your church name and charity registration number. We'll send a signed DPA within one business day. It's free for all paid plan customers.