This page explains how we are affected by the introduction of the European General Data Protection Regulation and what the association is doing to ensure we comply with this.


To view our privacy policy please click here:


Please contact Richard Harris at if you have any questions or comments on the information provided here.


What is GDPR?


The General Data Protection Regulation (GDPR) is a new, Europe-wide law that replaces the Data Protection Act 1998 in the UK. It is part of the wider package of reform to the data protection landscape that includes the Data Protection Bill. The GDPR sets out requirements for how organisations will need to handle personal data from 25 May 2018.


The GDPR applies to ‘personal data’, which means any information relating to an identifiable person who can be directly or indirectly identified, in particular by reference to an identifier. The GDPR brings in a much broader definition of personal data than previous legislation, and increases both the standard of consent needed and the obligations to protect and secure information under our control.


How this affects the Surrey Association


All organisations are required to have a legal basis for processing personal information and to adhere to the requirements for processing this data. Where necessary we will need to ensure that we have valid consent from individuals whose data we hold, and that we have appropriate systems and controls in place to ensure that data is maintained and secured and individuals' legal rights are protected.


During February we conducted a review of our readiness for GDPR.  Following the review an action plan was proposed with both short and longer term changes to ensure the association complies with the new regulation.


A summary of this was delivered to the General Committee at its meeting in March.  A copy of this document is attached below.


As part of our preparations for GDPR a new privacy policy is being developed.  This provides information on our data processing and our lawful basis for this as well as your rights.  The latest draft of this document is attached below.


Why do we need to do this?


It is not only big companies that get fined for data protection offences: the ICO has prosecuted and fined numerous charities and voluntary organisations under the existing data protection legislation.


These are just a few of many charities fined in 2017:


Battersea Dogs and Cats Home (fined £9,000)

Great Ormond Street Hospital Children's Charity (fined £11,000)

Macmillan Cancer Support (fined £14,000)

The Royal British Legion (fined £12,000)


GDPR increases the level of fines the ICO can levy, raises the standards that organisations need to adhere to and gives individuals more rights to ensure their data is protected.


GDPR resources


Start here:


The full text of the regulations:



GDPR Summary V2.pdf
GDPR Legitimate Interest Assessment.pdf

GDPR for tower bands


Individual towers will need to adhere to the policy of their local parish and this will be based on diocesan policy. You can find more information on this here:


Tower Captains and Secretaries should familiarise themselves with their own church's GDPR preparations and data privacy policies.  In most cases the data processing carried out relates to the maintenance and use of a contact list for band members.


Most PCCs will have a complex and diverse set of data protection issues to address, and the tower contact list is probably the least of their worries, but you need to check that this is included in the scope of the policy.


Lawful basis


One of the most important changes for GDPR is a requirement to establish a lawful basis for any data processing. In many cases this requires consent from the data subject, but there are other ways to establish a lawful basis; the most commonly used one is likely to be a 'legitimate interest'.


Provided your data is limited to reasonable information necessary to administer the band (name, address, phone number and email address, for example), you are entitled to claim a legitimate interest as a lawful basis for data processing, in which case there is no need to seek consent. You would only need consent if you did anything with the data that would compromise an individual's rights (such as the right to privacy).


Your PCC's privacy policy is required to state the lawful basis on which data is processed so you should check and confirm your policy allows you to claim a legitimate interest. 


If your church insists on consent for all data uses please query this.  It is an unnecessary burden for the kind of common data processing performed by bell ringers administering their own groups.


The Southwark Diocese publishes a comprehensive toolkit with advice and templates for parishes. This does explain the difference between legitimate interest and consent as a lawful basis for data processing, and they do include both in their template privacy policies. The advice also acknowledges that there are circumstances where consent is not appropriate and that there are other lawful bases for processing personal data, particularly where data is only shared within members of the church group (Page 15 para 4).


Care of personal data


It is important that you protect any personal information you hold and take care that it is held securely and used only for the purpose it was collected.  You should take care to delete data when it is no longer needed.


You need to be particularly careful to clearly distinguish between data you hold as an officer of a church, which is controlled under its privacy policies, and data you hold as a private individual.  Data held by natural persons in the course of their personal activity is excluded from GDPR, so your personal records and contacts are not affected.