
General Information Security Guidelines for WELS Organizations

A frequent request I receive from WELS congregations, schools and other organizations is for guidance on digital security and privacy. While this is a complex topic that varies by organization and even by location, I have put together a document (available below) that attempts to give, at least at a high level, best practices and guidance for things like encryption, data storage, and privacy policies. If you are a WELS organization, please feel free to reach out directly if you would like more detailed information or have specific questions.

General Information Security Guidelines

This document provides guidance to WELS congregations, schools and other organizations for establishing best practices in handling user data and securing online resources. It is important to handle member information (personal and financial), as well as website visitor data, with care. Foreign, and now domestic, legislation (depending on the state you operate in) may dictate what you can and can't do, as well as the policies and procedures you need in place. Many of the new laws have to do with Personally Identifiable Information (PII).

Disclaimer: These guidelines are recommendations but may not consider all local, state, federal or international law. They are meant to call attention to certain important compliance and safety areas but should not be taken as official legal advice. We will attempt to keep this document up to date with general best practices and conventional guidance.

View Full Document: General Information Security Guidelines.pdf

GDPR Guidance

A question I've received quite a bit lately has to do with a church's or school's need to comply with GDPR, the European Union's General Data Protection Regulation, which goes into effect later this month. While there is a lot we don't know and it is a complex topic, let me take a stab at providing guidance on what this means for you as a WELS church or school. Over the coming months, as things get a little clearer, I'll revisit the topic and hopefully provide more definitive information.

First a little FAQ…

What is GDPR?

The General Data Protection Regulation, or GDPR, is a regulation by which the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also addresses the export of personal data outside the EU.

When Is Compliance Required?

The GDPR becomes enforceable on May 25th, 2018.

What Users Does GDPR Apply to?

The GDPR applies to the personal data of all EU residents, whether they are EU citizens or not.

What Data Does GDPR Apply to?

The scope of GDPR is very broad and vague: it covers any entity collecting information that is "monitoring the behavior of individuals". Most of the security community agrees that this applies to all web-stored personal data, including tracking cookies, email lists, form data, etc.

Can the EU Enforce GDPR on US Organizations? What Could Happen?

They apparently can, but "how much" is still a question. Experts have suggested that having a plan in place may, at this point, show a good-faith effort toward compliance that minimizes the chance of litigation.

What does that mean for you as a WELS Church or School?

  1. Any database (church or school management system, spreadsheet, digital list, form data, etc.) must be encrypted, and data transport to and from it must also be encrypted.
  2. If you have not secured permission from an EU resident to store their data, for whatever purpose, get permission and provide them with clear reasons for why you would like to store the data.
  3. When collecting data from EU residents (likely via online forms), the form must provide an active (vs. passive) means for the user to consent to data storage. Again, the expressed purpose for the data collection must be clearly stated.
  4. EU resident data must be expunged when the "expressed purpose" has expired.
  5. Provide a mechanism for EU residents to request that their data be removed, and a means for them to do it themselves (for example, unsubscribing from a newsletter) or for database owners to do it for them.
  6. Make sure that EU resident data in all systems and storage mechanisms is accounted for. This is important if you receive a request from an EU resident that their data be removed; you need to know where it is.
  7. Ensure that all third-party tools used to collect or maintain EU resident data are GDPR compliant. This could apply to your church membership database, student information system, forms tool (such as JotForms or FinalWeb Forms), etc.
  8. Have a privacy policy on your website, or linked to from forms, that clearly states what you do and don't do with the data collected.
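Items 3 through 6 above describe mechanics that a small organization can actually build into whatever system holds member data: accept a form submission only when the consent box was actively ticked, tie each record to a stated purpose and an expiry date, delete records once that purpose has expired, and keep an inventory of every store holding a person's data so an erasure request can be honoured everywhere. The Python below is an added illustration of those four mechanics and is not code from the original post or from any of the tools it names; the record layout, the store names and the sample submissions are constructed for the example.

```python
"""Active consent, purpose-bound retention and erasure for member data.

Added example (not from the original post). The record fields, the store
names ("newsletter", "vbs_signup") and the sample form submissions are
constructed assumptions; a real system would persist these records.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass
class ConsentRecord:
    email: str
    purpose: str            # the "expressed purpose" shown to the person
    consented_at: datetime  # when the person actively opted in
    expires_at: datetime    # when the purpose, and so the record, expires


class DataRegistry:
    """Inventory of every store that holds personal data (checklist item 6),
    so an erasure request (item 5) can be fulfilled in all of them."""

    def __init__(self) -> None:
        self.stores: dict[str, dict[str, ConsentRecord]] = {}

    def register_store(self, name: str) -> None:
        self.stores[name] = {}

    def record_consent(self, store: str, form: dict, purpose: str,
                       retention_days: int, now: datetime) -> ConsentRecord:
        """Store a submission only if consent was given actively (item 3).

        The form must render its consent checkbox unchecked; an unticked box
        sends no "consent" field at all, so anything other than the explicit
        opt-in value is treated as no consent. A stated purpose is required."""
        if form.get("consent") != "yes":
            raise ValueError("no active consent given")
        if not purpose.strip():
            raise ValueError("the purpose for collecting the data must be stated")
        rec = ConsentRecord(
            email=form["email"],
            purpose=purpose,
            consented_at=now,
            expires_at=now + timedelta(days=retention_days),
        )
        self.stores[store][rec.email] = rec
        return rec

    def locate(self, email: str) -> list[str]:
        """Every store currently holding this person's data (item 6)."""
        return sorted(name for name, s in self.stores.items() if email in s)

    def erase(self, email: str) -> list[str]:
        """Honour a removal request across all stores (item 5)."""
        removed = self.locate(email)
        for name in removed:
            del self.stores[name][email]
        return removed

    def expunge_expired(self, now: datetime) -> list[tuple[str, str]]:
        """Delete records whose expressed purpose has expired (item 4)."""
        expunged = []
        for name, s in self.stores.items():
            for email, rec in list(s.items()):
                if rec.expires_at <= now:
                    del s[email]
                    expunged.append((name, email))
        return expunged


def demo() -> dict:
    """Walk through the lifecycle with constructed sample submissions."""
    reg = DataRegistry()
    reg.register_store("newsletter")
    reg.register_store("vbs_signup")
    enforce = datetime(2018, 5, 25, tzinfo=timezone.utc)

    # Ticked box: accepted, kept for a year for the newsletter purpose.
    reg.record_consent("newsletter", {"email": "a@example.org", "consent": "yes"},
                       "monthly e-mail newsletter", 365, enforce)
    # Same person signs up for a one-time event; short retention.
    reg.record_consent("vbs_signup", {"email": "a@example.org", "consent": "yes"},
                       "VBS 2018 registration", 90, enforce)
    # Unticked box: the field is absent from the submission and is rejected.
    try:
        reg.record_consent("newsletter", {"email": "b@example.org"},
                           "monthly e-mail newsletter", 365, enforce)
        rejected = False
    except ValueError:
        rejected = True

    located = reg.locate("a@example.org")
    expired = reg.expunge_expired(enforce + timedelta(days=120))
    erased = reg.erase("a@example.org")
    return {"rejected": rejected, "located": located,
            "expired": expired, "erased": erased}


if __name__ == "__main__":
    print(demo())
```

The useful property is that erasure and expiry both run over the registry rather than over one database, which is exactly why item 6 (knowing where the data is) has to come before item 5 can be honoured reliably; spreadsheets and third-party form tools that are not in the inventory are the copies most often missed.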

In summary, a lot of these regulations are just good practices anyway, but it is likely that you are not in compliance today. Get started with these first steps, have a plan, and reach out for help if you aren't sure you are on the right track.