ChurchSuite and GDPR
The General Data Protection Regulation (GDPR) came into effect on 25th May 2018 and introduces a number of significant changes that impact the way an organisation processes personal data for EU citizens.
How can ChurchSuite help you with GDPR compliance?
We're committed to ongoing development of functionality to help churches comply with data protection best-practice and compliance with prevailing legislation. Obviously ChurchSuite isn't responsible for your organisation's compliance and certainly the GDPR extends to far more than just your organisation's use of ChurchSuite!
The remainder of this article summarises some of the key GDPR features we introduced to the platform to help organisations with compliance as they use ChurchSuite. Not in any particular order...
- We now log all My ChurchSuite password reset requests against the Address Book contact, and we log all user password reset request against the User's profile.
- When viewing people in your database we've made it much clearer for you to see how and when new people are added to your database. You can now see the "created by" user/date/time stamp when viewing a contact, child or giver's profile page. Previously this was only visible when editing a person. Now located under the 'Recent Activity' section you can see at a glance when a person was first added to your database and how/by whom.
- You can add your Data Protection statement (privacy notice) that will be made accessible on all public-facing forms through which people might submit personal information into your ChurchSuite account.
- We've added a clear 'opt in' checkbox, linked to your Data Protection statement, for all public-facing forms where personal data is submitted into ChurchSuite, including Donate, the Connect "My Details" form, the Embed "My Details" form, Group sign-up, Visitor child check-in, Event pages with sign-up, and the customer-facing Booking pages. Data subjects are unable to submit the form without ticking a checkbox to confirm they have read, understood and accepted your privacy notice.
- We've added the Data Protection statement set in your account profile to the Privacy Settings section within My ChurchSuite, so that it's accessible to your church members.
- We've introduced a new Data Protection contact to the list of ket Contacts for your account. The Data Protection contact is used for certain GDPR-related workflow notifications e.g. "Delete account" requests received from data subjects. By default the Data Protection contact is populated with your Account Contact details.
- We've adding additional "Receive email/SMS?" opt in/out communication settings for unlinked givers and unlinked parents.
- We now always send a confirmation email back to a data subject whenever personal information is submitted through any public-facing ChurchSuite forms – this applies to event sign-up, the Connect "My Details" form, the embeddable "My Details" form, Small group sign-up, Visitor child check-in and Donate. Confirmation emails include a snapshot of personal data submitted, presented in a partially obfuscated format – so you can easily see what the form looked like at the point of submission. These confirmation emails are logged in each person's 'sent' communications, providing a historic audit trail of what data came into your possession, when and how. The confirmation email also serves as double confirmation for data subjects, ensuring their data was submitted as expected.
- When resetting a password from within ChurchSuite (either when a user resets their own password, or when an Administrator resets another user's password), we now show a password strength indicator so that you can see at a glance whether your password really is the best-compliance, secure option!
- We've added "Settings" to each module's Reports section, which allows Administrators to easily disable a report that your organisation would prefer not to use and doesn't want to collect unnecessary data for. Further settings can prevent users from exporting a report (i.e. download or print) or communicating from the report. Essentially we've made it easier for you to manage the flow of personal data going out of your ChurchSuite account. Currently report settings apply to all users and administrators, i.e. it's an on/off switch.
Following a full review of our changes logs, we've implemented additional logging to provide much more detailed audit trails of precisely how a person was added to ChurchSuite, and by whom. For example, when an event sign-up is added to your Address Book from the event in the Calendar module we show the event that person was added from and the user that performed the action...
...or perhaps when a child visitor is added to your Children module from the Visitors report...
...or when an existing unlinked parent is added as a new contact in your Address Book from the child's profile page...
When moving a contact to the Children module, or a child to the Address Book, we now maintain a more detailed changes log history in the Recent Activity section.
- We've added a module password option to all the modules. In this way you can add an extra layer of security to any module. Any user, including administrators will be unable to access the module without the correct module password.
- The "Sex" field can now be set as optional on the My Details newcomer form for Connect and Embed. This will be helpful if a person's sex is personal data that you do not wish to process.
- The following Children module fields are now optional and can be disabled on your account if you don't wish to process this category of personal data within ChurchSuite: school, special needs, doctor details and additional information fields.
