GDPR - 4 little letters but what do they mean?


On 25th May 2018 the new European General Data Protection Regulation (GDPR) comes into force and all UK organisations that keep any type of personal data need to ensure that they are compliant with this regulation by this date. This includes all of our churches.

The GDPR replaces the existing law on data protection (the Data Protection Act 1998, DPA) and gives individuals more rights and protection in how their personal data is used by organisations. Churches must comply with its requirements, just like any other charity or organisation.


In our March mailing we’ll send you a link to a UCAN GDPR pack containing more detailed information for the church context. We’ll also signpost you to a number of places where you can access expert help if there is something out of the ordinary with your churches data protection requirements. But for now, do make sure that you’ve read through the basics on GDPR and that this is on the agenda of your PCC/Elders/Deacons meeting. If you haven’t already done so, begin an audit of what type of personal data your church holds and where and how it is being held.


  • Read over the basics of GDPR, below, to ensure that you are familiar with the key concepts. 
  • Ensure that your church leadership/PCC/Elders/Deacons are briefed on the basics of GDPR and are aware of their responsibilities under the act. There is a downloadable 2-page summary paper which may be helpful to circulate to your leadership body at this stage. 


  • Use a checklist so that you know exactly which steps are relevant for your church. A good checklist can be found here.
  • Conduct a data audit so that you know what type of personal data you are holding, what it is being used for and how it is being provided and stored. A good audit template can be found here.


Draft new privacy notices and consent forms as required and circulate these after being sure that returned consent forms will be kept securely. Examples of these can be found here and here


You can find more detailed guidance on GDPR at these sources:

  1. The Parish Resources website has brilliant coverage of GDPR and is a good place to start.  
  2. Check with your local Diocese or Circuit (if you are part of one) and see what resources they have developed to help you. For example, the Diocese of London has developed an excellent and comprehensive GDPR toolkit which can be accessed here
  3. ChurchSuite and iKnow are also websites that contain a wealth of clear and useful resources on GDPR.
  4. The Information Commissioner’s website has some very helpful and more detailed guidance.


As an organization that collects and holds personal data itself, UCAN also needs to comply with GDPR, so we’ll be sending you information about the personal data we hold on you, what we will and won’t use it for and how we keep it safe.  We’ll need to ask for your explicit consent to continue to use your information for mailings. So please don’t forget, when you receive something like this from UCAN, click onto the link and update your communication preferences in our secure database.


Without your tick we'll lose touch!

The Basics of GDPR – an overview

The General Data Protection Regulation (GDPR) is a Europe-wide data processing law coming into force on 25 May 2018. The UK government has affirmed that GDPR will be UK law – Brexit will not mean we don’t have to comply.

The GDPR requires organisations to clarify exactly what personal data is collected and why, how it is stored, how it is processed and what it is used for.

Explaining the jargon

Personal data is information about a living individual which is capable of identifying that individual.  

Processing is anything done with/to personal data, including storing it.

The data subject is the person about whom personal data are processed.

The data controller is the person or organisation who determines the how and what of data processing.

Underlying Principles

The law is complex, but there are a number of underlying principles, including that personal data:

  1. will be processed lawfully, fairly and transparently.
  2. is only used for a specific processing purpose that the data subject has been made aware of and no other, without further consent.
  3. collected on a data subject should be “adequate, relevant and limited.” i.e. only the minimum amount of data should be kept for specific processing.
  4. must be “accurate and where necessary kept up to date”
  5. should not be stored for longer than is necessary, and that storage is safe and secure.

Consent rights and accountability

From May 2018, people will need to give their consent before you send them marketing and communications. This will need to be clear and unambiguous – some form of positive action to ‘opt-in’. You may need to gather this consent if you do not already have it.

Data subjects have a number of rights, including that of knowing how data is used by the data controller, of knowing what data is held about them, of correcting any errors and generally the right ‘to be forgotten’. Your church will need to make provision for people to exercise these rights, including developing a Privacy Notice.

The GDPR also introduces a stronger requirement on accountability for data controllers. This means that you must be able to show that you are complying with the principles by providing evidence.

