What is the GDPR?
On 25 May 2018, the old Data Protection Directive (DPD) in Europe was replaced by the new regulation known as the General Data Protection Regulation, or simply GDPR. It has increased the obligations on organizations that collect, store and process EU citizens’ personally identifiable data. The regulation lays down provisions not only for organizations operating in Europe but also binds organizations outside the EU that handle the data of EU citizens. Replacing the old data protection act means.
GDPR has significantly changed data processing methods, making them increasingly transparent. It sets out clear principles that data controllers must comply with when processing personal data provided by a data subject.
Compared to the DPD (Data Protection Directive), the new regulation gives data subjects (EU citizens) considerably greater control over their own data: the data subject decides who obtains their personal data and how it is processed.
Organizations that fail to comply with the GDPR or violate its terms can face serious consequences. Infringements liable to a fine can attract penalties of up to €20 million or 4% of annual global turnover, whichever is greater.
UCare and General Data Protection Regulation
As data protection for citizens of EU member states is mainly governed by GDPR, UCare has not only prepared itself but has also put together the information churches need to ensure compliance. Because trust is the decisive factor in the cloud, protection of personal data has always been and will remain the top priority for UCare. The following section discusses the steps that have been taken to ensure maximum compliance with the regulation’s provisions.
Data Processing Agreement (DPA)
You may download our DPA here: UCare Data Processing Agreement
Email the completed and signed DPA to firstname.lastname@example.org. The DPA has been pre-signed on behalf of UCare. Upon receipt of the validly completed DPA by UCare at this email address, the DPA will become legally binding.
Compliance Guide for Churches
A church’s role as a data controller is important. We have simplified things and have prepared a separate guide for our customer churches. As a software service provider, we recommend that our churches inform their members about the role of UCare in the administration and management of their organizations and how we enable them to process the personal information they hold. The guide collects sufficient information for churches to ensure that the right practices are followed when collecting and processing the data of EU citizens.
UCare as Data Processor
UCare, as a data processor, processes data on behalf of the data controller with the intention of providing improved services and simplified processes. UCare is based in Australia, and only a small portion of the data we process is located in EU member states; we nevertheless maintain the high standard of data processing defined in GDPR.
Third-party service providers that deliver specific services on our behalf act as sub-processors. The sub-processors only store and process the personal data that you input to carry out a specific operation, e.g. providing member details in order to send an email. Even for this purpose, UCare chooses to work with globally recognised providers that also take GDPR compliance into consideration.
The sub-processors that UCare works with:
| Entity Name | Applicable Services | Purposes | Entity Country | GDPR Compliance |
|---|---|---|---|---|
| Microsoft Corporation | Azure, Power BI | Cloud Service Provider, Optional - Data Analytics | United States | |
| Message Systems, Inc | Sparkpost | Email Delivery | United States | |
| Stripe, Inc | Stripe | Payment Processing | United States | |
| Zendesk, Inc | Support, Guide, Talk | Customer Support | United States | |
| Clickatell, Inc | Developer Central | Optional - Text Messaging | United States | |
| The Rocket Science Group, LLC | Mailchimp | Optional - Email Delivery | United States | |
| PayPal Holdings, Inc | PayPal | Optional - Payment Processing | United States | |
| Pushpay Limited | Pushpay | Optional - Payment Processing | New Zealand | |
| Ministry Centered Technologies, Inc | Planning Center Services | Optional - Service Planning | United States | |
| Life Covenant Church, Inc | Church Metrics | Optional - Data Insights | United States | |
| Google, LLC | ReCaptcha | Optional - Avoiding Bot Form Submissions | United States | |
| Calendly, LLC | Calendly | Optional - Appointment Management | United States | |
| UCare Technologies Pty Ltd | UCare | Database Management | Australia | |
Frequently Asked Questions
Where does UCare store EU customer data?
UCare uses Microsoft Azure as its cloud partner. Where the data is stored depends on each church’s location; Azure keeps European identity data in EU datacenters. Note, however, that GDPR does not require processors to host or store EU customer data only within the EU.
Does GDPR apply to the countries outside of EU?
