
GDPR Annual Checklist – Guidance

This page is designed to help Managing Trustees understand in more detail the checks that need to be made with regard to the General Data Protection Regulation (GDPR). It is also available to download from this page (GDPR Checklist breakdown).

Carrying out these checks may well highlight some deficiencies that need to be fixed.
Do people need any training to help them to understand and comply with the requirements?
If you have any questions about this, please contact Katrin Hackett, the District Data Champion (katrin@sheffieldmethodist.org) or call 0114 270 9990.

Check 1 – Data Mapping

Review the personal information the Local Church, Circuit or District holds (known as Data Mapping)

Carrying out a review of the information you hold about individuals is one of the most important aspects of data protection; knowing what you hold and who is holding it.
This can seem a daunting task at first. Every person who holds and uses data as a consequence of their role within the church should be asked about the data they hold. For example, the Church Council Secretary is likely to hold a contact list of Church Council Members and also the Church Council Minutes (which may contain personal data).
See also the section on Data Mapping for more specific guidance, especially if this check has not been carried out before.

  • Do you have an up-to-date record of what personal information is held by each of the people who are entitled to and need to hold data, as a consequence of the job that they do in the church or circuit (e.g. treasurer, pastoral visitors, Sunday School or Youth leaders)?
  • Are you satisfied that they only keep the minimum of personal information that they need to do their job?
  • Do you know how they keep that information? (On a computer, manual records?)
  • Do you know how they keep that information secure? (Computer passworded files, computer backups, manual records in a safe place?) Note that the level of security necessary does depend on how "personal" the information that is being held is.
  • Do you have a "handover" procedure for when one person stops doing a job and it passes to someone else?

Check 2 – Data Cleansing

Have you destroyed any personal information that is no longer required?

  • Have you checked that all the data being held has been kept up to date?
  • Are you satisfied that, when a "handover" has taken place, the person ceasing to do the job has deleted or destroyed all the relevant records?
  • Are records being cleansed (deleted/destroyed) after the recommended retention period? See the Retention Schedule for more detailed guidance, or consult with the District Archivist.

Check 3 – Privacy Notice

Review the Managing Trustees' Privacy Notice

The Managing Trustees' Privacy Notice is provided by TMCP (https://www.tmcp.org.uk/about/data-protection/managing-trustees-privacy-notice). A copy should be easily available in each church. Here are some suggestions as to how/where it could be displayed or referred to.

  • Include a notice on the board telling people where they can find the Privacy Notice. You could use the wording from the template Fair Processing Statement.
  • Include a link on your website and in your email footer to the most up to date version of the privacy notice. Again, use the template Fair Processing Statement.
  • Include the link in any directories or any other lists that you publish for your members
  • Add this QR code to the Fair Processing Statement as an alternative way to access the online version of the Privacy notice
  • Display a copy of the Symbol Truth statement on notice boards – this is a simple visual statement explaining that the Methodist Church will take care of information they collect about individuals, but also contains the QR link to the full Privacy Statement

Have you got a printed version of the latest Notice easily accessible – eg in the vestry?

Check 4 – Accuracy

Ensure your contact information is correct

  • Is the information that is being held, by all that are holding it, being kept up to date (addresses, phone numbers, email addresses etc.)?
  • Do you keep a record of when it was last checked?
  • Do you have a process for updating information?

Check 5 – Consents

Review & Renew Consents

The most common reasons where consent is required are:

  • Sharing contact details in a directory (or other document) where their information will be shared with third parties (eg where the directory is available to read in church foyers)
  • Publicising details about members or church activities including personal information on church websites, social media pages or in a newsletter
  • Requesting prayer for someone in a public setting (eg during open prayer in a church service or in a church newsletter)
  • Taking photos at an event to publicise on social media or other public platforms.

For those situations where consent is required:

  • Have you kept a record of how and when the consent was given?
  • Consent can be given verbally; this will still need to be recorded somewhere.
  • In some instances, clearly visible signs might be appropriate, especially if photographing a public event.
  • Do you need to renew that consent? You only need to renew consents if they are over two years old and you need to rely on consent as your only lawful basis.

Is your Consents Recording up to date?

Check 6 – Records

Review the "Processor Record" of the Local Church, Circuit or District

The Processor Record for Managing Trustees shows where the various records are held. It should be reviewed each year to see if any changes need to be made (for example – the contact details of the representative). You can download the Word version from this page. Please make sure your paper is set to Portrait orientation when printing out, otherwise the formatting can go wrong.

10. Consents Record – Ideally there should be a single document where all the consents are recorded, but in some cases it may be more appropriate to have more than one version. Consent is needed when personal data is made public (see Check 5).

  • Does everyone know where/how they record Consents?
  • Do you know where the Consents Record is held?

11. Categories of Processing: This is the Data Mapping table. As with Consents, the ideal would be a single document which can be easily checked, but it may be more appropriate to hold different ones relating to the role.

  • Do you know where the Data Mapping record is held?

12. Breach record: All instances of a personal data breach, regardless of how small (eg an email sent to the wrong recipient), should be recorded. This can be done here: Breach Reporting

  • Does everyone know how to report a breach?
  • Do you know where this record is?

13. Transfer of information overseas: In some cases you may be sending personal information overseas – for example, to a partner church for prayer request. If this is the case, a separate record is required on the Annex to the Processor Record.

Is this information (sections 10-13) recorded on the Template Processor Record for Managing Trustees?

  • Do you know where the Processor Record is stored?
  • A blank Processor Record for Managing Trustees can be downloaded from the link on this page if one has not been completed before.

Check 7 – Security

Review your Data Security

This section is asking that you make sure that the data is kept as secure as possible. Whilst this may be fairly straightforward in the church office, it is not as easy when people hold data at home. Things to be looked at might include:

  • Are all computers kept on the latest level of software update?
  • Do all computers have virus protection software?
  • Is the information on the computer either backed up regularly or kept on the cloud?
  • If a printed directory is produced, are those who hold a copy reminded to keep it where a member of the public cannot access it (for example, in a drawer rather than on a table by the phone)? Are they also reminded of what they can and cannot do with this information?
  • Are paper records (eg Room booking forms) kept in a locked filing cabinet?

Other things to consider

  • Do you have job specific email addresses that are only used for that job and are used by successive job holders?
  • Membership of church councils and circuit meetings changes on a continuing basis. Are new members (especially people new to a managing trustee role) given any induction?
  • Does that include their responsibilities with regard to GDPR?

You can complete the checklist by following this link: https://www.sheffieldmethodist.org/resources/data-protection/gdpr-checklist-report.html
