GDPR and church social media: complete guide for UK churches

UK GDPR applies to churches. This surprises some volunteers and church leaders who assume that because they are a religious organisation or a small charity, the rules do not quite reach them. They do. Any organisation that processes personal data about identifiable individuals is covered, and a church that posts photos of its congregation on Facebook is processing personal data.

This guide covers what UK GDPR actually means for church social media in practical terms, not legal theory. It is not legal advice - for specific situations your diocesan office, denomination, or the ICO’s own guidance will give you more authoritative answers. But it will give you a clear understanding of what is required and how to manage it without it becoming a burden.


What UK GDPR is and why it applies to your church

UK GDPR (the UK General Data Protection Regulation) came into force on 1 January 2021, when the EU GDPR was retained in domestic law at the end of the Brexit transition period. It largely mirrors the EU GDPR, with some UK-specific modifications, and sits alongside the Data Protection Act 2018. It is enforced by the ICO (Information Commissioner’s Office).

Under UK GDPR, personal data means any information relating to an identified or identifiable living person. A photograph in which someone’s face is visible is personal data. Posting it publicly on Facebook is processing personal data, and processing personal data requires a lawful basis.

For most church social media activity, the relevant lawful bases are consent and legitimate interests. Understanding which applies when is the practical core of GDPR compliance for church social media.


The two lawful bases you will use

Consent means the individual has actively agreed to their data being used in a specific way. For church social media this usually means a photography consent form that individuals or families sign, confirming they are happy for their photos to be posted on the church’s social media accounts and website.

Consent must be informed (they understand what they are agreeing to), freely given (no pressure), specific (they know exactly what they are agreeing to) and unambiguous (a positive opt-in, not a failure to opt out). You must keep a record of when and how consent was given, and people must be able to withdraw consent as easily as they gave it.

Legitimate interests can be used where you have a genuine purpose, the processing is necessary for that purpose, and the individual’s interests, rights and freedoms do not override it (the ICO calls this the three-part test). Whether the individual would reasonably expect the processing is central to that balancing. For example, posting a photo of a congregation event where the focus is the event rather than any individual, and where a general notice has been given that photos may be taken, may be justifiable under legitimate interests for adults. It is much harder to rely on legitimate interests for photos of children.

In practice: always get explicit consent before posting an identifiable photo of a child. For adults, use consent or legitimate interests depending on the context, and document your reasoning either way.


Photography and posting: the practical rules

Children (under 18): Explicit written consent from a parent or guardian before any identifiable photo is posted. No exceptions. See church photo consent and GDPR for how to set up a consent form.

Adults: A combination of explicit consent (via membership forms or photography consent forms) and legitimate interests for general congregational photos where people would reasonably expect to be photographed. Always give people a way to opt out and honour it immediately when they do.

Tagging: Tagging someone in a photo on Facebook is a separate act that requires their separate consent. Do not tag without asking, even if the person appears in a photo you are legitimately posting.

Public events: Photos taken at events that are open to the general public, and where it would be reasonable for people to expect to be photographed (a civic Remembrance service, a community fair), carry a different expectation from photos taken in a more private setting like a Sunday service or a small group gathering. Context matters.

Removing photos: Anyone can ask you to remove a photo of them from your social media. Under UK GDPR’s right to erasure (and the right to object, where you relied on legitimate interests), you should remove it without undue delay. The legal deadline for responding to such a request is one month, but in practice a photo can usually be taken down the same day. Keep a simple log of these requests and what you did about them.


Your church social media policy

Every church that has a social media presence should have a short written policy covering:

- who manages each account
- what kind of content is appropriate
- what requires approval before posting
- your approach to photography consent
- how to handle requests to remove content or access data

This policy does not need to be complicated. One or two pages is enough. It should be agreed by your leadership or PCC and reviewed annually. For a template to work from, see church social media policy template UK.


Privacy notices and transparency

Under UK GDPR you are required to tell people how you use their data. For a church this typically means a privacy notice on your website covering how you use personal data, what data you hold, how long you keep it, and how people can exercise their rights.

For social media specifically, a brief statement in your social media policy (or in an annual notice to the congregation) explaining that photos may be taken at church events and used on social media is good practice, alongside making clear how people can opt out or request removal.

If your church does not have a privacy notice on its website, creating a simple one should be a priority. The ICO’s website has free templates and guidance for small organisations.


Data subject rights

UK GDPR gives individuals rights over their personal data. The ones most relevant to church social media:

Right to access: Someone can ask to see what personal data you hold about them. For social media this is less common, but if asked you should be able to tell them what photos or information you have posted about them.

Right to erasure: Someone can ask you to delete their data, including removing photos from your social media. You are generally obliged to comply, and you must respond within one month of the request.

Right to object: Someone can object to you processing their data, including posting photos of them. You must stop unless you have compelling legitimate grounds.

In practice, most requests from church members are informal: “Please don’t post that photo of me.” Handle these promptly and without making the person feel they have caused a problem, regardless of the legal framework behind them.


Live streaming

If your church live streams its services on YouTube or Facebook, people visible in the stream are having their image broadcast and potentially recorded. This requires the same consideration as photography.

The practical approach most churches use: place a notice at the entrance to the service explaining that it is being live streamed, and give anyone who does not want to appear on the stream the option to sit in a position that is out of shot. Document this approach and make it consistent.

For more on the legal considerations around church live streaming, a conversation with your diocese or denomination’s communications or legal team is worth having before you start.


ICO registration

Most churches that process personal data beyond purely personal or household use need to pay a data protection fee to the ICO (commonly called registering). Charities pay the lowest fee tier regardless of their size; that fee was £40 per year at the time of writing, and the ICO revises its fees periodically, so check the current figure. Some small not-for-profit organisations that process data only to maintain a membership list and run their own activities are exempt from the fee. Use the ICO’s self-assessment tool at ico.org.uk to confirm whether your church needs to pay, and pay if it does.

Being registered does not mean you are automatically compliant, but it is a basic step that demonstrates you are taking data protection seriously.


The practical checklist

Rather than a lengthy policy document, start with this checklist and work through it at your own pace:

- Photography consent form in place for children attending regular activities.
- Adults given a clear way to opt out of photography.
- Social media policy written and agreed with leadership.
- Privacy notice on the church website.
- ICO registration checked.
- Someone designated as responsible for data protection queries (does not need to be a formal DPO for most churches).
- Log of consent forms kept somewhere secure and accessible.

That is the core of GDPR compliance for church social media. It is achievable for any church regardless of size.


ChurchReach is built with UK church compliance in mind. All data is stored in compliance with UK GDPR, and the platform is designed for the way UK churches actually work. Start a free trial at churchreach.co.uk.