In many ways, the GDPR does not differ hugely from its predecessor (Data Protection Act 1988 – DPA) except in its more detailed definitions of:

  • the higher standard for clear, unambiguous consent required
  • the requirement of explicit over implied consent and option to withdraw consent
  • who holds responsibility
  • the requirement of proof to demonstrate how an organisation is fulfilling the regulations

Lawful data processing

Under the GDPR, the conditions for lawful processing of data are:

  • Consent of the data subject
  • Processing is necessary for the performance of a contract with the data subject or to take steps
  • Processing is necessary for compliance with a legal obligation
  • Processing is necessary to protect the vital interests of a data subject or another person
  • Processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller
  • Processing is necessary for the purposes of legitimate interests* pursued by the controller or a third party, except where such interests are overridden by the interests, rights or freedoms of the data subject

Where none of the other five lawful bases for processing data apply, explicit consent is required. If an organization cannot prove explicit consent from a data subject, they would need to explain in detail what they believe the lawful basis for processing is in their case. In the case of churches this would likely be legitimate interest, but the responsibility would be on the data controller to be confident that such a basis would stand up in court.

As a church, you may well need to gain consent from some data subjects. Remember though that there will still be some data processing you can do as part of normal church management that doesn’t need specific consent for that particular action – for  example for purely administrative purposes in the church context Section 9(2)d may apply to some personal data*.

*Section 9(2)d is a special processing basis which allows religious (amongst others) not-for-profit bodies to process data provided the processing relates only to members or former members (or those who have regular contact with it in connection with those purposes) and provided there is no disclosure to a third party without consent.

The place to start is to audit what personal data your church is holding and for each type decide on the lawful basis you are using for processing that data. If no other lawful basis applies then you will need explicit, opt-in consent and be able to produce paperwork showing that you have it. If you do not currently have this in place then you need to update/create your privacy notices and consent forms and send these to everyone you want to continue to process personal data on.

News from Local Groups

Worcester Group

We last met on Wednesday 18th October, when we were hosted by Martyn Walley, at Wood Green Evangelical Church.

As we usually do, we shared lunch together, and enjoyed catching up with each other’s news, as well as welcoming a new member to the group.  We had a helpful discussion about a number of issues we come up against, both locally and more widely, as well as starting to think about GDPR, which no doubt will come up again as a topic next time we meet!  We finished with prayer, and as many of us hadn’t been to Wood Green before, with a tour around the church and its facilities.

We are next meeting on Wednesday 7th February, at Worcester Baptist Church, Sansome Walk, at 12.30pm.  If any other administrators in the area would like to join us, we’d love to see you there – do get in touch!

Alison Moore and Liz Wilson

Oxfordshire Group

We held our very first local group meeting on 27th September 2017 at the Barn’s Café in Abingdon, which is part of Christ Church Abingdon. The location was accessible for most people with the added advantage that we could order delicious sandwiches!  13 administrators came to the lunch meeting and we had several apologies due to holidays etc, so it was a very encouraging start to the group.

We shared a little with each other about the work we do as administrators, which varied greatly in terms of hours worked and roles undertaken.  Then we used John Truscott’s “Administrator Types”, based on Winnie the Pooh characters, to look at the different qualities and skills we bring to our jobs.  It was a fun exercise but also helped us to recognise how unique we all are.

We also talked about what we would like to get from the group and made suggestions about topics that we could cover in future meetings as well as letting those who didn’t know about UCAN membership and the wealth of resources available to members.

Since our first meeting we have set up a closed Facebook Group for administrators to ask questions and share ideas.  We are hoping to meet once a term and the next meeting is planned for March 2018.

Karen Stoddart and Vicky Johnston

The first official meeting of the South Yorkshire Group will take place on Tuesday 20th February at 12.30pm.  Hosted by Sally Davies they will be meeting at the Wilson Carlile Centre, Cavendish Street, Sheffield S3 7RZ in the Café area.  If you are in the area do come along and support the South Yorkshire group as it gets up and running. 

The Surry + Senior Manager group will meet on 1st February at Christ Church Woking.  For more details please contact Brian Howells. 

Congratulations to our distant learning students

Five students on our distant learning module, The Work of a Church Administrator,  have completed the whole course.  Well done to:

Debbie Marsh, Administrator of the Minster Church of St. Andrew Plymouth

Cathy Walters, Church Administrator of St. Mary's Wythall, Birmingham

Angela Davies, Administrator of Mickleover Methodist Circuit

Linda Tudor, Parish Administrator of Holy Trinity, Chester

Val Simpkins, Development Worker for the Beakon Mission Partnership, Doncaster

Congratulations to them all on a great achievement!

If you are interested in taking the course please do get in touch.  John Truscott continues to oversee the course which is run in association with St. John's School of Mission, Nottingham. More details are available from

There are currently over 30 students and four tutors involved in the course.  

What kind of Church Administrator are you anyway?

