Data Protection and GDPR

Data Protection Regulation

Many countries are either introducing new data protection and privacy regulations or enhancing the protections included in existing laws. We’ve listed some of the laws and regulations that may be important to YGG and to our clients:

  • General Data Protection Regulation (GDPR), European Union.
  • Data Protection Act 2019, United Kingdom
  • Personal Information Protection and Electronic Documents Act (PIPEDA), Canada
  • Personal Data Protection Act (2012), Singapore
  • Privacy Act 1988 (Cth). Australia

YGG is taking steps to both ensure it keeps up with changes to international data protection and privacy laws and regulations, and to assist its clients in meeting their obligations.

We explain how we are doing this below.

What is the General Data Protection Regulation (GDPR)?

The General Data Protection Regulation (GDPR) is the EU Regulation that became effective on 25th May 2018 which extended the application of EU data protection laws beyond EU territorial borders,  enhanced the protections of personal information processed by data controllers and processors, increased the rights of data subjects and introduced harsher penalties for violations.

GDPR Preparation and Changes has been working to ensure it is GDPR compliant and that it meets the requirements of other data protection laws. This has involved us making some changes to the way we do things.

Please read this carefully as there are changes which affect all our clients and there are actions you should take.

The main changes we've made are:

  • We've got a new privacy poliy that explains in clear terms how we collect and handle personal information
  • We've updated our terms of service to include the provisions we're required to (i.e. the terms of the Data Processing Agreement that we are acting as a processor need to have with each of our clients);
  • We've set up a processing register with details of our clients which must be updated via your Account Settings;
  • We've made some new appointments including a Data Protection Officer, an EU Representative and a UK representative;
  • We adopted some new internal policies to make sure we can help our clients support the rights of their members under the new privacy laws.

Each of these changes is explained in more detail below.

At, our core values include fairness and transparency. We've worked hard to not only make sure we meet all relevant legal requirements but also provide a service that supports our values and meets your expectations.

Privacy Policy has updated its Privacy Policy, to ensure it meets data protection obligations and to cover all the products and services offered. We have also specifically included the sharing of personal information with members of the group in the United States.

Your continued use of the services will be subject to this new Privacy Policy.

Terms of Services has also updated its Terms of Service, to ensure it meets data protection obligations and to more properly cover all products and services. Changes made include the following:

  • the insertion of mandatory GDPR data processing terms (as required to be in place between data controllers and processors);
  • standard contractual clauses to cover the cross-border transfer of personal information wherever required;
  • provisions regarding our use of both optional and non-optional processors and sub-processors. More details of those processors and sub-processors are included below.

These amendments come into effect on 31 October 2019.  After that date, your continued use of the services will be subject to these new Terms of Service.

Processors and Sub-Processors uses the following companies to assist us provide you with services. For the purposes of the GDPR, these companies are known as processors or sub-processors. We reviewed the privacy compliance status of these processors and sub-processors to ensure that, by sending personal data to them for processing, would not be in breach of its GDPR obligations or other data protection laws that restrict the transfer of personal information.

The United States and European Union have reached agreement to enable the transfer of personal data from a processor in the European Union (such as to a processor sub-processor in the United States which has self-certified its adherence to certain principles promulgated by the US Department of Commerce. The arrangement is known as the EU - US Privacy Shield.

If a sub-processor certifies its adherence to the EU - US Privacy Shield, personal data may be sent from the EU to the processor or sub-processor for processing.

View Current Processors and Sub-Processors

Processing Register is required to document certain information about its processing activities, for example under Article 30 of the GDPR. In particular, the GDPR obliges to maintain information concerning those of our clients who are controllers for the purposes of the GDPR. A "controller" is an entity that, alone or jointly with others, determines how and why personal data are processed.

We're required to keep additional data for our Processing Register. If you are a customer who needs to abide by the GDPR, please update this information to make sure our record is correct. Please email the below details to

Church Details

  • Church Name
  • Email Address
  • Phone Number
  • Address

Joint Controllers

If applicable, any joint controllers of the data.

  • Full Name
  • Email Address
  • Phone Number
  • Address

Data Protection Officer

Person designated, where applicable, to facilitate compliance with the provisions of the General Data Protection Regulation (GDPR), which defines the criteria and the conditions under which a data protection officer shall be designated.

