The quiet data question every UK church must answer in 2026

By CAASYS Team · 9 May 2026

New ICO guidance lands in 2026. Most churches still keep pastoral notes in a WhatsApp group. Here is the simplest path to GDPR‐comfortable without losing the warmth.

If you lead a UK church, you are a data controller. That is not a slogan — it is what the law calls you the moment your PCC keeps a list of attendees, an electoral roll, or a prayer chain.

The Information Commissioner’s Office (ICO) is publishing new guidance in 2026, and from June 19, 2026 every data controller must clearly tell people how to make a data protection complaint. That alone is going to catch a lot of churches off‐guard.

The good news: GDPR‐comfortable does not have to mean cold. You can keep the personal touch. You just need three things in writing.

## 1. A privacy notice that anyone can find

A short, plain‐English page on your church site that explains:

- What information you keep (names, contact details, attendance, pastoral notes, photos).
- Why you keep it (legitimate interests, legal obligation, consent).
- How long you keep it (e.g. 6 years for finance, life of membership for pastoral notes).
- Who to contact and how to complain to the ICO.

If you cannot show a visitor that page in 30 seconds, it is not really doing its job.

## 2. Special‐category data, handled with care

Safeguarding records, health information for pastoral care, and information about children or adults at risk are all “special category” data under Article 9. They are allowed — churches have explicit lawful bases under religious aims and substantial public interest — but they need extra care: locked drawers, restricted access, and clear retention limits.

In CAASYS, sensitive notes are scoped to the staff who genuinely need them. Volunteers see what volunteers need to see. No more.

## 3. Easy opt‐outs that you can prove

If a member asks not to be emailed, you must be able to:

- Mark them opted‐out in seconds.
- Exclude them automatically from the next bulletin.
- Show, months later, when and how the request was made.

In CAASYS, every member profile carries email and SMS opt‐out flags. Bulk sends respect them automatically. STOP keywords on SMS are honoured without staff intervention.

## You do not have to start from scratch

The Church of England, the Methodist Church, and Parish Resources all publish strong templates. Copy them. Adapt them. Then make sure your software actually enforces what your privacy notice promises. That is where most churches quietly fall short — and where CAASYS does most of its work.