I'd love to see how other churches have handled the new international security/privacy regulations for websites. The new laws are even making me wonder if a broader web security policy is needed for a congregation. So my question has two parts: how are you clearly disclosing the privacy standards you use? Do you have an electronic information policy in place? My initial reaction to GDPR was, that's simple: we already say upfront we're a local church. But our analytics clearly show European and other visitors. My next strategy was a low-keyed approach: show we don't collect info unless people are registering for an event like VBS. State that our web service provider uses non-identifying info to provide analytics, then give a link to the Squarespace policies.(That's what I thought I could easily publish tonight. Ha!) (Likely you've seen a bunch of pop-ups that require the end-user to affirm he has seen and agrees to the website's privacy policies. I REALLY don't want to make people jump through a loophole to visit our site. I suspect privacy laws are much like environmental laws: the concern is disclosure, not tying people up in bureaucratic knots then say we've done our job.) Now I'm realizing that our data is not being handled securely. For example, the forms from our website dump data into a Google spreadsheet and into whatever email system a ministry leader wants. Third-party apps for e-invites etc. are spam and security nightmares. So what have y'all done?