  • Full Name
  • Email Address
  • Phone Number
  • Address

EU Representative

Person designated, where applicable, to represent customers not established in the EU with regard to their obligations under the General Data Protection Regulation (GDPR).

  • Full Name
  • Email Address
  • Phone Number
  • Address

Frequently Asked Questions?

Where does store EU customer data?

Although the GDPR does not require us to store customer data in the EU, we have been doing this anyway by storing our EU customer data in Dublin, Ireland for a number of years now for our Church Management (ChMS) product.

For our other products, we store EU customer data in the United States and Canada.

Do you offer your customers a Data Processing Agreement?

Yes! Within our legal terms of service, we have added provisions of the Data Processing Agreement that we as a processor need to have with each of our Church clients who are controllers.

How does secure my data?

We have implemented organizational and technical safeguards to secure our users' data, in compliance with GDPR requirements.

What should I do to be GDPR-ready?

If you are a church that stores the personal data of EU citizens, then you will need to also comply with the GDPR. If you are just getting started with GDPR compliance in your church or organization, here's a quick to-do list to keep in mind.

  • Create a data privacy team to oversee GDPR activities and raise awareness
  • Review current security and privacy processes in place & where applicable, revise your contracts with third parties to meet the requirements of the GDPR
  • Identify the Personally Identifiable Information (PII)/Personal data that is being collected
  • Analyze how this information is being processed, stored, retained and deleted
  • Assess the third parties with whom you disclose data
  • Establish procedures to respond to data subjects when they exercise their rights
  • Establish & conduct Privacy Impact Assessment (PIA)
  • Create processes for data breach notification activities
  • Continuous employee awareness is vital to ensure continual compliance to the GDPR

Who does the GDPR apply to?

GDPR applies to any organization that works with the personal data of EU residents. This law introduces new obligations for data processors while clearly stating the accountability of data controllers.

Where does the GDPR apply?

This law doesn't have territorial boundaries. It doesn't matter where your organization is from — if you process the personal data of subjects of the EU, you come under the jurisdiction of the law.

What are the penalties for non-compliance?

A breach of the GDPR incurs a fine of up to 4% of annual global turnover or €20 million (whichever is greater).

Who are the key stakeholders?

  • Data subject - A natural person residing in the EU who is the subject of the data
  • Data controller - Determines the purpose and means of processing the data
  • Data processor - Processes data on the instructions of the controller
  • Supervisory authorities - Public authorities who monitor the application of the regulation

What is personal data or Personally Identifiable Information (PII)?

Any information relating to an identified or identifiable natural person. The identifiers are classified into two types: direct (e.g., name, email, phone number, etc.) and indirect (e.g., date of birth, gender, etc.).

What are the key changes from the previous regulations?

New & enhanced rights for data subjects - This law gives an individual the right to exercise complete authority over their personal data. Some of the rights highlighted in the regulation are:

  • Explicit consent: Data subjects must be informed about how their personal data will be processed. Organizations must make it as easy for data subjects to withdraw their consent as it is to grant it.
  • Right to access: At any point in time, the data subject can ask the controller what personal data is being stored or retained about him/her.
  • Right to be forgotten: The data subject can request the controller to remove their personal information from the controller's systems.
  • Data portability: The controller must be able to provide data subjects with a copy of their personal data in machine readable format. If possible, they must be able to transfer the data to another controller.

Obligations of the processors - GDPR has raised the bar for the responsibilities and liabilities of data processors as well. Processors must be able to demonstrate compliance with the GDPR and they must follow the data controller's instructions.

Data Protection Officer - Organizations may need to appoint a staff member or external service provider who is responsible for overseeing GDPR, general privacy management compliance and data protection practices.

Privacy Impact Assessments (PIA) - Organizations must conduct privacy impact assessments of their large-scale data processing to minimize the risks and identify measures to mitigate them.

Breach notification - Controllers must notify the stakeholders (the supervisory authority, and where applicable, the data subjects) within 72 hours of becoming aware of a breach.

What are you doing about Brexit and Data Protection Rights?

We keep a watching brief on the Brexit negotiations.  At this stage, we do not believe that a no-deal Brexit should have any significant impact on our operations in either the UK or EU.

We will continue to comply with both the Data Protection Act 2018 (UK) and the GDPR.

Other Questions?

If you have any questions about the changes we have made or how we are meeting or can help you meet your data protection obligations, please contact us at