You can download a copy of this guidance here: Tollard Royal and the General Data Protection Act

The village has several different groups that all use our ‘village directory’ mailing list:

  • The Parish Council
  • The Church
  • The Social Committee
  • Neighbourhood Watch
  • Tollard Tattler
  • Village email List
  • Emergency telephone tree
  • WhatsApp emergency and crime group
  • Facebook Page

We are a small village of fewer than 120 residents; however, we are NOT exempt from GDPR.

In very simple terms, that means that every resident in Tollard Royal must ‘OPT IN’ to have their email and personal details used by any of the above groups. Our reality is that one email list, called The Village Directory, is used for all communications. That database is currently held by the Chair and Clerk of the Parish Council on their personal computers. The village directory has also been uploaded into an online secure system called ‘MAILCHIMP’, which we use for our village newsletter.

The village of Tollard Royal has not employed a specific Data Protection Officer. The responsibility is taken up by the Clerk to the Parish Council, supported by the Chair of the Parish Council, the Neighbourhood Watch Co-ordinator and the Treasurer to the church.

One single consent has been gathered for all the above from parishioners.

What is the GDPR?

The EU’s General Data Protection Regulation (GDPR) is the culmination of four years of efforts to update data protection for the 21st century, in which people regularly grant permissions to use their personal information for a variety of reasons in exchange for ‘free’ services.

In the UK, GDPR will replace the Data Protection Act 1998, which was brought into law as a way to implement the 1995 EU Data Protection Directive. GDPR seeks to give people more control over how organisations use their data, and introduces hefty penalties for organisations that fail to comply with the rules, and for those that suffer data breaches. It also ensures data protection law is almost identical across the EU.

Explaining the jargon:

Personal data is information about a living individual which is capable of identifying that individual. Processing is anything done with/to personal data, including storing it. The data subject is the person about whom personal data are processed. The data controller is the person or organisation who determines the how and what of data processing, in a parish usually the incumbent or PCC.

One of the main changes to note is that the GDPR places a much greater emphasis on transparency, openness and the documents we as a village need to keep in order to show that we are complying with the legislation. This is incorporated within the idea of “accountability”.

Accountability – What is it and how does Tollard Royal comply?

The new accountability principle means that we must be able to show that we are complying with the principles. In essence, we cannot just state we are compliant; we have to prove it and provide evidence. To do this there are a number of actions we should take,


Tollard Royal relies on consent as the lawful basis for processing any personal data. You need to be aware that, to be valid under the GDPR, consent must be freely given, specific, informed, unambiguous and able to be withdrawn. Also, we will need to record how and when the consent was obtained (and review this over time).

What does this really mean?

For example, we cannot use the personal data from the electoral roll to send mail to individuals about events at the church without seeking consent first. If we have not obtained consent from individuals to do this, we will not be able to use your personal data in this way. We will need to keep records of all consents received and periodically review them (e.g. every 5 years) to ensure that they are still valid.

You should note that consent may not be appropriate in every case. Remember there are other lawful bases for processing personal data. For example, you would not have to obtain consent to share the names of individuals on the Church Readers rota or after service tea/coffee rota with other church members. In that instance, the information is shared with others in order to carry out a service to other church members. Of course, if it was intended to share the names outside the church for another purpose, then we would need to obtain consent.

Parishes are highly unlikely to be required to have a Data Protection Officer. Data Protection Officers are required in certain circumstances, such as where organisations process sensitive (special category) personal data on a “large scale”. The processing of sensitive personal data by the PCC and/or incumbent is unlikely to be classed as “large scale”. However, we can make it clear who has access to the data and who is responsible for data protection issues, including providing support and guidance for others.




| Description | Why is the data held and what is it used for? | Who | Basis for processing data (e.g. consent, legal obligation etc.) | Who holds the data and who can access it? | What security controls are in place? | How long is data kept for? | Is this covered by our privacy notice? | ACTION REQUIRED |
| --- | --- | --- | --- | --- | --- | --- | --- | --- |
| Gift Aid Declarations | For claiming Gift Aid | PCC | Legal obligation | Processed by the PCC treasurer | Paper declarations kept in a filing cabinet. Spreadsheet on PC. | Six complete calendar years after last gift claimed on the declaration | Yes | Password protect the spreadsheet |
| Electoral Roll | For running PCC Elections | PCC | Consent given by completion of form, legal obligation and public task | Held by Church Warden and made publicly available on the church notice board. | No security as this is public information | Reviewed each AGM | No | None |
| Names and addresses, phone numbers, emails of PCC | For the functioning of the PCC | PCC | Consent given at election | Information is passed to the Diocese and can be published in any public place including parish magazine | No security | Reviewed each AGM | No | None |
| 52 Club | PCC fundraiser | PCC | Consent given when joining | Held by PCC Treasurer – names made public when drawn in church and then published in the Tollard Tattler | No security | Annually on subscription | No | None |
| Donors to the church | Tracking of donors | PCC | Consent given when making donation | Held by PCC Treasurer. Seen by independent examiner | Held on a database by treasurer | Annually | Yes | Password protected spreadsheet |
| Parish Register: Baptisms, Funerals and Weddings | Public Record | PCC | Manifestly made public | Kept by the Churchwardens | On display in the church | Permanent record | No | |
| Flower rota / caretaking rota / reading list | | PCC | No consent needed as this information is never shared and only used for the function of the church | On display on notice board. | | As required | No | |
| Email List; Telephone numbers; Emergency Telephone Tree | For emergency planning | Parish council | Consent given on electronic consent form | Chair of the PC | Kept confidential, shared only with residents of Tollard Royal and key stakeholders such as the unitary councillor for Tollard Royal Business. | Annually | Yes | Ensure email group is always blind copied. |
| Electoral roll Email list | Agenda and minute distribution | PC | Consent obtained from all villagers via an electronic form | Chair of PC and Clerk | Held on personal computers | Reviewed every 5 years – new residents will be added ad hoc. Leavers removed | Yes | |
| Email and phone | Council function | PC | Consent given at election | Clerk | Public. On notice board and website | On election | No | Public information |
| Village Directory Distribution list | Fish & Chip Notices | | Consent given by electronic form | PC Chair & Clerk | Private. Password protected login | Reviewed every 5 years – new residents will be added ad hoc. Leavers removed | Yes | Ensure email group is always blind copied. |
| Village Directory Distribution plus people who have subscribed to the newsletter list | Village newsletter Tollard Tattler | PC | Consent obtained from all villagers via an electronic form | Held on Mailchimp – everyone can simply unsubscribe | Private. Password protected login | As required | No | Mailchimp does not reveal recipients |
| WhatsApp Crime and Emergency Group | Neighbourhood watch | PC / NHW | Consent given on joining and can remove themselves from the group | Held on the administrator's phone | Public to the group members | As required | No | |
| Facebook Page | PC and NHW | PC / NHW | Consent given on joining and can remove themselves from the group | Held by administrator | Public page | As required | No | Public page |