Church photo consent and GDPR: what your social media volunteer needs to know
Most church social media volunteers find out about GDPR the hard way. Someone raises it at a leadership team meeting, or a parent asks why a photo of their child appeared on the Facebook page without their knowledge, and suddenly you are the person trying to work out what the rules actually are.
This post covers what UK GDPR means for church social media in plain terms, what you need to have in place, and how to handle photos confidently rather than avoiding them altogether. Because avoiding them is not the answer. Churches that never post photos of real people look empty and unwelcoming online, and that costs you far more than the occasional consent conversation.
Why this applies to you
UK GDPR (the General Data Protection Regulation as it applies in the UK post-Brexit) covers the processing of personal data. A photograph of an identifiable person is personal data. Posting it publicly on Facebook or Instagram is processing it. That means GDPR applies, and it applies to your church regardless of whether you are a registered charity, a small independent congregation, or a large evangelical church.
The good news is that compliance is not complicated. It does not require a lawyer or an expensive privacy consultant. It requires a simple system, applied consistently.
The two situations you will encounter
Adults at church events
For adult members of your congregation, you have two practical options.
The first is to obtain consent at the point of joining or membership. A short paragraph in your welcome pack or membership form explaining that photos may be taken at church events and used on social media is usually sufficient. Anyone who signs that has given informed consent.
The second is a general notice. Many churches display a sign at events stating that photos may be taken and used for church communications including social media. If someone attends an event where that notice is clearly displayed and does not object, that can constitute implied consent for adults. This is a lighter-touch approach and works well for open community events.
Either way, make sure your leadership team is aware of the policy and that you have a simple way for people to opt out. Someone who asks not to be photographed should never appear on your social media, and anyone managing the accounts needs to know that.
Children
This is where the rules are stricter and where most churches get into difficulty.
For anyone under 18, implied consent is not enough. You need explicit, written consent from a parent or guardian before posting a photo where the child is identifiable. Most churches handle this through a photography consent form that parents sign when their child first starts attending, whether that is a Sunday service, a youth group, or a toddler and parent session.
If your church does not have one of these forms, getting one in place is the most important single thing you can do before your next event. Your denomination will almost certainly have a template you can use. The Baptist Union, the Evangelical Alliance and many independent church networks have GDPR-compliant resources available to members. A quick email to your denominational support team will usually get you what you need within a day or two.
Until consent forms are in place, the simplest rule is this: do not post photos where children's faces are clearly identifiable. Wide shots of a hall full of people, photos taken from behind, or images where children are a small part of a larger scene are generally lower risk. Individual portraits or close-up photos of children are the ones to avoid until you have consent confirmed.
What a photography consent form should cover
Keep it short. A single page is enough. It should include:
Who is collecting the data and why. Something like: "Cornerstone Church collects and uses photographs for our social media accounts, website and printed materials to share the life of our church community."
What types of photos will be taken and where they will be used. Be specific: Facebook page, Instagram, church website, printed newsletter. Do not just say "church communications" if you mean social media, because people need to understand what they are consenting to.
The right to withdraw consent. Anyone who has previously consented can change their mind, and you need to honour that. Include a contact name or email address for people to raise this.
A space for a signature and date, and for the name of the child if the form covers a minor.
That is genuinely all you need. Do not make it longer trying to cover every possible scenario. A simple form that people actually read and sign is far more valuable than a comprehensive document that nobody engages with.
Storing consent records
You need to be able to demonstrate that you have consent. That means keeping the signed forms somewhere accessible and not losing them when the previous children's worker moves on.
A simple folder, physical or digital, is enough. If your church uses ChurchSuite or a similar church management system, you may be able to record consent there against individual family records, which makes it much easier to check quickly before an event. If not, a labelled folder with forms organised by family name does the job.
The key thing is continuity. The person who manages your social media needs to be able to check consent status without having to ask the pastor or dig through a filing cabinet on a Sunday morning.
Practical rules for posting photos
Once you have your consent system in place, a few straightforward rules make the day-to-day much simpler.
When in doubt, ask. If you are about to post a photo and you are not sure whether you have consent for the people in it, ask before you post. It takes thirty seconds and protects everyone.
Check your consent records before events where you plan to take photos. Particularly for children's events, it is worth a quick review of who has and has not consented before you arrive with a camera.
Never tag people in photos on Facebook without asking them first. Tagging is a separate consent question from posting the photo, and many people prefer not to be tagged even if they are happy to appear in a church photo.
If someone asks you to remove a photo, remove it promptly and without making them feel like they have caused a problem. Under UK GDPR they have the right to request this and you are obliged to act on it.
Your church social media policy
If your church has a social media policy, the photography and consent section should sit within it. If your church does not have a social media policy, writing one is a worthwhile afternoon's work and will save you considerable difficulty later.
A social media policy does not need to be long. It should cover who manages the accounts, what kinds of content are posted, the photography consent process, how negative comments are handled, and who has authority to post in urgent or sensitive situations. One side of A4 is enough.
Your leadership team should have seen it and agreed to it. That way, if a question arises about why something was or was not posted, you have a clear reference point rather than trying to reconstruct a decision from memory.
The bigger picture
GDPR compliance is not about paperwork for its own sake. It is about your congregation trusting you with their images and their children's images. Getting this right means your church family knows that the person running the social media is responsible and thoughtful. That trust is worth more than any individual post.
The churches that do this best are not the ones with the most complicated privacy policies. They are the ones where the volunteer managing social media has a simple system, knows where the consent forms are, and feels confident enough to take and post genuine photos of real church life rather than defaulting to stock images and Bible verse graphics because they are nervous about getting it wrong.
Get the system in place. Then get back to telling the story of your church.
If you are looking for a consistent way to manage your church's social media alongside consent and safeguarding policies, ChurchReach was built for UK church volunteers. Free trial at churchreach.co.uk.
