ChurchSuite and GDPR
The new General Data Protection Regulation (GDPR) came into effect on 25th May 2018 and introduces a number of significant changes that will impact the way an organisation processes personal data for EU citizens.
In Summer 2017 we produced a GDPR case study to help churches prepare for some of the main the changes being introduced.
How can ChurchSuite help you with GDPR compliance?
We're committed to ongoing development of functionality to help churches comply with best-practice and compliance, both for those already in your database, but also for new people that you'll add in the future. Obviously we're not responsible for your church's compliance, and certainly the GDPR extends to far more than just your use of ChurchSuite.
The remainder of this article outlines some of the changes we've introduced to the platform to help churches in their compliance as they use ChurchSuite.
- We now log all My ChurchSuite password reset requests against the Address Book contact, and we log all user password reset request against the User's profile.
- When viewing people in your database we've made it much clearer for you to see how and when new people are added to your database. You can now see the "created by" user/date/time stamp when viewing a contact, child or giver's profile page. Previously this was only visible when editing a person. Now located under the 'Recent Activity' section you can see at a glance when a person was first added to your database and how/by whom.
- In Administrator > Profile you can now set an account-level Data Protection statement that will be made available on all public-facing forms - typically this is where you would paste your church's privacy notice.
- We've added a clear 'opt in' checkbox, linked to your Data Protection statement, for all public-facing forms where personal data is submitted in ChurchSuite, including Donate, the Connect "My Details" form, the Embed 'My Details' form, Group sign-up, Visitor child check-in, Event pages with sign-up, and the customer-facing Booking pages.
- We've added the Data Protection statement from your administrator profile to the Privacy Settings section of My ChurchSuite.
- We've introduced a new Data Protection contact in Administrator > Profile > Contacts, which will be used for certain GDPR-related workflow notifications e.g. "Request to be forgotten". By default the DP contact is populated with your Account Contact details.
- We've adding additional "Receive email/SMS?" opt in/out communication settings for unlinked givers and unlinked parents.
- We now always send a confirmation email back to a submitter whenever personal information is submitted through any public-facing ChurchSuite forms - this applies to event sign-up, the Connect "My Details" form, the embeddable "My Details" form, small group sign-up, Visitor child check-in and Donate. Confirmation emails include a snapshot of personal data submitted, presented in a partially obfuscated format - so you can easily see what the form looked like at the point of submission. These confirmation emails are logged in each person's 'sent' communications, providing an historic record of the data submitted.
- When resetting a password from within ChurchSuite (either when a user resets their own password, or when an Administrator resets another user's password), we now show a password strength indicator so that you can see at a glance whether your "Password123" password really is the best-compliance, secure option!
- We've added "Settings" to each module's Reports section, which allows Administrators to easily disable a report that your church would prefer not to use and doesn't want to collect unnecessary data for. Further settings can prevent users from exporting a report (i.e. download or print) or communicating from the report. Essentially we want to make it easier for you to manage the flow of personal data going out of your ChurchSuite account. Currently report settings apply to all users and administrators i.e. it's an on/off switch.
Following a full review of our change logs, we've implemented additional logging to provide a much more detailed audit trail of precisely how a person was added to ChurchSuite, and by whom. For example, when an event sign-up is added to your Address Book from the event in the Calendar module we show the event that person was added from and the user that performed the action...
...or perhaps when a child visitor is added to your Children module from the Visitors report...
...or when an existing unlinked parent is added as a new contact in your Address Book from the child's profile page...
When moving a contact to the Children module, or a child to the Address Book, we now maintain a more detailed change log history in the Recent Activity section.
- We've added a module password option to all the modules. You can now add an extra layer of security to any module by implementing a module password. Any user, including administrators will be unable to access the module without the correct module password.
- The "Sex" field can now be set as optional on the My Details newcomer form for Connect and Embed. This will be helpful if a person's sex is personal data that you do not wish to process.
- The following Children module fields are now optional and can be disabled on your account if you don't wish to process this category of personal data within ChurchSuite: school, special needs, doctor details and additional information fields.
- Givers can now manage their own online recurring donation subscriptions within the My Giving section of My ChurchSuite; perhaps to cancel an existing direct debit in order to create a new one, or to manage their recurring card donations, including changing the amount, adding an end date to their subscription, cancelling their donation entirely, or changing their payment card. Helpful change logs are recorded in the Giving module, including a confirmation of the changes to the giver.