- Givers can now manage their own online recurring donation subscriptions within the My Giving section of My ChurchSuite; perhaps to cancel an existing direct debit in order to create a new one, or to manage their recurring card donations, including changing the amount, adding an end date to their subscription, cancelling their donation entirely, or changing their payment card. Helpful change logs are recorded in the Giving module, including a confirmation of the changes to the giver.
- We've added a "Delete account" request option to the My Details section within My ChurchSuite. No personal data is auto-deleted if requested; instead a notification is sent to the Data Protection contact, a key date is added in the Address Book, email/SMS is opted out, My ChurchSuite access is revoked, and the person is immediately logged out of My ChurchSuite.
- We've implemented some visual changes to the My Details section of My ChurchSuite and for child profiles in My Children within My ChurchSuite. We've separated out sections for Details, Login and Privacy, and have introduced a new Communication section for managing communication options.
- We've updated ChurchSuite's Terms of Service to reflect the GDPR, incorporating the compulsory terms set out by the ICO. We've made things much clearer to reflect our two distinct roles – where ChurchSuite is a Processor to you, the customer Controller; but also where ChurchSuite is a Controller and you, our customer, are a data subject. Essentially the Terms of Service are the written contract that exists between controller and processor, as required by the GDPR, and more clearly sets out our respective rights, duties and obligations.
- We've added two new optional communication options – "Receive post?" and "Receive telephone calls?". These can be enabled in the Address Book and Children module options. Once enabled, these are visible in ChurchSuite, My ChurchSuite and the My Consent form.
- We've introduced an affirmative "opt in to receive communications" section on the Connect and Embed "My Details" forms. Opt in is distinct from confirming they have "read and accept your privacy notice". Consent will evidenced by a confirmation email sent back to the submitter detailing what they submitted and opted into. That sent email will serve as consent evidence and will provide data subjects a further opportunity to opt out if they wish.
- We've implemented a brand new "unsubscribe" workflow that is embedded into the email footer of all ChurchSuite emails. Recipients are able to manage their communication options or unsubscribe entirely. Key dates are added against their Address Book profile when they unsubscribe from any communication method.
- We've introduced communication options to independently opt in/out of receiving rota reminders, as distinct from all other general church communications. This is manageable by data subjects within My ChurchSuite and on the My Consent form, by Users in ChurchSuite, and through the "unsubscribe/manage communication" link from within emails.
- As part of our own Data Protection Impact Assessment for GDPR compliance, we've implemented new internal processes for our support team, meaning that we can only access your account when you, the data controller, enable support access. Access can be enabled and disabled by Administrators as required. When disabled, we may only be able to provide general support responses and support article links.
- We've produced a new policy (found in the footer links in ChurchSuite) called "Acceptable Use Policy". This is essentially a helpful list of "do's and don'ts" for users who are otherwise only indirectly bound by the Terms of Service that exists between us and you the data controller. The acceptable use policy provides data controllers and their users some basic "ground rules" of acceptable use of The Service.
- We've added a new workflow to manage ongoing consent of people in the Address Book and Children module. This comprises an email consent request to a secure page showing the personal data you currently hold about people presented in a partially-obfuscated form. Recipients can then review the form, make any changes/corrections, and submit the completed form back with their opt-in consent to your processing their data. People can also manage their communication preferences and privacy options on the form. We add a key date for the consent, add change logs as appropriate, and record a snapshot of the completed form in the communications log as a confirmation back to the submitter. We'll also trigger a notification to the data protection contact where a person invokes the 'forget me' right to be forgotten. The ongoing consent workflow is entirely independent of a church's use of My ChurchSuite and doesn't require data subjects to have a login.
- We've introduced batch actions on all Notes reports throughout ChurchSuite's modules, making it much easier to review historic notes and, where they are no longer deemed necessary, to bulk-delete those notes.
- We've added batch actions to the Archived Contacts and Archived Children reports to make it easier to bulk-delete archived contacts and children.
- We've added a Communication Options report to the Children module to make it easier to bulk-manage the communication options of children and unlinked parents.
- We've added a Changes Log to the children Visitors report in the Children module, so you can more clearly see the trail of changes made to visitor children details by your users.
- We've introduced the option to override communication preferences when sending emails and SMS – ideal where you have a compelling reason or another lawful basis for communicating that doesn't require consent, e.g. legitimate interest or legal obligation. When composing a message and selecting "Do not respect communication settings" the user is required to provide a "reason", which is included in the email footer – "You have received this message because [reason]". The reason is included in the sent communication history.
- We've introduced Multi-Factor Authentication for User accounts.