GDPR Compliance


(Tim Cool) #1

Hey CITN Members…has your church made any decisions about using software that either does or does not comply with the upcoming GDPR requirements for EU citizens?

What is the GDPR?

General Data Protection Regulation (GDPR) proposed by the European Commission will strengthen and unify data protection for individuals within the European Union (EU), whilst addressing the export of personal data outside the EU.

https://www.eugdpr.org/

Thanks


(Joe Benson) #2

Given that we have no presence in the EU, I think we’re not especially concerned about GDPR’s requirements or compliance with it, except to the extent that some of our service providers may choose to apply GDPR policies to all their clients rather than maintain two separate sets of policies and/or software. We’ll have to take those on a case-by-case basis. I know Google Analytics sent out their notification about GDPR updates yesterday; haven’t had a chance to review in detail yet.


(Tim Cool) #3

Thanks Joe…appreciate the insight.


(Russ Taylor) #4

The basic principles of GDPR are quite simple:

Are you based in the EU?
Is any of your data stored in the EU?
Does your data contain any personal information about any EU citizen?

If your answer to ALL 3 questions is an emphatic NO, then you do not need to worry about GDPR.

If you answer yes to either of the first two, you MUST contact every person on your database and request their permission to continue to store data about them.

If your answer is YES to the 3rd question, you must ask each EU citizen for permission to continue to store personal data about them.


(Tim Cool) #5

Thanks Russ. Appreciate the feedback.


(Daniel Murphy) #6

Russ is right that even if you have no presence in the EU, if you store personal information about EU residents, technically speaking, your organization falls under the scope of the GDPR. So if you’ve got the name and email of someone’s grandma from Germany who donated once while she was visiting, you should ensure compliance. (Whether any EU supervisory authority will, or even can, come after an entity with no EU presence is debatable and up to your risk tolerance for now.)

However, consent is not the only basis for which you can continue to process grandma’s information. Article 6 spells out all of the different reasons you might be able to continue processing her info, including if the “processing is necessary for compliance with a legal obligation to which the controller is subject;” (would make sense for tax reporting financial gifts, etc) or if “processing is necessary for the purposes of the legitimate interests pursued by the controller” (if an EU resident comes to your church and gives you their information, there’s debatably “legitimate interest” that they’re part of your congregation). None of this has any case law behind it yet, so it’s up for interpretation and again, your risk tolerance.

GDPR also provides limits on what you can do with “special categories” of information, which includes religious affiliations. However, the processing is okay if it is “carried out in the course of its legitimate activities with appropriate safeguards by a foundation, association or any other not-for-profit body with a political, philosophical, religious or trade union aim”. (Article 9)

All that to say, you probably don’t need grandma’s consent, but you should have a good reason to have her data.

Besides providing the legal bases for processing data, GDPR also creates obligations about where you transfer that data to. In a nutshell, your ChMS should also be GDPR compliant.

Personally, if I still worked for my church which has no EU presence, I wouldn’t sweat it, but that’s your call not mine. If I were in the EU, I’d feel a lot different.

I’m neck deep getting my organization (Planning Center) GDPR compliant. If you’ve got any other GDPR questions, lemme know.


(Tim Cool) #7

BOOM…you rock Daniel. That is freaking great insight. 99.9% of all our clients are not EU. We also do not store any financial data…just name, church/org name and email. I realize all of that is considered “personal information”…so we will need to address that for sure.

Thanks again…best of success to you!


(Nick Miller) #8

One side note that you have to consider with GDPR is that this is not just a financial giving thing. Let’s say that you have a newsletter/email list sign-up on your website. If an EU citizen signs up, they have the right under GDPR to request to be removed from your mailing lists.
Also, unlike the US, in the EU IP addresses are considered personally identifiable information. So by the letter of the law, if they visit your website and you keep visitor logs, you fall under GDPR. Granted, the chance that someone would want their IP address removed is slim-to-none.
But, what this does tell me is that we, as IT professionals, need to make sure we know what data we store, and how to remove it if required.
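An added example (not from the thread or any poster) of the two controls Nick’s point about visitor logs calls for: truncating client IPs before access logs are retained, so stored logs no longer identify an individual, and dropping one visitor’s remaining entries when an erasure request arrives. The log lines and addresses are constructed, and the combined-log layout with the client IP as the first token is an assumption.

```python
"""Handling visitor logs whose IP addresses count as personal data under GDPR.

Two defensive controls:
  1. anonymize_line(): truncate the client IP before the log is retained.
  2. erase_subject(): honour an erasure request by removing the entries
     that belong to one address.
All log lines below are constructed for this example.
"""
import ipaddress
import re

# Apache/nginx "combined" layout assumed: the client IP is the first token.
_LINE_RE = re.compile(r"^(?P<ip>\S+)(?P<rest> .*)$")

def truncate_ip(ip_text: str) -> str:
    """Zero the host part: last 8 bits of an IPv4, last 80 bits of an IPv6."""
    ip = ipaddress.ip_address(ip_text)
    prefix = 24 if ip.version == 4 else 48
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)

def anonymize_line(line: str) -> str:
    """Replace the client IP in one log line with its truncated form."""
    m = _LINE_RE.match(line)
    if not m:
        return line  # unparseable line: leave untouched rather than guess
    try:
        return truncate_ip(m.group("ip")) + m.group("rest")
    except ValueError:
        return line  # first token was not an IP address (e.g. a hostname)

def erase_subject(lines, subject_ip: str):
    """Drop every line whose client IP equals the address named in an erasure request."""
    target = ipaddress.ip_address(subject_ip)
    kept = []
    for line in lines:
        m = _LINE_RE.match(line)
        try:
            if m and ipaddress.ip_address(m.group("ip")) == target:
                continue
        except ValueError:
            pass  # not an IP; keep the line
        kept.append(line)
    return kept

SAMPLE_LOG = [  # constructed sample lines, documentation addresses only
    '203.0.113.45 - - [10/May/2018:10:01:02 +0000] "GET /newsletter HTTP/1.1" 200 512',
    '2001:db8:abcd:1234::9 - - [10/May/2018:10:02:07 +0000] "GET /give HTTP/1.1" 200 918',
    '198.51.100.7 - - [10/May/2018:10:03:11 +0000] "POST /signup HTTP/1.1" 302 0',
]

if __name__ == "__main__":
    for entry in SAMPLE_LOG:
        print(anonymize_line(entry))
    print(len(erase_subject(SAMPLE_LOG, "203.0.113.45")), "lines remain after erasure")
```

Truncation is applied at ingest so the retained log never holds a full address; erasure is only needed for whatever full addresses are still on disk.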


(Melanie Reed) #9

Unless the Church/FBNP site has some reason for commerce that would invite EU visitors, it’s not so much of an issue. But if you do, even one (check your GA) then, yes, you do need a PP uploaded to your site and easily accessible. It would need to be listed as a link on any intake forms and listed certainly if you are going to do any transactions. Is the US legally bound to GDPR at this point? No. But if you do transactions (cookies, intake, ecommerce, etc) and you have EU visitors, then yes, you do need one.