Is your church ready for GDPR?

May 30, 2018 by  
Filed under Featured, News, Research

You’ve probably heard about GDPR. The new European data protection regulation that applies practically to everyone entered in power on May 25, 2018. Especially if you operate a church or ministry website, it’s most likely that there’s already a process for getting your systems in compliance with the regulation.

GDPR in effect adds to or supersedes existing legislation on data protection, which up to this point has been provided by the Data Protection Act 1998 (DPA) and the Privacy and Electronic Communications Regulations 2003. The regulation is basically a law that must be followed in all European countries (but also applies to non-EU organizations that have users in the EU). In this particular case, it applies to companies that are not registered in Europe, but are having European customers. So that’s most church organizations. The GDPR introduces a stronger requirement on accountability for data controllers. This means that you must be able to show that you are complying with the principles by providing evidence. For example, where you process on the basis of consent, you should to store those consents. Since consent should be specific to a “purpose”, you may need separate consent to cover different areas of data processing within the life of the church

The impact is going to be huge as there are a number of very significant changes that will impact every organization that processes data inside the EU. This includes the Church, which has been that in most cases, very poor at complying with legislation. If your church organization or church website process personal information, of any kind, inside the EU, GDPR applies to you. This applies to Churches who are owned/run from outside the EU. If you process any data in the EU like website visitors, live broadcast viewers or attendance, GDPR needs to be on your radar.

Though, GDPR allows religious (amongst others) not-for-profit bodies to process data without specific consent as long as it relates only to members or former members (or those who have regular contact with it in connection with, there is still a great risk. Data that “reveals religious belief” becomes special category data – which requires additional care with regard to processing. Reveling of “religious belief” should not be assumed simply because someone attends church or church events, becomes a “friend” or gives money to a church. However, where someone is required to have affirmed belief (e.g. that they are baptized or that they are a member of the Church) e.g. processing of the electoral roll, then this could be argued to reveal religious belief.

In regard of this, the rights of the user/client (referred to as “data subject” in the regulation) under the new GDPR law are:

  • the right to erasure (the right to be forgotten/deleted from the system),
  • right to restriction of processing (keep the data, but mark it as “restricted”)
  • the right to data portability (export data in a machine-readable format),
  • the right to rectification (the ability to get personal data fixed),
  • the right to be informed (human-readable information, rather than privacy terms)
  • the right of access (the user is able to see all the data you have about them).

Additionally, the relevant basic principles are:

  • data minimization (do not collect more data than necessary),
  • integrity and confidentiality (all security measures to protect data)
  • measures to guarantee that the data has not been inappropriately modified.

To set some context, it may be helpful to ask, “Whose data is it?” If we believe that the data we hold on our systems belong to us then we are likely going to be resistant to GDPR. If we are 100% clear that each person’s personal data belongs to that individual alone, and that we are custodians of their data, then we’ll likely have a much healthier response to GDPR. When we see ourselves as custodians, charged with a “trust,” we’ll likely want to do our very best when we receive, store and process people’s personal data. And also be more ruthless about removing any data that we don’t wish to hold within that trust.

The legal basis for processing data is premised on one or more of six conditions:

  • consent of the data subject
  • performance of any contract with the data subject relating to it
  • compliance with a legal obligation
  • that the vital interests of the data subject are protected
  • that the data acquired and held is needed for the performance of a task carried out by the organization in the public interest
  • that the legitimate interests of data subjects are protected

None of the other requirements of the regulation have an exception depending on the organization size, so “I’m small, GDPR does not concern me” is a myth. “Personal data” is basically every piece of data your organization has collected that can be used to uniquely identify a person.

Just an every day example, Google Maps shows you your location history – all the places that you’ve been to. Displaying your church’s map allows visitors to find you but also records their intent of movement history on any electronic device that can lock a GPS location (this includes any PC with internet connection too). It is still the visitor’s personal information that GDPR allows storing only under certain legal conditions.

An individual can object at any time to you using their personal information for:

  • Direct Marketing (including fundraising). If an individual objects to you using their data to contact them for this purpose then you must cease immediately. There are no exemptions.
  • Scientific, historical, research or statistical purposes. You can have an exemption from this if you have a legitimate need to keep processing it, e.g. you need to send Gift Aid information to HMRC.
  • A ‘legitimate interest’ of the church (ex. video broadcast, family events, small group home gatherings, fund raisers, prayer call campaigns, etc.).

Age check – GDPR introduces special protection for children’s personal data. Broadly, for a child there will be a need to have consent from a parent or guardian in order to process any data lawfully. You should ask for the visitor’s age, and if the user is a child, you should ask for parent permission.

Keeping data for no longer than necessary – if your church collects the data for a specific purpose (e.g. product purchase, email campaign, call list, etc.), you have to delete it/anonymize it as soon as you don’t need it. Many churches offer welcoming package, registration, online offering, etc. The visitor’s consent goes only for the particular item for which you are obligated to keep a consent form.

Cookies – Every basic website nowadays use a number of different types of cookies. They are all subject of a different regulation (a Directive that will soon become a Regulation). However, GDPR still changes things when tracking cookies are concerned. I’ve outlined my opinion on tracking cookies in a separate post.

Encrypt the data in transit – means that communication between your application layer and your database (or your message queue, or whatever component you have) should be over TLS.