Yes. If you are a company or organization located outside the EU member states but you collect, store or process the data of EU citizens, GDPR applies to you.
Who is the data subject?
The data subject under GDPR is a natural person from whom you collect identifiable information and whose information you hold and further process in connection with your business operations.
Who are the key stakeholders in GDPR?
They are mainly the following:
- Data Subject: From whom the Personal Data is collected and processed.
- Data Collector: The organization that primarily collects the information from the Data Subject.
- Data Controller: The entity that, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
- Data Processors: A person or organization that acts on behalf of the Data Controller to Process Personal Data.
- Sub-Processors: Third-party organizations or businesses that a Processor engages to assist in the Processing of Personal Data.
- Supervisory Authorities: Public authorities who monitor the application of the regulation.
Who is exempt from GDPR?
There are very limited exemptions, mostly in connection with the activities of law enforcement, government agencies and Member States, or the processing of data for household activities. Charities, faith organizations and even churches do not have an exemption.
Does GDPR inflict real Penalties?
Yes, it does. In case of an infringement, serious penalties can be imposed on a person or an organization, including fines of up to 4% of annual global turnover or €20 million.
What Churches Need to Know?
Many faith organizations and churches are already aware of the GDPR and its impact on data processing, but there are a number of others who may need to take note of the following key elements. As a leading church software service provider, UCare has prepared a simple guide for our churches.
Definition of personal data
The GDPR applies when you collect and process data that can identify a natural person (EU citizen). This may be generally identifiable information or it may fall into a special category of data, i.e. sensitive data. A church may hold both generally identifiable data, e.g. names, email addresses and phone numbers, as well as data in the sensitive category, e.g. religious and philosophical beliefs. This covers not only the data of your customers in the EU, but also suppliers, employees and any other individuals from whom you collect personal data.
Collection of personal data
Faith organizations and churches are not exempt from the scope of the GDPR. If you are collecting EU citizens’ data, you now need policies that show why you need the personal information you are collecting and how you will hold, process and protect it. Before you obtain personal information, you must clearly state why you need it and how you will use it.
Consent of data Subject
An important part of GDPR is that the consent of the data subject must be freely given, affirmative and unambiguous. Consent that is clearly asked for and freely given provides the legal ground to process the data for the purposes the data subject has consented to. For example, a member gives consent to receive prayer updates from the church by email. If consent was obtained before the GDPR came into existence and you doubt that it complies with the tougher standards of GDPR, it must be updated.
Data of children
We know children are part of the church, and GDPR adds an extra layer of protection to the data of this age group. As mentioned earlier, it is only consent that provides a lawful basis for the processing of personally identifiable data. To process the data of children under the age of consent, you need to obtain consent from their parents or guardian, or whoever holds parental responsibility. The age of consent is generally 16; however, certain member states, such as the UK, have provisions to lower the age of consent to 13. If you offer sign-up for free or paid children’s events, serve a clear privacy notice that children can understand.
Consent can be withdrawn
GDPR bolsters the rights of EU citizens by giving them greater control over their personal data. Consent previously given to process data for a certain purpose can later be withdrawn by the data subject. As a data controller, you must have a policy for informing them of their right to do so at any time. For example, a member may no longer want to receive prayer updates by email. Note, though, that legal exemptions may apply; for instance, where a person has been involved as a leader in child-related activities, that information may need to be kept. In this case the laws requiring storage of their areas of involvement can override the GDPR.
Religiously sensitive data
Faith organizations and churches are under extra obligations because they hold specific personal data that falls into the sensitive data category of GDPR. Religious and philosophical beliefs are one of several categories of sensitive personal data that can expose a natural person to a potential risk of persecution. Processing such data is therefore generally prohibited and is permitted only under specific derogations, e.g. where the data subject has given explicit consent.
When it comes to safeguarding the personal data one holds, GDPR obliges data controllers and processors to take both organizational and technical measures to protect personal information. Some of the measures it suggests include encryption and pseudonymization of personal data, a process for regularly testing and evaluating security, the ability to restore access to personal data in a timely manner, and ensuring its availability, integrity and confidentiality.