When I first started in church administration, lots of people, after the usual polite congratulations for the new job, paused and then asked me, ‘but what are you actually going to do?’  It was, as I was to find out, a good question!  As most of the administrators reading this will know, no two days are the same and it is a rare week indeed when you do not find yourself doing something that most definitely is not on your job description.

In response to those enquiries, I found myself using analogies to describe my role and, over the years, have found these helpful when working with administrators, ministers and church congregations who are trying to understand the key aspects of their administrators’ job and purpose.

I now offer them to you and please consider whether any or several of the below describes your role, and if so, what you might need to watch out for.  Maybe you could use this as the basis of a role review discussion with your minister or line manager?

The Bulldog

Your job is to protect the minister / other staff from those in the congregation, neighbourhood or elsewhere who are always clamouring for attention, answers etc.

Be careful that those you guard actually want and need to be protected.  An overzealous bulldog can be a dangerous thing for both its owner and the public who meet it!

The Conductor

Your job is to make sure everything fits together, everyone knows their part, where they should be, when and what they should be doing.

Be careful that you give space for that special person who often plays flat and off the beat, but nonetheless has a tune God wants them to perform.

Oil can

Your job is keep the wheels of the church in motion, checking for places it may be getting stuck and applying a little judicious oil to get things started again

Be careful that you do not spend all your time fixing problems without also looking for why they may be occurring in the first place.  Sometimes the church may actually need a mechanic.

Tea lady (or man)

Your job is to provide tea and a sympathetic ear to church and community members who pop into the office as a warm comfortable place to talk and sometimes moan

Be careful not to confuse accessibility with ability or gifting.  Are you the best person for this and is this the best use of your time just because people know where to find you?

Jack of all trades

Your job is to be the church’s ‘go to’ fixer.  You can be relied on to have a go, after all, who else will do it?

Be careful that you are not, by leaping to the rescue, getting distracted from the mundane, but important stuff that is waiting on your desk.

First mate

Your job feels like it is to be the minister’s ‘enforcer’.  You make sure things get done and everything is ‘shipshape and Bristol fashion’ in the church.

Be careful to communicate really well with your minister about what is really essential and what would just be nice if it were possible.  Messy church can also be good….


Your job is basically to take the blame for everything that goes wrong, particularly when it is not your fault or it is out of anyone’s control.

Be careful of your own mental and physical wellbeing.  Do this too often and it will take a toll on you and your family.  Who is also praising and affirming you?


Your job is to know everything about everything and everyone.  If in doubt, people know where to come for answers

Be careful of buses.  If you fell under one would all that knowledge, experience and information disappear? Write it down!

UCAN Members dived in together!

We've teamed up with our friends at ChurchSuite to provide every member with online access straight into the heart of the UCAN network.

We sent a personal invitation to every member church across the network, to set up a password and be able to connect in.

(Did you miss your invite? - e-mail for a replacement)

You can log in direct via the link on the new website and download the ChurchSuite App direct to your Android or Apple device from your device's store. If you're already familiar with the ChurchSuite interface, your app will allow you to seamlessly switch between your own church's interface and ours.

Once inside, you'll find all sorts of goodies - like the details of events (and you can book online too!), recordings and resources from previous conferences, and our on-line database of articles. You can quickly search for contact details of someone else you may have met in the network, and see local groups who may be near you. At any time, you can update your account and communications preferences with us - and lots of administrators have already been eagerly uploading their profile pictures to help us recognize each other when we next meet.

We've received great feedback so far, and are always happy to hear from you as we serve the church together.

At a venue near you!

A grand total of 21 local  groups of administrators/church managers are now officially listed with UCAN, spanning the country from Bournemouth to Aberdeen, from Northern Ireland to the M11!

Group sizes range from a handful to 40 (on the mailing list!), with each group meeting with timing, location and frequency to suit the constituent members.

Most meetings involve food and drink to a greater or lesser extent, and vitally provide a link with others who share the same joys and frustrations, and find that their burdens are lightened in this knowledge! Groups tend to include a mix of pre-arranged content, and informal opportunity to ask questions and benefit from each others’ wisdom and experience: hot topics seem to be databases and GDPR…but the range of discussions is as broad-ranging as our roles!

The newest group is in South Yorkshire – welcome to Sally Davies and her  members.  Take a look at ChurchSuite and see if there is already a group near you.  If not, why not get in touch with other UCAN members near you (search the membership database) and see if you could start one.  Just let us know if we can help you get this started – making contacts, working out formats, providing materials.  Any questions, please feel free to contact Isabel Willerton or I’m on the end of an email: