Church Communications

GDPR for Churches — What UK Parishes Need to Know

Tuesday, April 21st, 2026 · Ian Tearle · 13 min read · 0 comments
Compliance

This article provides general guidance only and does not constitute legal advice. For specific situations — particularly around safeguarding records, employment data, or data breaches — consult your diocese, a solicitor, or the ICO directly.


GDPR applies to churches. It applies whether you’re a large diocese managing thousands of records or a small rural parish with a paper address book and a weekly bulletin email list. The regulation doesn’t distinguish between commercial organisations and religious ones — if you hold personal data about living individuals, the rules apply to you.

The good news is that GDPR compliance for a typical UK parish is not as complicated as it sounds. Most of what it requires is formalising good practice that parishes should already have in place. This guide covers the essentials.


Does GDPR apply to your parish?

Yes, if you:

  • Hold a list of parishioner names, addresses, or contact details
  • Send a newsletter or bulletin by email
  • Keep records of Gift Aid declarations
  • Store baptism, marriage, or funeral registers
  • Use ChurchSuite or any other church management system
  • Run a website with a contact form or analytics
  • Keep personnel records for staff or DBS-checked volunteers

In short: almost certainly yes.

Who is responsible? Your parish (or the legal entity it operates under — often a diocesan trust) is the data controller — the organisation that determines why and how personal data is processed. Software providers like Google, ChurchSuite, or Mailchimp act as data processors — they process data on your behalf under your instructions. You remain responsible for how that data is used.


Do you need to register with the ICO?

Most organisations that process personal data must pay the ICO (Information Commissioner’s Office) data protection fee. The fee is tiered: tier 1 for small organisations (no more than 10 staff, or a turnover of £632,000 or less) and tier 2 for medium ones, and charities pay the tier 1 fee whatever their size. The amounts rose in 2025 (tier 1 is now £52 a year, tier 2 £78), so check the current figures on ico.org.uk rather than relying on any article.

Exemptions exist: no fee is due if all of your processing falls within the exempt purposes (staff administration, accounts and records, the membership and support activities of a not-for-profit body, and personal or household purposes, among others). A parish that only keeps member records and its own accounts may fall within them, but using CCTV, running a school, or carrying on any commercial activity usually takes you outside them, and the ICO reads the exemptions narrowly.

Check the ICO’s self-assessment tool at ico.org.uk/registration to confirm your status. If in doubt, register — the fee is modest and it protects you.


The six lawful bases for processing

Every time you process personal data, you need a lawful basis for doing so. UK GDPR provides six (consent, contract, legal obligation, vital interests, public task and legitimate interests). Vital interests and public task rarely apply to a parish; the following three do most of the work:

1. Legitimate interests

This is the most flexible basis and the one parishes use most often. The ICO’s three-part test applies: identify a legitimate interest (purpose test), show the processing is necessary to achieve it (necessity test), and check that the individual’s interests and rights don’t override it (balancing test).

Typical parish uses: maintaining a parishioner contact list for pastoral care, sending a weekly bulletin to regular Mass-goers, keeping records of who volunteers on which rota.

The balancing test usually decides it: would a reasonable parishioner expect you to hold and use this data in this way? If yes, legitimate interests is likely appropriate. Write the reasoning down as a short legitimate interests assessment (LIA) so you can show it if challenged.

2. Contractual necessity

Processing is necessary to fulfil a contract with the individual — for example, processing payment information for a hall booking, or holding employment details for a paid member of staff.

3. Legal obligation

You’re required to process the data by law — for example, maintaining Gift Aid records for HMRC, or keeping DBS check records for safeguarding purposes.

What about consent?

Consent is often assumed to be the default lawful basis, but it’s actually one of the more demanding options. Consent must be freely given, specific, informed, and unambiguous — and individuals must be able to withdraw it as easily as they gave it. If someone withdraws consent, you must stop processing their data for that purpose.

For most ongoing parish communication, legitimate interests is more appropriate than consent — particularly where the relationship is established and the processing is what a reasonable person would expect. Where you genuinely need consent (e.g. sending marketing emails to people who aren’t existing members, or processing special category data), make sure your consent mechanism meets the GDPR standard.


Special category data

Some personal data requires extra protection. In a parish context, the most significant category is religious beliefs — explicitly protected under UK GDPR as special category data.

The fact that someone attends your parish, is a confirmed Catholic, or holds a particular religious role is special category data. This means:

  • You need an Article 9 condition for processing it, in addition to one of the six lawful bases
  • For religious organisations the most relevant condition is processing in the course of the legitimate activities of a not-for-profit body with a religious aim, with appropriate safeguards; it covers membership records and communications within the parish community, but only for members, former members and people in regular contact with the parish
  • That same condition requires that the data is not disclosed outside the parish without the individual’s consent, so be particularly careful about sharing it
  • Sharing with third parties therefore needs explicit consent unless another Article 9 condition applies (the safeguarding condition in the Data Protection Act 2018, or protecting someone’s vital interests, for example)

Other special category data you may hold:

  • Health information (e.g. mobility needs, dietary requirements for events)
  • Ethnic origin (may be held as part of baptism records)
  • Criminal offence data (DBS check results for volunteers), which is not strictly special category data but is restricted in the same way under Article 10 and the Data Protection Act 2018

DBS certificate information should be kept securely, with access limited to those who need it, and should not be retained longer than necessary: the DBS code of practice says no more than 6 months after the recruitment decision is made. You may keep a record that a check was carried out (name, date, level of check, certificate number and the decision) for longer, as evidence that your safeguarding process was followed.


What data do parishes typically hold?

It’s worth auditing what you actually have before trying to comply. Common parish data holdings include:

Membership and pastoral records

  • Parish register (names, addresses, contact details of parishioners)
  • Sacramental records (baptism, confirmation, marriage, funeral)
  • Electoral roll or community register

Communications

  • Email newsletter subscriber list
  • Bulletin distribution list
  • Contact form submissions from the website

Finance

  • Gift Aid declarations (name, address, taxpayer status)
  • Donation records
  • Bank details for standing orders

Volunteers and staff

  • Employment records, payroll, P60s
  • DBS check records and outcomes
  • Rota details and availability

Events and activities

  • Booking details for hall hire
  • Children’s Liturgy registration forms
  • Alpha or other course participant details

Children’s data

  • Children’s Liturgy registers
  • Youth group attendance
  • Emergency contact details for minors

Each category needs a lawful basis, a retention period, and appropriate security.


Retention: how long should you keep data?

You should only keep personal data for as long as you need it for the purpose for which it was collected. This means defining retention periods and sticking to them.

Guidance for common parish records:

| Record type | Suggested retention |
| --- | --- |
| Sacramental registers (baptism, marriage, funeral) | Permanent: canonical and historical record |
| Gift Aid declarations | 6 years after the last donation they relate to (HMRC requirement) |
| Donation records | 6 years (accounting purposes) |
| DBS check records | 6 months after decision, then destroy |
| Employment records | 6 years after employment ends |
| Email newsletter subscribers | Until unsubscribed, then delete promptly |
| Event booking details | 1–2 years, or once any financial obligation is resolved |
| Children’s activity registers | Until the child reaches 18, or longer if safeguarding concerns arose (follow your diocesan safeguarding retention schedule) |
| CCTV footage (if applicable) | 31 days typically, unless part of an incident investigation |
| Website contact form submissions | Delete once the enquiry is resolved, and no longer than 12 months |

Document your retention policy and apply it. A policy that exists on paper but isn’t followed provides no protection.
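
The retention table above is easy to write and easy to forget. As an added example (not from this article, and not ChurchSuite’s or any diocese’s tooling), the script below turns each row into a rule per record type and reports what is due for deletion on a given date. The record field names, type names and the sample records are this example’s own assumptions: map them to whatever your spreadsheet or church-management export actually uses. Note the two safety behaviours a practitioner wants: a record with a hold flag (safeguarding concern, complaint, dispute) is never auto-deleted, and a record type with no rule is flagged for review rather than silently kept or dropped.

```python
"""Retention sweep for parish records (added example; field names are assumptions)."""
from datetime import date, timedelta

TODAY = date(2026, 4, 21)  # assumed run date


def add_months(d, months):
    """Calendar arithmetic without dateutil: 31 Jan + 1 month = 28/29 Feb, not 3 Mar."""
    years, month_index = divmod(d.month - 1 + months, 12)
    y, m = d.year + years, month_index + 1
    last_day = 31 if m == 12 else (date(y, m + 1, 1) - date(y, m, 1)).days
    return date(y, m, min(d.day, last_day))


def retention_expiry(record):
    """Earliest date the record may be deleted. None means keep: either permanent, or the
    retention clock has not started (still donating, still subscribed, still employed)."""
    kind = record["type"]
    if kind == "sacramental_register":
        return None                                              # permanent canonical record
    if kind == "gift_aid_declaration":                           # 6 years after last donation covered
        return add_months(record["last_donation"], 72) if record.get("last_donation") else None
    if kind == "donation":
        return add_months(record["date"], 72)
    if kind == "dbs_check":                                      # 6 months after the decision
        return add_months(record["decision"], 6)
    if kind == "employment":
        return add_months(record["end"], 72) if record.get("end") else None
    if kind == "newsletter_subscriber":                          # delete as soon as they unsubscribe
        return record.get("unsubscribed")
    if kind == "event_booking":                                  # up to 2 years once money is settled
        return add_months(record["settled"], 24) if record.get("settled") else None
    if kind == "children_register":                              # until the child turns 18
        return add_months(record["dob"], 18 * 12)
    if kind == "cctv":
        return record["recorded"] + timedelta(days=31)
    if kind == "contact_form":                                   # once resolved, 12 months at most
        return record["resolved"] if record.get("resolved") else add_months(record["received"], 12)
    raise ValueError(f"no retention rule for {kind!r}")


def decide(record, today=TODAY):
    """Return (action, reason). Held records and unknown types are never auto-deleted."""
    if record.get("hold"):
        return "retain", "hold flag set (safeguarding concern, complaint or dispute): refer to DPO"
    try:
        expiry = retention_expiry(record)
    except ValueError as exc:
        return "review", str(exc)
    if expiry is None:
        return "retain", "permanent, or retention period has not started"
    if today >= expiry:
        return "delete", f"retention expired {expiry.isoformat()}"
    return "retain", f"expires {expiry.isoformat()}"


def sweep(records, today=TODAY):
    """Group record ids by action; the 'delete' list is the work order for the clear-down."""
    result = {"delete": [], "retain": [], "review": []}
    for rec in records:
        action, _ = decide(rec, today)
        result[action].append(rec["id"])
    return result


# Constructed sample records, not real parish data.
SAMPLE_RECORDS = [
    {"id": "bap-1950-17", "type": "sacramental_register"},
    {"id": "ga-0042", "type": "gift_aid_declaration", "last_donation": date(2019, 3, 1)},
    {"id": "ga-0107", "type": "gift_aid_declaration", "last_donation": date(2024, 11, 2)},
    {"id": "dbs-2025-09", "type": "dbs_check", "decision": date(2025, 9, 1)},
    {"id": "dbs-2026-02", "type": "dbs_check", "decision": date(2026, 2, 10)},
    {"id": "cl-0311", "type": "children_register", "dob": date(2007, 1, 10)},
    {"id": "cl-0318", "type": "children_register", "dob": date(2006, 2, 14), "hold": True},
    {"id": "nl-0555", "type": "newsletter_subscriber", "unsubscribed": None},
    {"id": "nl-0556", "type": "newsletter_subscriber", "unsubscribed": date(2026, 4, 1)},
    {"id": "web-0099", "type": "contact_form", "received": date(2026, 2, 1), "resolved": date(2026, 2, 3)},
    {"id": "cctv-0410", "type": "cctv", "recorded": date(2026, 4, 10)},
    {"id": "x-1", "type": "parish_magazine_archive"},
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        action, reason = decide(rec)
        print(f"{rec['id']:<14} {action:<7} {reason}")
```

Run it from a calendar reminder each term and work through the "delete" list by hand; anything in "review" means your retention policy has a gap that needs a decision, not a script.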


Privacy notice

Every organisation that processes personal data must provide individuals with a privacy notice — a clear explanation of what data you hold, why you hold it, who you share it with, and what rights they have.

Your privacy notice should be published on your website and made available on request. It needs to cover:

  • Who you are and how to contact you
  • What personal data you collect and from what sources
  • Why you process it (the lawful basis for each type)
  • Who you share it with (e.g. ChurchSuite as a processor, HMRC for Gift Aid, the Diocese)
  • How long you keep it
  • The rights of individuals (see below)
  • How to make a complaint to the ICO

Keep the language plain. A parish privacy notice doesn’t need to read like a legal document — in fact, it’s better if it doesn’t.


Individual rights

Under UK GDPR, individuals have the following rights, and you must be able to respond to them:

Right of access (Subject Access Request): Anyone can ask to see the personal data you hold about them. You have one month to respond (extendable by up to two further months for genuinely complex requests, provided you tell the requester within the first month), and normally no fee may be charged. In a parish context, this might mean someone asking to see their contact details, donation history, or what notes are held about them pastorally. Pastoral notes are in scope, so write them as if the person will one day read them.

Right to rectification: If data is inaccurate, the individual can ask you to correct it.

Right to erasure (“right to be forgotten”): Individuals can ask you to delete their data in certain circumstances — for example, if you were relying on consent and they withdraw it. Note that this right is not absolute: you may have legitimate reasons to retain data (Gift Aid records, safeguarding records) that override an erasure request.

Right to object: Individuals can object to processing based on legitimate interests. You must stop unless you have compelling legitimate grounds that override their interests. Where the processing is direct marketing (fundraising appeals, for example), the right is absolute: you must stop, with no balancing test.

Right to restrict processing: In some circumstances, individuals can ask you to pause processing their data while a dispute is resolved.

The rights to data portability and in relation to automated decision-making also exist but rarely arise in a parish.

Assign someone in the parish to handle data subject requests. Requests must be taken seriously and responded to within the legal timeframe — ignoring them is a compliance failure.


Gift Aid and GDPR

Gift Aid declarations are a specific area where GDPR and HMRC requirements interact. You have a legal obligation to keep Gift Aid declarations and donation records for 6 years — this overrides any erasure request for those records.

Key points:

  • You must collect the minimum data necessary for Gift Aid — name, address, and taxpayer status
  • Declarations can be made on paper, online, or verbally (with a written record)
  • Keep declarations securely — they contain financial information
  • If a donor withdraws from Gift Aid, retain the historical declaration for the required period but stop claiming on future donations
  • Share records with HMRC when required for audit — this is a legal obligation that doesn’t need separate consent

ChurchSuite and GDPR

ChurchSuite is a data processor acting on your behalf. By using ChurchSuite, you’re transferring personal data to them — you need to be satisfied that they handle it appropriately.

ChurchSuite is UK-based and operates under a Data Processing Agreement, which is required under UK GDPR when controllers use processors. Their DPA is available in their terms of service.

Practical considerations:

  • Only give ChurchSuite accounts to people who need access, one named account per person. Never share login credentials, and if your plan offers two-factor authentication, turn it on for every account
  • Review who has admin or elevated access periodically (a termly check of the user list is enough for most parishes) and downgrade anyone who no longer needs it
  • Use ChurchSuite’s built-in data export tools if you ever need to migrate away; don’t let your data become locked in
  • When a volunteer or staff member leaves, remove their ChurchSuite access promptly, ideally on their last day
  • Be aware of what data ChurchSuite modules collect — the Address Book module holds contact and personal details; the Giving module holds financial data; the Children’s module holds minors’ data
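
The periodic access review in the list above is the step most parishes skip because nobody owns it. As an added example (not ChurchSuite’s own tooling or API), the script below runs the review over a user-list export. It assumes you can export users as CSV with the columns shown (the column names, the sample export and the leavers list are this example’s assumptions; map them to whatever your platform actually produces) and flags four things: people who have left but still have an account, admins who have not logged in for a quarter, accounts that have never logged in, and generic mailbox-style admin accounts, which in practice mean shared credentials.

```python
"""Access review over a user-list export (added example; column names are assumptions)."""
import csv
import io
from datetime import date, datetime

REVIEW_DATE = date(2026, 4, 21)   # assumed date of the review
STALE_ADMIN_DAYS = 90             # an admin unused for a quarter should not stay admin
STALE_USER_DAYS = 365
GENERIC_LOCALPARTS = {"office", "admin", "info", "parish", "secretary"}

# Constructed sample export, not real parish data. Columns are this example's assumption.
SAMPLE_EXPORT = """email,name,role,last_login,status
fr.smith@example.org,Fr Smith,admin,2026-04-18,active
office@example.org,Parish Office,admin,2026-04-20,active
j.bloggs@example.org,Joan Bloggs,admin,2025-07-02,active
k.jones@example.org,Kevin Jones,user,2026-04-15,active
m.patel@example.org,Meera Patel,user,2026-03-30,active
old.volunteer@example.org,Pat Old,user,,active
"""

# People the rota or volunteer coordinator says have stepped down (constructed).
LEAVERS = {"k.jones@example.org"}


def parse_export(text):
    """Read the CSV export; an empty last_login column becomes None (never logged in)."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        raw = row["last_login"].strip()
        row["last_login"] = datetime.strptime(raw, "%Y-%m-%d").date() if raw else None
        rows.append(row)
    return rows


def review_access(rows, leavers, today=REVIEW_DATE):
    """Return (email, finding) pairs for every active account that needs action."""
    findings = []
    for r in rows:
        if r["status"] != "active":
            continue                                   # already disabled: nothing to do
        email = r["email"].strip().lower()
        is_admin = r["role"] == "admin"
        if email in leavers:
            findings.append((email, "leaver still active: remove access"))
        limit = STALE_ADMIN_DAYS if is_admin else STALE_USER_DAYS
        if r["last_login"] is None:
            findings.append((email, "never logged in: remove or re-justify"))
        elif (today - r["last_login"]).days > limit:
            who = "admin" if is_admin else "user"
            findings.append((email, f"{who} inactive > {limit} days (last login {r['last_login']}): review"))
        if is_admin and email.split("@")[0] in GENERIC_LOCALPARTS:
            findings.append((email, "generic admin account: likely shared credentials, issue named accounts"))
    return findings


def run_review():
    """Convenience entry point over the constructed sample data."""
    return review_access(parse_export(SAMPLE_EXPORT), LEAVERS)


if __name__ == "__main__":
    for email, finding in run_review():
        print(f"{email:<28} {finding}")
```

Keep the leavers list as an input from whoever manages rotas and staff, not something guessed from the export; the review is only as good as the parish’s knowledge of who has actually moved on.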

Email newsletters and marketing

Sending your parish bulletin by email requires a lawful basis. For established parishioners who regularly attend and have provided their email address in that context, legitimate interests is generally appropriate — they would reasonably expect to receive parish communications.

For people who have signed up via your website or at an event, consent may be more appropriate — particularly if they don’t have an existing relationship with the parish.

In either case:

  • Always include an unsubscribe link in every email
  • Process unsubscribe requests promptly — don’t continue emailing people who have opted out
  • Don’t add people to your mailing list without their knowledge
  • Keep a record of how and when people subscribed
  • Segment your list if you send different types of content — someone who signed up for the bulletin hasn’t necessarily consented to fundraising appeals

If you use Mailchimp or a similar platform, you’re transferring data to another processor — ensure their terms include a DPA and that you understand where data is stored.


Your website and GDPR

Your parish website likely processes personal data in several ways:

Contact forms: When someone submits a contact form, you receive their name, email, and message. Inform them in or near the form what you’ll do with that data, and delete submissions once the enquiry is resolved.

Analytics: Google Analytics and similar tools collect data about website visitors. Setting the cookies they rely on needs the visitor’s consent under PECR (the Privacy and Electronic Communications Regulations, which sit alongside UK GDPR), and that consent then serves as your lawful basis for the personal data they process. If you use Google Analytics, ensure your cookie banner meets the standard: it must give a genuine choice, must not default to acceptance, and must not load the analytics script until the visitor has accepted. Consider a privacy-focused alternative (e.g. Fathom or Plausible), whose vendors state they work without cookies, if managing cookie consent feels disproportionate for a small parish site; check the ICO’s current guidance on whether such tools still need a banner before removing one.

Embedded third-party content: ChurchSuite calendar embeds, YouTube videos, or Google Maps widgets may set third-party cookies as soon as the page loads. Users should be informed of this, and where the provider offers a reduced-tracking embed (YouTube’s youtube-nocookie.com domain, for example), use it.


Data breaches

A personal data breach is any accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of personal data. In a parish context, this might be:

  • Sending a bulletin email with all recipients visible in the CC field (rather than BCC)
  • A laptop containing parishioner records being stolen
  • A ChurchSuite account being accessed by an unauthorised person
  • A paper register being lost or left in a public place

What to do:

  1. Contain the breach as quickly as possible
  2. Assess the risk to individuals — how sensitive was the data? How many people affected?
  3. Notify the ICO within 72 hours of becoming aware of the breach if it is likely to result in a risk to individuals’ rights and freedoms. This is a legal requirement, and the clock runs from awareness, not from the end of your investigation
  4. Notify affected individuals without undue delay if the breach is likely to result in a high risk to them
  5. Document the breach and your response, even if you decide notification isn’t required

Not every breach needs to be reported to the ICO, but the decision must be documented. A BCC mistake on a low-sensitivity bulletin email to 20 parishioners is unlikely to require ICO notification, though remember that membership of the list itself reveals religious affiliation, so consider who was exposed to whom. A stolen laptop whose disk was encrypted and whose password was not compromised is usually low risk; an unencrypted one is not. A breach of safeguarding records or financial data almost certainly does need reporting.


Practical steps to take now

If you haven’t already addressed GDPR in your parish, here is a prioritised list:

  1. Audit your data. List what personal data you hold, where it’s stored, why you have it, and who can access it. A simple spreadsheet suffices. This is your Record of Processing Activities (ROPA); small organisations are exempt from keeping one only if their processing is occasional and involves no special category data, and since a parish register records religious affiliation you should assume you need it.
  2. Check your ICO registration. Use the ICO self-assessment tool to confirm whether you need to pay the data protection fee.
  3. Publish a privacy notice. Write a plain-English privacy notice and put it on your website. Link to it from your contact form, newsletter sign-up, and anywhere else you collect data.
  4. Review your email list. Ensure everyone on your bulletin list has a legitimate basis for being there. Remove anyone who has previously unsubscribed or asked not to be contacted.
  5. Secure your data. Password-protect files containing personal data and turn on device encryption (BitLocker or FileVault) on any laptop that holds them, so a stolen machine is a loss of hardware rather than a data breach. Use Shared Drives in Google Workspace with appropriate access controls rather than personal drives, with two-factor authentication on the accounts that can reach them. Don’t email spreadsheets of personal data unnecessarily.
  6. Set retention periods. Decide how long you keep each type of data and build in a process to delete it — even if that’s a calendar reminder to review and clear down records annually.
  7. Train your team. Anyone handling personal data should understand the basics: don’t share data unnecessarily, report suspected breaches immediately, and know how to handle a subject access request.
  8. Contact your diocese. Most Catholic dioceses in England and Wales have a Data Protection Officer who can provide guidance specific to your canonical and legal structure. Use them.

Where to get help

  • ICO website: ico.org.uk — comprehensive guidance, self-assessment tools, and the breach reporting portal
  • Your diocese: Diocesan offices often have a DPO or can refer you to one
  • NCSC (National Cyber Security Centre): ncsc.gov.uk/cyberessentials — Cyber Essentials certification is a practical baseline for small organisations
  • Parish Resources: Some dioceses publish GDPR template documents (privacy notices, data audit templates) for parishes — check your diocesan website

Expanse CMS is built with parish data handling in mind — contact forms, newsletter integrations, and ChurchSuite connections are all designed to minimise unnecessary data processing. Get in touch to find out more.


Written by

Ian Tearle

Ian Tearle is a web developer and the creator of Expanse CMS. He builds and maintains websites for Catholic parishes and religious organisations across the UK, including St Mark's RC Parish in Ipswich, where he is also a parishioner. He has been integrating ChurchSuite with parish websites since the platform became the go-to church management system for Catholic communities in England and Wales. When he isn't writing PHP, he's usually serving on a rota he built the reminder system for.
