Joe Merrill

Web Analytics and Marketing Consultant

Is your church GDPR Compliant?

The relationship between websites and the information they collect about the people who use them is changing on May 25th, 2018.  In this article I talk about why GDPR matters to your church or organization, explain what it is, and give you step by step instructions to make your church compliant.  


Before I launch fully into this post, it is important for me to say that what follows does not constitute legal advice.  While I have researched the law extensively and understand what steps you need to take to remain compliant, I am not a GDPR Compliance Officer.  

Failure to comply with GDPR can result in a fine of 4% of global revenue or 20 million euros, whichever is greater.  GDPR applies to all websites which may be visited by a European – regardless of whether the visiting European is physically in Europe.  

What is GDPR?

GDPR stands for General Data Protection Regulation.  It is a set of laws enacted by the European Union that come into effect on May 25th, 2018.  From a certain angle, data compliance law is pretty boring stuff.  From another angle, it matters on almost every level.  After all, in a post-Cambridge Analytica world, it is all too evident that aggregate information about all of us is powerful enough to influence politics and culture at every level.  

Since pretty much the beginning of the internet, people who browse on any website leave behind them what I’ll refer to as a digital trail of bread crumbs.  Websites have been picking up these ‘digital crumbs’ that are the result of people using their sites since day one, and analyzing them.  Since its beginning, Facebook figured out how to use these digital crumbs to customize almost every ad you see there.  Google does the same thing.

Websites own the digital crumbs that you leave behind.  This has always been the case.  GDPR changes that equation and gives the legal right of ownership to the one who created the trail of digital crumbs, and takes it away from the site on which it was left.  So, in a nutshell, that is what GDPR is – it is a transfer of ownership of the data that is left behind by users of the internet when they use the internet.

This transfer of ownership applies, as well, to all information users intentionally give away while viewing the internet, like email address, name, contact info, address – anything you would include in any contact form.  In fact, it also means that if you fill out a contact form for, say, a free download, that does not subscribe you to an email list.  The website owner is strictly only allowed to use your email to contact you for the express written purpose for which you gave your email.  

This means that all contact boxes must have a check box that remains, by default, unchecked, and links to the privacy policy of the site.  But we’ll get much more into that later on in the post.

Why does it matter for churches?

Churches have websites that, among other things, collect digital crumbs from people who use them.  They also collect email addresses, contact info, blog comments, and the like.  They store this information behind a (hopefully) secure firewall, protected by an SSL certificate and a constantly updated website so that no back doors are created through which a site can be hacked.  They have an easily identifiable privacy policy on their site that shows exactly how users’ data (digital crumbs) are stored, used, and disposed of. (Or at least, they are supposed to.)

GDPR forces the issue and ensures that we do, in fact, maintain best practices.  If we don’t, we are at risk of being fined.  Will the EU actually fine thousands of websites the day after this goes into effect?  Probably not.  But could they?  Absolutely.  Larger organizations (like a Seminary or a Diocese or an Initiative) are at greater risk since the odds are higher that they could, quite by accident, obtain, analyze, and store the data of European Citizens.

However, there is also a theological implication here.  One of the significant ways you demonstrate to the world that you are capable of being trusted is by being GDPR compliant.  Seeing the difficulty and choosing inaction communicates a message that we can ill afford.  One of the ways that we fulfill our calling to be light in the world is by being viewed as worthy of trust.  GDPR compliance, for all its technical tedium, goes a long way in increasing our visibility.  

What can/should I do about it for my website?

This is a good question to ask!  So far, we have discussed what GDPR is, and why GDPR matters to your church and your church’s website.  The rest of the article will give you a checklist of items you need to accomplish in order to make sure your website is as close to GDPR compliant as it can be.  The following 8 elements are crucial to GDPR compliance.  If you have any questions with them, I would be happy to consult with you and help you through the process.


Visitor Engagement

Email Contact Form

Any form that asks the user to contact you via email must now have an additional box that by default is unchecked. This box needs to have a link to the privacy policy of your website. Users must click it in order to complete the request. By clicking it, they acknowledge they have read your policy and agree to let you use their email.

Subscriber Form

Whenever a user subscribes to a newsletter, not only must they check the box, but they must receive an email in their inbox that informs them they have subscribed and asks them to confirm their subscription. This is called double opt-in. Double opt-in is now required.

Blog Comments

If you have a blog in which people can leave comments, all of their comments are being stored in your blog. That means you must give them a check box (which by default must be unchecked) in which they give you permission to store their comment data.

Opt In

Any time you have content on your blog that asks a user to give you any of their information in order to receive something (a sermon download, a call with the pastor, sign-up for a small group, a volunteer form for being the reader or serving at the altar), you must also give them that check box that links to your privacy policy.

Internal to the website

Third Party Software

Google Analytics, HotJar, TypeForm, Facebook Pixel, Constant Contact, MailChimp, and iContact all have new policies regarding GDPR. You must go into these accounts and accept the new policy and implement any changes they suggest. With Google Analytics and Facebook Pixel especially, you must be careful not to pass any personally identifying attributes into the system. Constant Contact, MailChimp, and iContact should all help by providing privacy check boxes in their opt-in forms.
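An added example, not from the post or from any analytics vendor's library, of keeping personal data out of a page-view report: the page URL is scrubbed before it is handed to the tracking call, so an email address in a "thank you" or unsubscribe link never reaches Google Analytics or Facebook Pixel. The parameter-name list and the `send` callback are assumptions.

```javascript
// Added example, not from the post or from any analytics vendor's SDK: scrub a
// page URL before it is reported as a page-view so that no email address or
// other personal field reaches the analytics account. The parameter-name list
// and the `send` callback are assumptions for illustration.
const PII_PARAMS = new Set(['email', 'name', 'phone', 'address', 'user', 'uid']);
const EMAIL_RE = /[^\s@\/]+@[^\s@\/]+\.[^\s@\/]+/;

// decodeURIComponent throws on malformed escapes; fall back to the raw text.
function safeDecode(s) {
  try { return decodeURIComponent(s); } catch (e) { return s; }
}

function scrubAnalyticsUrl(href) {
  const u = new URL(href);
  // Query string: redact known personal-field names and any value that looks like an email.
  for (const [key, value] of [...u.searchParams.entries()]) {
    if (PII_PARAMS.has(key.toLowerCase()) || EMAIL_RE.test(value)) {
      u.searchParams.set(key, 'REDACTED');
    }
  }
  // Path: unsubscribe or confirmation links sometimes embed the address itself.
  u.pathname = u.pathname.split('/')
    .map(seg => (EMAIL_RE.test(safeDecode(seg)) ? 'REDACTED' : seg))
    .join('/');
  u.hash = ''; // fragments are never needed for page-view reporting
  return u.toString();
}

// Wrapper a site would call instead of passing location.href straight to the
// analytics snippet; `send` stands in for the vendor's own tracking call.
function trackPageView(send, href) {
  const page = scrubAnalyticsUrl(href);
  send({ type: 'pageview', page });
  return page;
}
```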

Website policies

You must have a privacy policy on your website that is clearly accessible. This policy needs to talk about how you access user data, how you store it, and what you use it for. It needs to be written in readable English, not 'legalese'.

SSL Certificate

Install a security certificate on your site (the green padlock in the browser's address bar). Not only does Google warn everyone who views your site that it is insecure if you don't have it, but it also encrypts data your users give you so that it arrives safely on your site.

Keep your site updated!

Especially if your site is on WordPress. A site that isn't updated is a hacker's paradise. Not only is your site at risk if it isn't updated, but so is all the data you store about your users. Put up a secure firewall as well.

Final Thoughts

I hope this article helped to explain what GDPR is, why it matters to your church, and what you can do about it.  As you can see, GDPR compliance is not a thing you do and then forget about it.  Rather, it is an ongoing process that becomes part of the fabric of how you sustain and maintain your online presence.  If you need any help with this now or in the future, please don’t hesitate to let me know.  Just click on the helpful green button.

Please share this with any webmasters or people you know who may find it interesting and or useful.
