Data Protection FAQs

Data Protection Information

Please do click on the titles below to find out answers to our most frequently asked questions.

Concerned about the GDPR (General Data Protection Regulations)?

The GDPR (General Data Protection Regulations) is the new EU document that will be replacing the current Data Protection Act, in May 2018. The UK Government has said that we will be complying with these regulations regardless of Brexit and so it is important that churches get equipped to meet the requirements of the law.

Alongside the GDPR will be the new e-Privacy Directive which will replace the current PECR (Privacy and Electronic Communications Regulations). For more information do go to the ICO website.

The GDPR gives 2 reasons relevant to churches, that allow you to legitimately store a person's data. The first is that your church has a "legitimate interest" in doing so. For example, you need to store the contact details of your church members/attenders so that you can offer them pastoral care and smoothly run the various activities going on in the church. The second reason is that an individual has given their consent for you to keep their data. This may be, for example, because they used to be a member of your church and have asked to be kept in touch with church news.

We are adding in the ability to tag groups as "Legitimate Interest" or "Consent" groups and then will provide automatically generated groups to help you see these tagged groups combined and easily find people who don't fit into either category.

In addition to this, your church needs to notify people that you are processing their data, what you are using it for and provide them with additional information as to who they can talk to within the church if they have any concerns. ChurchBuilder will help with the process of getting consent from people and will enable you to track who has been told and who is outstanding.


The e-Privacy Directive looks at the communication you are sending out to your church contacts. This falls into 2 categories – operational and marketing. Informing a church member/attender of an event that they are not already involved in, is counted as marketing. This could simply be emailing your congregation to tell them that there is a church lunch coming up. Marketing emails require "opt in" consent, with the exception of informing people who have paid for an event, about similar events.

Although this sounds initially daunting, ChurchBuilder will be releasing new features that help you with both contacting people with this information, sample forms as to what to tell them, and easy "opt in" buttons for them to be able to click on to subscribe. There will also be unsubscribe links on all emails.

Lastly ChurchBuilder will enable emails to be filtered to prevent marketing emails being sent to those that have not opted in. 


If you are an existing customer, all these features will be rolled out to you and we will be in touch to navigate you through the changes. These new features will apply to all ChurchBuilder products.

Does ChurchBuilder comply with data protection laws?

We are required by law to adhere to the Data Protection Act requiring that data is kept inside the EU unless we can guarantee that the people running the system will adhere to the same data protection rules to which EU members are subject. 

Our servers are in the EU and are owned by us which means that we have complete control over what happens to the data after a server is decommissioned, and can ensure that the disks are destroyed.

Concordant Systems Ltd is registered with the Information Commissioner's Office.

We have a company Privacy Policy which you can read here.

How should our church comply with data protection laws?

Any organisation is entitled to store information about people without their permission as long as it is necessary for the day-to-day running of the organisation.

You do have an obligation to keep people's personal information secure and to remove information about people who are no longer connected with the church. To help with these tasks, ChurchBuilder has many security features and search features that allow you to control, access and manage your data.

If you want to publish contact information - for example, having an online or printed church directory, or if you want to send out emails advertising for example, upcoming church events, then you need to gain permission from your members. Firstly permission to publish their information and secondly permission to send them what are classified as "marketing" emails. 

The best way to deal with this may be to produce a form for your church members with tick boxes for the different options, which they can fill in and sign.

In May 2018 new regulations for both data protection and e-privacy (sending out emails, texts etc) are coming into force. The new Data Protection Act is called the GDPR and there is a new E-Privacy Directive. ChurchBuilder is currently developing new features to help churches comply with these new regulations. Do have a look at our section above on the GDPR.


For more help with Data Protection and your obligations as an organisation, do visit the Information Commissioner's Office website.

How secure is ChurchBuilder?

Access to ChurchBuilder is controlled by username and password and strength checking is done on passwords providing you with information on how to make your password stronger.

The decision as to who can login to your church site is at the discretion of your church leaders. All 3 versions of ChurchBuilder allow you to set automatic logins for groups of your choosing, so that you control who logs in without the burden of having to issue individual passwords to each church member. 

The connection between the user's browser and ChurchBuilder is encrypted using a similar type of encryption as online banking and other secure websites.

Once a user is logged in, the system uses a powerful protection mechanism for deciding what level of access to each feature that user is allowed. All of these protections are set up by your own webmasters/site administrator so that you can choose what people can see or change.

Where is our data kept?

We own and maintain our own servers which are housed in the RapidSwitch data centre in Maidenhead, Berkshire.

By owning the servers we can have tight control over what happens to your data:

  • we can be sure that it stays in the EU to be compliant with EU data protection laws
  • we can be sure that only our own trusted staff have access to it
  • we can be sure that when the disks reach the end of their life they get destroyed.

We also back-up the data to a secondary location every night, encrypting it so that the backups cannot be read by anyone else.

How to I convince our church members that their data is safe with ChurchBuilder?

There is always an understandable fear of data being kept somewhere out of your own control and we deal regularly with this question. 

Until churches come to think about putting their data officially online, their members often don't think about where their data is currently stored. That could be on a church office computer or in the homes of members of staff or church volunteers who are each storing differing sets of information. These computers may not be backed up and the data is probably not encrypted. Home PC's are often very susceptible to viruses which can give access to your data to people who could misuse it. When the computers needs replacing the hard discs containing church data aren't necessarily physically destroyed, rather they can be put into the rubbish where they can be found and potentially restored.

Similarly, church members leave copies of physical church address books on display in their homes or carry them around in their bags, which carries the potential for theft.

In contrast, ChurchBuilder data is kept locked in a secure data centre with regular back ups and encryption to afford you further peace of mind. Our team are all committed Christians and we don't look at your data unless you ask us to or we view your site for the purposes of product development or to improve our service. 

It is often a case of needing to listen to the fears of church members, particularly those not part of the new "technological" generation that has dawned and then gently reassuring them with the facts.