Church Operations · 8 min read · 7 April 2026

GDPR for Churches: What UK Church Leaders Need to Know in 2026

A plain-English guide to GDPR obligations for UK churches — covering lawful basis, consent, data retention, breach procedures, and how the right platform handles most of it for you.

By Aurnet Team · Church Tech

GDPR applies to every UK church that holds personal data about its members — which is all of them. Names, addresses, phone numbers, email addresses, giving records, pastoral care notes, and prayer requests are all personal data under the UK General Data Protection Regulation. Yet many churches are still uncertain about what they need to do. This guide explains the key obligations in plain English.

Lawful basis for processing

You need a lawful basis under Article 6 of the UK GDPR to hold and use personal data, and you should write down which one you rely on. For routine church administration (the membership list, rotas, contacting people about services) this is usually 'legitimate interests': you have a genuine reason to hold a member's name and contact details because they have joined your church. The ICO expects you to record a short balancing test, a legitimate interests assessment, showing that your reason is not outweighed by the member's interests. Much church data is also 'special category' data, which needs a second condition from Article 9 on top of the lawful basis: health information, pastoral care notes and, because belonging to a church reveals it, religious belief itself. The condition written for exactly this situation is Article 9(2)(d), which lets a not-for-profit body with a religious aim process such data about its members, former members and people in regular contact with it, provided the data is not disclosed outside the organisation without consent. Explicit consent is the alternative, and is what you need where that condition does not reach, for example sharing prayer requests beyond the membership or passing details to another organisation. Do not default to consent for everything: consent can be withdrawn at any time, and if you have no other basis you must then stop. Whichever route you take, record it: which basis, which condition, and when and how any consent was given.

Consent requirements

Consent must be freely given, specific, informed, and unambiguous. Pre-ticked boxes don't count. Burying consent in a long form doesn't count. The member must actively opt in, you must be able to demonstrate they did so (who consented, to what wording, when and how), and withdrawing consent must be as easy as giving it. This matters for mailing lists, photo permissions, and any data you share with third parties.

Data retention

You should only keep personal data for as long as you need it. If a member leaves your church, you don't have an ongoing legitimate interest in holding their contact details indefinitely. Set a retention policy and apply it to every copy of the data, including exports and old spreadsheets. For example, archive leavers after 12 months and delete after 36 months unless there's a legal reason to keep the data, such as Gift Aid records, which HMRC requires you to keep for six years. Note that a legal hold like that covers only the records the law needs (the Gift Aid declaration and the donations claimed against it), not the person's pastoral notes or everything else you hold about them.
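The retention rule above, written out as a small policy check that a church administrator could run over an export of the membership list. This is an added example, not Aurnet's code and not part of the original article. The 12/36-month figures and the six-year Gift Aid period come from the text; everything else is an assumption made for the example: the three record categories, a 365-day approximation of a year, a calendar-year accounting period for the Gift Aid hold, and the constructed sample members.

```python
"""Retention decision for church member records (added example, not Aurnet's code).

Policy figures come from the article: archive leavers after 12 months, delete after
36 months, but keep Gift Aid records for six years (HMRC). The record categories, the
365-day year, the calendar-year accounting period and the sample data are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

ARCHIVE_AFTER = timedelta(days=365)      # archive leavers 12 months after they leave
DELETE_AFTER = timedelta(days=3 * 365)   # delete 36 months after they leave
GIFT_AID_YEARS = 6                       # HMRC retention period for Gift Aid records

KEEP, ARCHIVE, DELETE, LEGAL_HOLD = "keep", "archive", "delete", "retain_legal_hold"
TODAY = date(2026, 4, 7)                 # review date used by the sample run


@dataclass(frozen=True)
class Member:
    name: str
    left_on: Optional[date]              # None while the person is still a member
    last_gift_aid_claim: Optional[date]  # most recent claim made on this donor's declaration


def gift_aid_hold_until(m: Member) -> Optional[date]:
    """Last day on which the donor's Gift Aid declaration and donation records must be kept.

    Assumption: the accounting period is the calendar year, so the hold runs to
    31 December six years after the year of the last claim. If your accounting period
    ends on another date, measure the six years from that date instead.
    """
    if m.last_gift_aid_claim is None:
        return None
    return date(m.last_gift_aid_claim.year + GIFT_AID_YEARS, 12, 31)


def base_action(m: Member, today: date) -> str:
    """Apply the 12-month archive / 36-month delete rule to a (former) member."""
    if m.left_on is None or today < m.left_on + ARCHIVE_AFTER:
        return KEEP
    if today < m.left_on + DELETE_AFTER:
        return ARCHIVE
    return DELETE


def retention_actions(m: Member, today: date) -> Dict[str, str]:
    """Decide, per category of data, what the policy requires today.

    The legal hold is narrow: it covers only the Gift Aid records, so contact details
    and pastoral notes are still deleted on schedule even for a recent donor.
    """
    base = base_action(m, today)
    actions = {"contact_details": base, "pastoral_notes": base, "gift_aid_records": base}
    hold = gift_aid_hold_until(m)
    if hold is not None and today <= hold and base == DELETE:
        actions["gift_aid_records"] = LEGAL_HOLD
    return actions


# Constructed sample members; names and dates are illustrative only.
SAMPLE_MEMBERS: List[Member] = [
    Member("current member", left_on=None, last_gift_aid_claim=date(2025, 12, 31)),
    Member("left last year", left_on=date(2025, 1, 15), last_gift_aid_claim=None),
    Member("left 2022, Gift Aid donor", left_on=date(2022, 6, 1), last_gift_aid_claim=date(2022, 3, 31)),
    Member("left 2018, Gift Aid donor", left_on=date(2018, 1, 1), last_gift_aid_claim=date(2017, 6, 1)),
]


def review(today: date, members: List[Member] = SAMPLE_MEMBERS) -> Dict[str, Dict[str, str]]:
    """Run the policy over every member and return the actions keyed by member name."""
    return {m.name: retention_actions(m, today) for m in members}


if __name__ == "__main__":
    for name, actions in review(TODAY).items():
        print(f"{name}: {actions}")
```

Run it and the 2022 leaver comes out as delete for contact details and pastoral notes but retain_legal_hold for Gift Aid records until the end of 2028, which is the distinction the policy has to make: the legal obligation keeps a narrow set of records, not the whole profile.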

Right to erasure

Members have the right to ask you to delete their personal data, and you must respond within one month. You must comply unless an exemption applies, most commonly a legal obligation to retain the data (Gift Aid records again). In practice, this means if someone asks to be removed from your system, you need to be able to find and delete all their data across every spreadsheet, document, and tool you use, and tell them what you have kept and why, or use a platform that can do it in one click.

This is where scattered data becomes a liability. If member data lives in WhatsApp groups, spreadsheets, email inboxes, and a separate giving tool, fulfilling a deletion request is near-impossible. A centralised platform makes it straightforward.

Data breach procedures

If personal data is accidentally exposed (a spreadsheet emailed to the wrong person, an unlocked phone with the member database visible, a WhatsApp group where phone numbers are visible to non-members), that is a personal data breach. A breach that is likely to result in a risk to the people affected must be reported to the ICO within 72 hours of you becoming aware of it, and if the risk is high, for example exposed pastoral or safeguarding notes, you must also tell the individuals without undue delay. You must keep a log of every breach, including the ones you decide not to report, with your reasons. You need a simple documented procedure: what counts as a breach, who to contact, and how to report it.

Do you need a Data Protection Officer?

Most small and mid-size churches do not need a formal DPO. The legal requirement applies to public authorities, to organisations whose core activities involve large-scale regular and systematic monitoring of individuals, and to those processing special category data on a large scale as a core activity. However, it is good practice to designate someone as the data protection lead, typically a trustee or admin, who understands the basics, is named in your privacy notice, and can respond to requests.

How a GDPR-compliant platform helps

Using a platform like Aurnet means the technical side of many GDPR obligations is handled by design. Member data is stored securely with encryption at rest and in transit. Access is controlled by role-based permissions, so the worship team lead cannot see giving records. Consent is collected digitally with timestamps. Data deletion can be performed from the admin dashboard. And because everything is in one system, you always know where member data lives. What a platform cannot take on is the accountability: your church remains the data controller, the provider is your processor, and the UK GDPR requires a written contract (Article 28) setting out what the processor may do with the data. Whoever you use, ask for that contract, for where the data is hosted, and for what happens to backups when you delete a member.

For detailed guidance, the ICO provides a free toolkit for small organisations at ico.org.uk. If your church hasn't reviewed its data practices recently, now is a good time to start — and using the right tools makes compliance significantly easier.

Aurnet is free to start and GDPR-compliant from day one. Set up your church in 15 minutes.
