What UK GDPR is, and isn't
UK GDPR is the post-Brexit version of the EU GDPR, regulated by the ICO. It applies to every UK organisation that processes personal data — including every church, regardless of denomination or size. Religious purposes get a few specific carve-outs (notably around special-category data for religious affiliation), but the core obligations apply to you exactly as they apply to a business.
Lawful bases for processing
Every act of processing personal data needs a lawful basis. For churches, the common ones are: legitimate interests (most member-care comms, attendance tracking), consent (marketing emails, photo use), legal obligation (Gift Aid records, safeguarding referrals, employment records), contract (paid staff and volunteers), and vital interests (rare — emergency contact use). Document which one you're relying on for each data category.
Data subject rights
Members can ask you to: (1) confirm what data you hold about them and provide a copy (DSAR — data subject access request); (2) correct mistakes; (3) erase their data ('right to be forgotten'); (4) restrict processing; (5) object to processing; (6) port their data to another controller. You have one calendar month to respond, extendable by a further two months for complex requests. Refusal must be justified (e.g. Gift Aid records you legally have to keep).
Gift Aid + safeguarding carve-outs
If a donor signs a Gift Aid declaration, HMRC requires you to keep it for at least six years from the end of the accounting period. You can't fully delete that record under a 'right to be forgotten' request — you have a competing legal obligation. Same for safeguarding records. Good software handles this by 'soft-deleting' the personal-care fields while keeping the legally-required compliance fields frozen.
DSARs — what to actually send
When a member asks for their data, you owe them: their member record (name, contact details, dates), their giving history, their attendance, their group memberships, any communication you've sent them, any safeguarding records (with appropriate redactions if a third party is named), any Gift Aid declarations, and any photos where they're identifiable. You must also tell them who you've shared it with (Stripe, your email provider, etc.) and how long you'll keep it.
Breach notification
If personal data is exposed (laptop stolen, email sent to the wrong list, database hack), you have 72 hours from awareness to report to the ICO if the breach is likely to result in a risk to people's rights and freedoms. You also have to tell affected individuals 'without undue delay' if the breach is high-risk. Have a documented incident response process before you need it.
How MosesTab handles it
DSARs are a one-click export. Erasure requests soft-delete personal-care data while preserving the Gift Aid + safeguarding records you're legally required to keep. Audit trails on every record show who saw and changed what. The data processor agreement and standard retention rules are documented in the help centre. Stripe (giving), the email provider, and the SMS provider are listed as sub-processors.
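The three mechanics described above (the Gift Aid and safeguarding carve-outs on erasure, the DSAR bundle with third-party redaction, and the calendar-month response deadline) fit together in one small model. The following is an added illustration written for this page, not MosesTab's own code or schema: the record layout, field names, the sample member and the audit-log shape are all assumptions, and the six-year hold is computed from the accounting period end as the text states.

```python
"""Added example: erasure under legal hold, DSAR export and DSAR deadline.
Constructed for illustration; not MosesTab code. Record layout and field
names are assumptions chosen to match the article's description."""
from copy import deepcopy
from datetime import date
import calendar

GIFT_AID_HOLD_YEARS = 6  # "at least six years from the end of the accounting period"

# Personal-care fields a member may have erased on request.
ERASABLE_FIELDS = ("email", "phone", "address", "pastoral_notes",
                   "attendance", "groups", "photos")

# Constructed sample record (hypothetical schema).
MEMBER = {
    "id": 42,
    "name": "Alice Example",
    "email": "alice@example.org",
    "phone": "07700 900123",
    "address": "1 Chapel Lane",
    "pastoral_notes": "Prefers evening visits",
    "attendance": [date(2024, 1, 7), date(2024, 1, 14)],
    "groups": ["Choir"],
    "photos": ["summer-fete-2023.jpg"],
    "gift_aid": {
        # The declaration as given to HMRC is a compliance record: frozen, not blanked.
        "declaration": {"donor_name": "Alice Example", "home_address": "1 Chapel Lane",
                        "signed": date(2023, 4, 10)},
        "donations": [{"date": date(2023, 5, 1), "amount_gbp": 50}],
        "accounting_period_end": date(2024, 3, 31),
    },
    "safeguarding": [{"date": date(2024, 2, 1),
                      "note": "Concern raised by Bob Other about a youth group session",
                      "third_parties": ["Bob Other"]}],
}

def add_months(d, months):
    """Calendar-month arithmetic: same day in the target month, or its last day
    if the target month is shorter (31 Jan + 1 month -> 28/29 Feb)."""
    m = d.month - 1 + months
    y, m = d.year + m // 12, m % 12 + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))

def dsar_deadline(received, complex_request=False):
    """One calendar month to respond; complex requests get two more."""
    deadline = add_months(received, 1)
    return add_months(deadline, 2) if complex_request else deadline

def gift_aid_hold_until(accounting_period_end):
    """Date until which the Gift Aid record must be retained."""
    return add_months(accounting_period_end, 12 * GIFT_AID_HOLD_YEARS)

def erase_member(record, today, audit_log, actor="admin"):
    """Soft-delete: blank personal-care fields, keep records under legal hold."""
    out = deepcopy(record)
    for f in ERASABLE_FIELDS:
        if f in out:
            out[f] = None
    out["name"] = f"Erased member {record['id']}"  # non-identifying key for frozen rows
    holds = []
    if out.get("gift_aid"):
        until = gift_aid_hold_until(out["gift_aid"]["accounting_period_end"])
        if today <= until:
            out["gift_aid"]["legal_hold_until"] = until
            holds.append("gift_aid")
        else:
            out["gift_aid"] = None  # hold expired: the record can now go too
    if out.get("safeguarding"):
        holds.append("safeguarding")  # safeguarding records are always retained
    out["erased"], out["legal_holds"] = True, holds
    # Audit trail: who did what, when, and what was retained.
    audit_log.append({"when": today, "who": actor, "action": "erasure",
                      "member_id": record["id"], "retained": list(holds)})
    return out

def redact_third_parties(text, names):
    """Remove named third parties from a note before it leaves the system."""
    for n in names:
        text = text.replace(n, "[third party redacted]")
    return text

def dsar_export(record, communications, sub_processors, retention_policy):
    """Bundle everything the article says a member is owed in a DSAR."""
    safeguarding = [{"date": r["date"],
                     "note": redact_third_parties(r["note"], r.get("third_parties", []))}
                    for r in record.get("safeguarding") or []]
    gift_aid = record.get("gift_aid") or {}
    return {
        "member_record": {k: record.get(k) for k in ("name", "email", "phone", "address")},
        "giving_history": gift_aid.get("donations", []),
        "attendance": record.get("attendance"),
        "groups": record.get("groups"),
        "communications": communications,
        "safeguarding": safeguarding,
        "gift_aid_declaration": gift_aid.get("declaration"),
        "photos": record.get("photos"),
        "shared_with": sub_processors,
        "retention": retention_policy,
    }

if __name__ == "__main__":
    log = []
    print(dsar_export(MEMBER, ["Newsletter Jan 2024"], ["Stripe", "email provider"],
                      {"gift_aid": "6 years from accounting period end"}))
    print(erase_member(MEMBER, date(2024, 6, 1), log), log)
    print(dsar_deadline(date(2024, 1, 31)), dsar_deadline(date(2024, 1, 31), True))
```

The erasure returns a new record rather than mutating the input so the caller can review what will remain before committing; the `legal_holds` list and the audit entry together answer the "why is this still here?" question a member or the ICO may ask after a refusal.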