Protection from identity theft

Protect members (and ministries) from costly identity theft

By Eric Seiberling

Over the past several months, the news has been full of stories about GDPR, identity theft, fraud and privacy concerns. Both the European Union and individual states like California have enacted legislation mandating that organizations protect personal data.

With these privacy initiatives, the burden of protection is on the organizations storing the data (including nonprofits).

Your church cannot ignore these changes designed to protect individuals’ information or claim ignorance. There will be significant penalties for being non-compliant. It doesn’t matter whether the information is paper-based or electronic. If you keep any records of personal information (even on an attendance pad), you need to protect and manage them.

The bottom line: If your organization collects or processes personal information of any type, you must safeguard it and comply with the regulations.

Don’t panic.

There are a number of steps that you can take to protect people’s information and safeguard the church.

Step #1: Conduct an information inventory across your church (members, staff and volunteers) and ministry participants. Start by surveying the leaders and members of your church as to the information they manage. United Methodist Communications has built a sample survey that you can use as a starting point. Build a survey that works for your ministry and then share it with everyone. To produce the survey, you may want to use an online survey tool to help you facilitate things.

Step #2: Gather the physical church records. Churches often have membership records and other personal information scattered across different closets, file cabinets and attendance books. Conduct a systematic search throughout the building and centralize records. Document what records are being kept, where they are stored and how they are secured. Consider moving all file cabinets to a single room that can be locked, preferably with even the cabinets locked.

Step #3: Do a comprehensive electronic audit. Computers, cloud backups and flash drives are the “bottomless closets” of the 21st century. Audit all staff computers, backups, emails and record-keeping systems for member records. Be sure to check your email database and website as well as Google Drive, Dropbox and other software tools. Add those to your inventory list. Make certain the data is password protected and encrypted. (Here is a guide for encrypting Microsoft Office applications, the primary tool for holding church data.)

Step #4: Purge data you no longer need. The General Commission on Archives and Historyprovides guidelines on what documents you are required to retain and how to manage them. They also offer basic guidelines for managing and preserving electronic records. In general, keep what’s needed to:

  • support the efficient conduct of ministry (membership and giving records),
  • meet financial and legal requirements (tax, property and incorporation documents) and
  • maintain the expectations of the community (baptismal and membership records)

Keep meeting records and other documentation as long as it’s useful; then get rid of it — whether it’s paper or electronic. The upside: reducing your total volume of data will help you find the information you need more easily.

Ensure that people who need to manage personally identifiable information (such as email and phone lists) keep it secure with a strong password and store it on a church computer, Google Drive or Dropbox. Confirm that those who no longer need access have deleted the data and emptied their recycle bin.

Step #5: Take steps to protect the data you want to keep. Here are few steps a church can take to protect personal data without breaking the bank.

  • Encrypt all portable devices that hold personal data. Make sure all portable devices — from laptops to memory sticks — used to store personal information are encrypted. Here’s a guide to encryption tools to help you.
  • Centralize paper records. Again, consider placing all of your paper records in a single place with a door that can be locked. Make sure that only authorized people have access. Locking filing cabinets can further help protect information.
  • Update your plugins for your website. Make sure your website is up to date with the latest plugins. Wordpress has now implemented elements to support compliance with new European privacy laws (GDPR) that took effect this year.
  • Check your email application. New rules require organizations to obtain consent from people to contact them and to provide them with an opportunity to opt out of your communications. Consider using a “double opt in” where new subscribers receive an email from you asking them to reconfirm their subscription. Email providers like MailChimp or Constant Contact use this feature, making “double opt in” easy to implement. Also, make sure you have an “unsubscribe” link on your emails if people want to opt out. Learn more from UMCom’s church email marketing materials.


Step #6: Ask for permission. Anytime you gather personal data, be clear as to how you intend to use the data your church collects. We often collect registration information for events or at Sunday worship. Consider adding a check box for people to indicate how they would like the church to contact them (text message, email, etc.). Remember: Make sure you provide a way for people to opt out of any church communications.

Step #7: Create a privacy and data policy. What’s your church’s data privacy policy? What data does the church need to retain and for how long? How should data be stored? What’s the church’s password policy? Be clear as to what data you collect. Be transparent about how data will be used and with whom it will be shared. Build a website privacy policy from these examples and resources. Also take a look at UMCom’s article on web privacy for additional considerations. Use this information to create a short handout explaining the policy and a checklist of what to remember.

Step #8: Take steps to keep the church data safe. This is not a one-time event. Your church needs to take a basic steps to:

  • Train your staff and key volunteers. Take the time to hold a short training session on the church’s privacy and data policy. Keep it simple and straightforward, focused on the goal of being good stewards of people’s personal information.
  • Ask everyone to use strong passwords. Typically, hackers get personal information because of easy-to-guess passwords. All passwords should contain upper and lower case letters, a number and (ideally) a symbol. Ask people to change their passwords every 90 days.
  • Keep your computer operating systems up to date and “patched.” Hackers use security vulnerabilities in the operating system or software to get access to personal data. Build a strategy to keep your church secure online. One easy step is to make sure your software is current with the latest updates. To stay on top of potential threats, sign up for free hacking alerts with an email that’s monitored on a daily basis. This can avoid a major issue and keep the church protected.


This roadmap provides general guidance and good practices for churches to follow. It provides a strong foundation, but consider consulting with an expert to ensure your church complies with any international, federal, state and local regulations.