Data privacy, data protection: It’s even important for churches
FAITH LAB TECH BYTES || ARNOLD SCHUCHTER
JUNE 3, 2018
Most of us have received a seemingly endless stream of emails in our inbox in recent weeks with “urgent” notices from social media and other companies about privacy settings updates. What accounts for this sudden inbox clutter? On May 25, the General Data Protection Regulation (GDPR), a sweeping new European data privacy law, went into effect. Why should that impact us in the U.S., and even at St. James?
As a consequence of that multifaceted and sometimes spooky word “data,” the answers to these questions, and why GDPR matters, are not very clear and simple. Adding to GDPR’s impetus, though only recently, have been various data breaches and scandals like Cambridge Analytica’s misuse of Facebook data.
GDPR was passed by the European Commission more than two years ago. At first largely ignored by U.S. companies and regulators, GDPR has seemingly all of a sudden become the de facto global (and, inevitably over time, U.S.) standard for how businesses and organizations, including nonprofits and religious groups, mine and use data from consumers, members and, yes, parishioners.
Parishioners are consumers and Internet users, too. In all cases, you typically have provided your name, email address and maybe a phone number, allowing companies as well as other organizations, including churches, to track how you interact with their websites and platforms, how often you click on certain things, and even where you go on the Web afterward.
Until now, you have not had the right to access your data to see what any of these businesses and other entities know about you. With GDPR, you will be able to access your data to see what, exactly, different companies, services, and organizations, including churches, know about you. Whereas before GDPR you may not have thought much about data privacy and how you’re interacting, continuously, with all of the data-driven organizations in the U.S., and indeed the world, that will soon change.
Seemingly overnight we have become aware of the fact that data-driven tech giants like Google and Facebook and countless other businesses have financed their growth to become the biggest economic powerhouses in the world by selling our personal data to marketers. However, the uses that nonprofits and religious organizations make of our data mostly remain a mystery.
St. James Faith Lab intends to peel off key layers of that mystery by developing and promulgating a set of data privacy and protection policies that can set high standards for religious organizations anywhere. This will be a complex undertaking since at some future time it will necessarily involve intervening in decisions, made by AI and its algorithms, that affect the protection of personal data.
For St. James Faith Lab this effort will be both a challenging and consequential undertaking in the context of companies, and hopefully religious organizations, around the world striving to develop a lawful basis and transparent systems for gathering and processing personal data. Already companies around the world are spending tens of millions of dollars to comply with GDPR in order to avoid daily fines of as much as €20 million or 4% of global annual revenue in the prior year!
These compliance efforts are extending to business relationships with third parties that will have to certify that they are GDPR compliant. The world now has yet another standard and test for business trustworthiness that at some point will encompass religious organizations, but without the threat of regulators enforcing data collection policies and practices.
Unlike Europe, the United States has never had laws spelling out the digital rights of its citizens. As early as 1995, Europe adopted a policy that included many of the ideas in the GDPR. The U.S. historically regulated data privacy in the context of various business sectors, for example, healthcare records and financial documents. The St. James Faith Lab data-privacy initiative, therefore, will take place in a country where public policies and regulation will be playing catch-up.
For St. James Faith Lab, GDPR and Europe’s robust data-privacy laws pertaining to business will provide the data privacy model irrespective of the speed with which the U.S. plays catch-up. Under GDPR, people have the right to ask companies how their personal data is collected and stored and how it’s being used, and to request that personal data be deleted. Companies have to clearly explain how data is stored and used and get the consent of customers and other citizens before collecting it. People can object to personal data being used for purposes like direct marketing. In future articles, we will discuss practices that will constitute a “digital bill of rights” for parishioners.