A question I’ve received quite a bit lately has to do with a church or schools need to comply with GDPR — the European Union’s General Data Protection Regulations which will go into effect later this month. While there is a lot we don’t know and it is a complex topic, let me take a stab at providing guidance and what this means for you as a WELS church or school. Over the coming months, as things get a little clearer, I’ll revisit the topic and hopefully provide more definitive information.
First a little FAQ…
What us GDPR?
The General Data Protection Regulation, or GDPR is a regulation by which the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU.
When Is Compliance Required?
The GPDR becomes enforceable on May 25th, 2018
What Users Does GDPR Apply to?
The GDPR applies to the personal data of all EU residents whether they are EU citizens or not.
What Data Does GDPR Apply to?
The scope of GDPR is really very broad and vague: it covers any entity collecting information that is “monitoring the behavior of Individuals”. Most of the security community agrees that this applies to all web stored personal data including tracking cookies, email lists, form data, etc.
Can the EU Enforce GDPR on US Organizations? What Could Happen?
They apparently can, but “how much” is still a question. Experts have suggested that having a plan in place may, at this point, shows good-faith effort toward compliance that may minimize the chance of litigation.
What does that mean for you as a WELS Church or School?
- Any database (church or school management system, spreadsheet, digital list, form data, etc.) must be encrypted and data transport to and from it also encrypted.
- If you have not secured permission from an EU resident to store their data, for whatever purpose, get permission and provide them with clear reasons for why you would like to store the data.
- When collecting data from EU residents (likely via online forms), the form must provide an active (vs passive) means for the user to consent to data storage. Again, the expressed purpose for the data collection must be clearly stated.
- EU resident data must be expunged when the “expressed purpose” has expired.
- Provide a mechanism for EU residents to request that their data be removed, and a means for either them to do it themselves (example, unsubscribe from a newsletter) or database owners to do it for them.
- Make sure that EU resident data in all systems and storage mechanisms is accounted for. This is important if you receive a request from an EU resident that their data be removed…you need to know where it is.
- Ensure that all 3rd party tools used to collect or maintain EU resident data are GDPR compliant. This could apply to your Church Membership Database, Student Information System, forms tool like JotForms or FinalWeb Forms, etc.
In summary, a lot of these regulations are just good practices anyway, but it is likely that you may not be in compliance today. Get started with these first steps, have a plan and reach out for help if you aren’t sure you are on the right track.