GDPR and International Ministry
Any time we hear about big news in the world of secular business, we ask ourselves how, or if, it will affect our ministries. Big ministries with a marketing wing have probably heard about GDPR, but we thought we’d reach out to our friends over at Brotherhood Mutual’s Legal Assist to see what they had to say about how GDPR may affect ministries with an international presence.
General Data Protection Regulation
The General Data Protection Regulation (“GDPR”) is a new regulation designed to better protect the privacy of residents of the European Union (“EU”). The previous EU privacy regulation, the Data Protection Directive, was created in 1995 and effective until May 25, 2018. Compared to the Data Protection Directive, the GDPR is expected to better protect EU residents in this digital age where information can be spread far and wide at the click of a button.
How the GDPR May Affect Ministries
Ministries that were already in compliance with the Data Protection Directive may need to modify their practices to meet the heightened requirements of the GDPR. The GDPR regulates the use and processing of personal data of EU residents. Although protection is only afforded to EU residents, the broad definition of “personal data” has far-reaching consequences that will likely affect US companies, organizations and ministries. “Personal data” includes any information that can directly or indirectly identify an EU resident. This includes, but is not limited to, names, identification numbers, location data, or online identifiers such as an email address or IP address. If a ministry’s website allows visitors to provide their name, email address, or other personal data, that ministry may want to contact a locally licensed attorney regarding any potential new obligations under the GDPR. Similarly, ministries that collect personal information from EU residents in paper form may also want to review their information privacy practices with the assistance of an attorney. Because it may be difficult to discern whether a ministry is gathering information from an EU resident or an individual outside of the EU at any given time, ministries may want to take this opportunity to review their data collection practices for all individuals that interact with the ministry or its website.
Key Concepts of the GDPR
Although a couple key concepts of the GDPR are noted briefly below, ministry leaders are highly encouraged to review the GDPR in its entirely with the assistance of an attorney to determine what steps are necessary for each specific ministry to adequately protect the personal data of its EU visitors.
Although previous EU privacy regulations required an organization to obtain consent from an EU resident before collecting his or her personal data, organizations may need to revise their practices to meet the GDPR’s more strict definition of consent. Organizations must offer EU residents a genuine choice of whether they agree to share their personal data. The resident must consent by taking a clear affirmative action, meaning he or she must “opt-in” to sharing his or her personal data with the organization. This means that pre-checked opt-in boxes are likely not permissible under the GDPR. Additionally, organizations must provide EU residents with a right to withdraw their consent at any time, and the method for withdrawing consent must be as easy as it is to give consent.
Lastly, it is important to keep in mind that organizations will be held accountable for both complying with the GDPR and demonstrating their compliance. This means that organizations should thoroughly document their data protection policies and practices and have procedures in place to periodically review them and confirm their adequacy. Larger organizations that regularly control or process a large amount of personal data may also need to appoint a Data Protection Officer to oversee the organization’s practices.
I hope this information is helpful. As noted above, the information provided here is only a brief introduction to the GDPR and ministries are highly encouraged to contact a licensed attorney to discuss whether their ministry needs to make any changes to their current data collection and privacy practices. In preparation for speaking with an attorney, ministry leaders might consider reviewing the resources provided by the official European Commission website.