Data Security FAQs

Data Security Information

Please do click on the titles below to find out answers to our most frequently asked questions.

Concerned about the GDPR (General Data Protection Regulations)?

The GDPR (General Data Protection Regulations) came into force in May 2018 and is the new EU document that replaced the Data Protection Act. The UK Government has said that we will be complying with these regulations regardless of Brexit and so it is important that churches get equipped to meet the requirements of the law.

Alongside the GDPR will be the new e-Privacy Regulation (e-PR) which will replace the current PECR (Privacy and Electronic Communications Regulations). This was intended to be launched at the same time as the GDPR but wasn't ready and so for the meantime the PECR remains current. For more information do go to the ICO website.

The GDPR gives 2 reasons relevant to churches, that allow you to legitimately store a person's data. 

The first is that you have a legitimate reason to store and process someone's data without their consent. This may be because the church has what is called a "legitimate interest" in doing so. For example, you need to store the contact details of your church members/attenders so that you can offer them pastoral care and smoothly run the various activities going on in the church. Or it may be for other reasons such as contractual or safeguarding obligations.

The second reason is for cases where you have no legitimate cause to keep someone's data without their consent and so you have directly obtained consent from them. For example, those church members who have moved away but still may like to receive newsletters or stay in the database so that friends can send them Christmas cards etc. In this case you are allowed to keep someone's data only if they give you their consent to do so.

We have added the ability to tag groups as either "Can Process" (for legitimate reasons to store data without consent) or "Consent Required" (for when consent is legally required) and then have provided automatically generated groups to help you see these tagged groups combined and easily find people who don't fit into either category.

In addition to this, your church needs to notify people that you are processing their data, what you are using it for and provide them with additional information as to who they can talk to within the church if they have any concerns. ChurchBuilder will help with the process of getting consent from people and will enable you to track who has been told and who is outstanding.

The e-Privacy Regulation looks at the communication you are sending out to your church contacts. This falls into 2 categories – operational and marketing. Informing a church member/attender of an event that they are not already involved in, is counted as marketing. This could simply be emailing your congregation to tell them that there is a church lunch coming up. Marketing emails require "opt in" consent, with the exception of informing people who have paid for an event, about similar events.

Under the current PECR you are able to continue to send marketing emails to those for whom you have been doing so, but you must give them the option to opt out should they wish. (This is something ChurchBuilder can help you with).

Although this sounds initially daunting, ChurchBuilder has released new features that help you with both contacting people with this information, sample forms as to what to tell them, and easy "opt in" buttons for them to be able to click on to subscribe. There will also be unsubscribe links on all emails.

Lastly ChurchBuilder enables emails to be filtered to prevent marketing emails being sent to those that have not opted in. 

If you are an existing customer, all these features have been rolled out to you and you can find more information on the Support Site in the "Data Protection" document. These new features apply to all ChurchBuilder products.

Does ChurchBuilder comply with data protection laws?

We are required by law to adhere to the GDPR which replaced the Data Protection Act, in May 2018. The GDPR requires that data is kept inside the EU unless we can guarantee that the people running the system will adhere to the same data protection rules to which EU members are subject. 

Our servers are in the EU and are owned by us which means that we have complete control over what happens to the data after a server is decommissioned, and can ensure that the disks are destroyed.

Concordant Systems Ltd is registered with the Information Commissioner's Office.

We have a company Privacy Policy which you can read here.

How should our church comply with data protection laws?

Any organisation is entitled to store information about people without their permission as long as it is necessary for the day-to-day running of the organisation.

You do have an obligation to keep people's personal information secure and to remove information about people who are no longer connected with the church. To help with these tasks, ChurchBuilder has many security features and search features that allow you to control, access and manage your data.

If you want to publish contact information - for example, having an online or printed church directory, then you need to gain permission from your members. Many churches also ask permission to send church members information about new events that may be relevant to them. Although the ePR (e-Privacy Regulation) has not come into force demanding this as law, it is now common practice and good preparation for when that law comes into force.

The best way to deal with this may be to produce a form for your church members with tick boxes for the different options, which they can fill in and sign.

In May 2018 new regulations for data protection came into force and it was expected that new regulations for e-privacy (sending out emails, texts etc) would shortly follow. So far, the new e-Privacy laws haven't yet become law. The new Data Protection Act is called the GDPR and the new E-Privacy regulation which will replace the current PECR is called the ePR. ChurchBuilder has developed new features to help churches comply with these new regulations. Do have a look at our section above on the GDPR.

For more help with Data Protection and your obligations as an organisation, do visit the Information Commissioner's Office website.

How secure is ChurchBuilder?

Access to ChurchBuilder is controlled by username and password and strength checking is done on passwords providing you with information on how to make your password stronger.

The decision as to who can login to your church site is at the discretion of your church leaders. All 3 versions of ChurchBuilder allow you to set automatic logins for groups of your choosing, so that you control who logs in without the burden of having to issue individual passwords to each church member. 

The connection between the user's browser and ChurchBuilder is encrypted using a similar type of encryption as online banking and other secure websites.

Once a user is logged in, the system uses a powerful protection mechanism for deciding what level of access to each feature that user is allowed. All of these protections are set up by your own webmasters/site administrator so that you can choose what people can see or change.

Where is our data kept?

We own and maintain our own servers which are housed in the Amito data centre in Reading, Berkshire.

By owning the servers we can have tight control over what happens to your data:

  • we can be sure that it stays in the EU to be compliant with EU data protection laws
  • we can be sure that only our own trusted staff have access to it
  • we can be sure that when the disks reach the end of their life they get destroyed.

We also back-up the data to a secondary location every night, encrypting it so that the backups cannot be read by anyone else.

How to I convince our church members that their data is safe with ChurchBuilder?

There is always an understandable fear of data being kept somewhere out of your own control and we deal regularly with this question. 

Until churches come to think about putting their data officially online, their members often don't think about where their data is currently stored. That could be on a church office computer or in the homes of members of staff or church volunteers who are each storing differing sets of information. These computers may not be backed up and the data is probably not encrypted. Home PC's are often very susceptible to viruses which can give access to your data to people who could misuse it. When the computers needs replacing the hard discs containing church data aren't necessarily physically destroyed, rather they can be put into the rubbish where they can be found and potentially restored.

Similarly, church members leave copies of physical church address books on display in their homes or carry them around in their bags, which carries the potential for theft.

In contrast, ChurchBuilder data is kept locked in a secure data centre with regular back ups and encryption to afford you further peace of mind. Our team are all committed Christians and we don't look at your data unless you ask us to or we view your site for the purposes of product development or to improve our service. 

It is often a case of needing to listen to the fears of church members, particularly those not part of the new "technological" generation, and then gently reassuring them with the facts.