- We've added the new "Right to be forgotten" option to the My Details section within My ChurchSuite. No data is auto-deleted if invoked; instead a notification is sent to the Data Protection contact, a key date is added in the Address Book, email/SMS is opted out, My ChurchSuite access is revoked, and the person is immediately logged out of My ChurchSuite. The 'forget me' option is only visible if your church have added their privacy notice (in Administrator > Profile)
- We've implemented some visual changes to the My Details section of My ChurchSuite and for child profiles in My Children within My ChurchSuite. We've separated out sections for Details, Login and Privacy, and have introduced a new Communication section for managing communication preferences.
- We've updated ChurchSuite's Terms of Service to reflect the GDPR, incorporating the compulsory terms set out by the ICO. We've made things much clearer to reflect our two distinct roles - where ChurchSuite is a Processor to you, the customer Controller; but also where ChurchSuite is a Controller and you, our customer, are a data subject. Essentially the Terms of Service is the written contract that exists between controller and processor, as required by the GDPR, and more clearly sets out our respective rights, duties and obligations. The new Terms are effective from 8th May 2018.
- We've added two new optional communication options - "Receive post?" and "Receive telephone calls?". These can be enabled in the Address Book and Children module options. Once enabled, these are visible in ChurchSuite, My ChurchSuite and the My Consent form.
- We've introduced an affirmative "opt in to receive communications" section on the Connect and Embed "My Details" forms. Opt in is distinct from confirming they have "read and accept your privacy notice". Consent will evidenced by a confirmation email sent back to the submitter detailing what they submitted and opted into. That sent email will serve as consent evidence and will provide data subjects a further opportunity to opt out if they wish.
- Implementation of a brand new "unsubscribe" workflow that will be embedded into the email footer of all ChurchSuite emails. Recipients will be able to manage their subscription preferences or unsubscribe entirely. Key dates are now added when a person unsubscribes from any communication method.
- We've introduced new communication options to opt in/out of receiving rota reminders, as distinct from other general church communications. This is manageable within My ChurchSuite, the My Consent form, and through the 'unsubscribe/manage subscriptions' link from within emails.
- As part of our own Data Protection Impact Assessment for GDPR compliance, we've implemented new internal processes for our support team, meaning that we can only access your account when you, the data controller, enable support access. Access can be enabled and disabled by Administrators as required. When disabled, we may only be able to provide general support responses and support article links.
- We've produced a new policy (found in the footer links in ChurchSuite) called "Acceptable Use Policy". This is essentially a helpful list of "do's and don'ts" for users who are otherwise only indirectly bound by the Terms of Service that exists between us and you the data controller. The acceptable use policy provides data controllers and their users some basic "ground rules" of acceptable use of The Service.
- We've added a new workflow to manage ongoing consent of people in the Address Book and Children module. This comprises an email consent request to a secure page showing the personal data you currently hold about people presented in a partially-obfuscated form. Recipients can then review the form, make any changes/corrections, and submit the completed form back with their opt-in consent to your processing their data. People can also manage their communication preferences and privacy options on the form. We add a key date for the consent, add change logs as appropriate, and record a snapshot of the completed form in the communications log as a confirmation back to the submitter. We'll also trigger a notification to the data protection contact where a person invokes the 'forget me' right to be forgotten. The ongoing consent workflow is entirely independent of a church's use of My ChurchSuite and doesn't require data subjects to have a login.
- We've introduced batch actions on all Notes reports throughout ChurchSuite's modules, making it much easier to review historic notes and, where they are no longer deemed necessary, to bulk-delete those notes.
- We've added batch actions to the Archived Contacts and Archived Children reports to make it easier to bulk-delete archived contacts and children.
- We've added a Communication Options report to the Children module to make it easier to bulk-manage the communication options of children and unlinked parents.
- We've added a Changes Log to the children Visitors report in the Children module, so you can more clearly see the trail of changes made to visitor children details by your users.
- We've introduced the option to override communication preferences when sending emails and SMS - ideal where you have a compelling reason or another lawful basis for communicating that doesn't require consent e.g. legitimate interest or legal obligation. When composing a message and selecting "Do not respect communication settings" the user is required to provide a "reason", which is included in the email footer - "You have received this message because [reason]". The reason is included in the sent communication history.