The General Data Protection Regulation (GDPR) took effect in the UK on the 25 May 2018. It replaced the Data Protection Act 1998 and gave individuals more rights and protection in how their personal data is used by organisations. Parishes must comply with its requirements, just like any other charity or organisation.

Each church within the diocese acts as its own legal entity and each PCC needs to adhere to the rulings. The Church of England have created parish resources for us to use as a diocese.

These can be found on the following website

There is a handy two-page overview to act as a guide for PCCs

And a more in-depth document for PCCs

A presentation for training.

Action Required

We are advising each parish to review the data they hold and gain further consent for that data. Essentially parishes are likely to need to consider three areas for action:

1. Review what data you hold, how you store it, and what basis you have for processing it. We have a simple audit template that you may find useful.

2. You will need to have a Data Privacy Notice. We have a guide to help you do this here.

If you do not have a church website to publish your privacy notice, ‘A Church Near You’ has the facility for parishes to add their privacy notice to their church pages.

3. You may need to gain consent from some data subjects. Sample forms and guidance are available here.

Remember, though, that there will still be some data processing you can do as part of normal church management that doesn’t need specific consent for that particular action – for example, the electoral roll.

Subject Access Requests

Under the General Data Protection Regulation 2016 (‘GDPR’) a person will have the right to ask an organisation to confirm whether or not it is processing any of their personal data.

If you receive a Subject Access Request and have any concerns please contact the Diocesan office.

Please click here for a copy of:

Subject Access Request Guidance 

Letter - Subject Access Response – Provision of Information Requested 

Letter - Subject Access Response - Refusal to Provide Personal Information/ Request for Further Information

Data Breach

A personal data breach is a breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.  A temporary loss of personal data still constitutes a personal data breach.

Please click here for a copy of:

Data Breach Protocol 

Data Breach Protocol – Further Guidance for Data Protection Officer 

Personal Data Breach Log 

How to Encrypt a Memory Stick

If memory sticks are used to store personal data then they should be encrypted. Please click here for a guide on how to do this.

How to password protect an Excel File

If Excel spreadsheets are used to store and process personal data then these should be password protected. Please click here for a guide on how to do this.


A comprehensive suite of GDPR e-learning courses is now available for anyone within the Church of England structure (dioceses, cathedrals, parishes and other CofE organisations). The courses, delivered by specialist training provider Me Learning, cost £10 + VAT per course. Information on who should complete this training and how parishes can access it is here:

GDPR e-learning instructions for parishes

Frequently Asked Questions

Useful FAQs can be found here -

Gloucester Diocese have also produced a very in-depth GDPR FAQ page which may be of help -
