Many countries are either introducing new data protection and privacy regulations or enhancing the protections included in existing laws. We’ve listed some of the laws and regulations that may be important to YGG and to our clients:
YGG is taking steps both to keep up with changes to international data protection and privacy laws and regulations, and to assist its clients in meeting their obligations.
We explain how we are doing this below.
The General Data Protection Regulation (GDPR) is the EU Regulation that became effective on 25 May 2018. It extended the application of EU data protection law beyond EU territorial borders, enhanced the protection of personal information processed by data controllers and processors, increased the rights of data subjects, and introduced harsher penalties for violations.
Tithe.ly has been working to ensure it is GDPR compliant and that it meets the requirements of other data protection laws. This has involved us making some changes to the way we do things.
Please read this carefully as there are changes which affect all our clients and there are actions you should take.
The main changes we've made are:
Each of these changes is explained in more detail below.
At Tithe.ly, our core values include fairness and transparency. We've worked hard to not only make sure we meet all relevant legal requirements but also provide a service that supports our values and meets your expectations.
Tithe.ly has also updated its Terms of Service, to ensure it meets data protection obligations and to more properly cover all products and services. Changes made include the following:
These amendments come into effect on 31 October 2019. After that date, your continued use of the services will be subject to these new Terms of Service.
Tithe.ly uses the following companies to assist us in providing you with services. For the purposes of the GDPR, these companies are known as processors or sub-processors. We reviewed the privacy compliance status of these processors and sub-processors to ensure that, by sending personal data to them for processing, Tithe.ly would not be in breach of its GDPR obligations or of other data protection laws that restrict the transfer of personal information.
The United States and the European Union reached an agreement to enable the transfer of personal data from a processor in the European Union (such as Tithe.ly) to a processor or sub-processor in the United States that has self-certified its adherence to certain principles promulgated by the US Department of Commerce. The arrangement is known as the EU-US Privacy Shield.
If a sub-processor certifies its adherence to the EU-US Privacy Shield, personal data may be sent from the EU to that processor or sub-processor for processing.
Tithe.ly is required to document certain information about its processing activities, for example under Article 30 of the GDPR. In particular, the GDPR obliges Tithe.ly to maintain information concerning those of our clients who are controllers for the purposes of the GDPR. A "controller" is an entity that, alone or jointly with others, determines how and why personal data are processed.
We're required to keep additional data for our Processing Register. If you are a customer who needs to abide by the GDPR, please update this information to make sure our record is correct. Please email the details below to email@example.com.
If applicable, any joint controllers of the data.
Data Protection Officer
Person designated, where applicable, to facilitate compliance with the provisions of the General Data Protection Regulation (GDPR), which defines the criteria and the conditions under which a data protection officer shall be designated.
Person designated, where applicable, to represent customers not established in the EU with regard to their obligations under the General Data Protection Regulation (GDPR).
Where does Tithe.ly store EU customer data?
Although the GDPR does not require us to store customer data in the EU, we have nonetheless stored EU customer data for our Church Management (ChMS) product in Dublin, Ireland for a number of years.
For our other products, we store EU customer data in the United States and Canada.
Do you offer your customers a Data Processing Agreement?
Yes. Our Terms of Service now include the Data Processing Agreement provisions that we, as a processor, need to have in place with each of our church clients who are controllers.
How does Tithe.ly secure my data?
We have implemented organizational and technical safeguards to secure our users' data, in compliance with GDPR requirements.
What should I do to be GDPR-ready?
If you are a church that stores the personal data of EU citizens, then you will need to also comply with the GDPR. If you are just getting started with GDPR compliance in your church or organization, here's a quick to-do list to keep in mind.
Who does the GDPR apply to?
GDPR applies to any organization that works with the personal data of EU residents. This law introduces new obligations for data processors while clearly stating the accountability of data controllers.
Where does the GDPR apply?
This law doesn't have territorial boundaries. It doesn't matter where your organization is based: if you process the personal data of EU data subjects, you come under the jurisdiction of the law.
What are the penalties for non-compliance?
A breach of the GDPR incurs a fine of up to 4% of annual global turnover or €20 million (whichever is greater).
Who are the key stakeholders?
What is personal data or Personally Identifiable Information (PII)?
Any information relating to an identified or identifiable natural person. Identifiers are classified into two types: direct (e.g. name, email address, phone number) and indirect (e.g. date of birth, gender).
What are the key changes from the previous regulations?
New & enhanced rights for data subjects - This law gives an individual the right to exercise complete authority over their personal data. Some of the rights highlighted in the regulation are:
Obligations of the processors - GDPR has raised the bar for the responsibilities and liabilities of data processors as well. Processors must be able to demonstrate compliance with the GDPR and they must follow the data controller's instructions.
Data Protection Officer - Organizations may need to appoint a staff member or external service provider who is responsible for overseeing GDPR, general privacy management compliance and data protection practices.
Privacy Impact Assessments (PIA) - Organizations must conduct privacy impact assessments of their large-scale data processing to minimize the risks and identify measures to mitigate them.
Breach notification - Controllers must notify the stakeholders (the supervisory authority, and where applicable, the data subjects) within 72 hours of becoming aware of a breach.
What are you doing about Brexit and Data Protection Rights?
We keep a watching brief on the Brexit negotiations. At this stage, we do not believe that a no-deal Brexit should have any significant impact on our operations in either the UK or EU.
We will continue to comply with both the Data Protection Act 2018 (UK) and the GDPR.
If you have any questions about the changes we have made or how we are meeting or can help you meet your data protection obligations, please contact us at firstname.lastname@example.org.