Encrypt the data at rest – this again depends on the database (some offer table-level encryption), but can also be done on machine-level

Implement pseudonymisation – the most obvious use-case is when you want to use production data for the test/staging servers. You should change the personal data to some “pseudonym”, so that the people cannot be identified.

Don’t log personal data – getting rid of the personal data from log files (especially if they are shipped to a 3rd party service or a plugin.

Above all, DO NOT use data for purposes that the user hasn’t agreed!

Finally, GDPR mandates identification and notification of breaches of the regulation to the individual, and sometimes the national regulator (the Information Commissioner’s Office, ICO) within 72 hours. The maximum fine for organizations which breach the regulation will be €20 million. Quite apart from anything else, this should give charity trustees pause for thought.

Where to begin? Start with the following questions and actions:

  1. Does your collection and use of personal or sensitive data fall within the “purposes” of your current Data Protection policy?
  2. Are there current uses that fall outside the current scope?
  3. Are your policy’s stated “purposes” sufficiently broad enough to cover all your ministry and activity? Highlight any areas that need further expansion in your policy.
  4. Note down any third party “processors” that use or further process the personal data like: Book keeper, WordPress, MailChimp, Planning Center, Stripe, GoCardless, Textlocal.
  5. Identify and list all the ways your church adds personal data into each module, including contact details, attendance or tracking data, and notes.
  6. Note any additional processing of information you carry out in your admin workflows within each module, such as communications you send, notifications to others in your church that get triggered, and any reports you produce and distribute in those workflows.
  7. Are there any areas of “bad practice” or risk that needs addressing? For example, using images from people’s social media profiles without consent or audio/video and live broadcast recordings of the same. Notes that express opinion rather than fact, or where consent has not been obtained for all of these.
  8. In respect of handling personal data, how do your church’s procedures demonstrate accountability practices?
  9. Are any changes communicated to those in your church or team that need to know?
  10. If you were a newcomer to your church, would you as a newcomer be clear at every point of submitting your personal data, what the church’s privacy notice and data protection policy is? Would you feel sufficiently informed about how your data will be used and would know how you could opt out if you wanted to?

Common sense disclaimer: This article is not legal advice. You need to contact your church attorney for a complete evaluation and action guide on how to fully protect your organization.

2018 Annual Conferences of Bulgarian Churches in America

May 25, 2018 by  
Filed under Featured, Missions, News

bulgarian-churchThe congregations within the Alliance of the Bulgarian Evangelical Churches in North America meet every Memorial Day weekend for an annual conference:

  1. Dallas (2002)
  2. Chicago (2003)
  3. Minneapolis (2004)
  4. Los Angeles (2005)
  5. Dallas (2006)
  6. Chicago (2007)
  7. Minneapolis (2008)
  8. Los Angeles (2009)
  9. Houston (2010)
  10. Las Vegas (2011)
  11.  Chicago (2012)
  12. Dallas (2013)
  13. Minneapolis (2014)
  14. Las Vegas (2015)
  15. Houston (2016)
  16. Chicago (2017)
  17. Jacksonville (2018)

READ ALSO:

15th Annual Conference of Bulgarian Churches in North America Building Bridges to Church and People in Bulgaria

May 30, 2016 by  
Filed under Events, Featured, News

Huston

Annual Conferences of Bulgarian Churches in America

May 25, 2014 by  
Filed under Featured, Media, News

bulgarian-churchIn the summer of 2002 the pastors of the Bulgarian churches in North America came together for their first meeting in Dallas, TX. As a result, an organization called the Alliance of the Bulgarian Evangelical Churches in North America was established as a first step toward networking between the churches. The churches within the Alliance has met over Memorial Day weekend every year since then as follows:

2002 – Dallas
2003 – Chicago
2004 – Minneapolis
2005 – Los Angeles
2006 – Dallas
2007 – Chicago
2008 – Minneapolis
2009 – Los Angeles
2010 – Houston
2011 – Las Vegas
2012 – Chicago
2013 – Dallas
2014 – Minneapolis
2015 – Las Vegas
2016 – Houston
2017 – Chicago

READ ALSO:

Annual Conference of the Bulgarian Churches in North America

May 25, 2013 by  
Filed under Events, Featured, News

Comments Off on Annual Conference of the Bulgarian Churches in North America

bulgarian-churchBulgarian Churches in the United States meet this weekend for their annual conference in Dallas, Texas. They are hosted by the local Assemblies of God as the Bulgarian churches represent Full Gospel, Foursquare, the Church of God and independent works. Currently, there are regular Bulgarian church meetings in Chicago, Dallas, Houston, Las Vegas, Los Angeles and Minneapolis. Through the years, small groups have sporadically started meetings in Buffalo, St. Louis, Seattle and three places in Florida: Ft. Lauderdale, Tampa and Jacksonville. Through the years, we have assisted with the church projects in Atlanta, San Francisco and Washington, D.C. There have also been attempts to restore the meetings in Washington State, where the difficulty is that most Bulgarians live in the outer suburbs.

See all Bulgarian Churches in the United States, Canada and Europe on our catalog website http://bulgarianchurches.com/

2012 South Georgia Homecoming Revival

June 1, 2012 by  
Filed under Featured, News

2012-south-ga-revival-1

2012-south-ga-revival-4 2012-south-ga-revival-3 2012-south-ga-revival-2

Speaking at the Annual Conference of the Bulgarian Christian Student Union in Lyaskovets

November 15, 2009 by  
Filed under Featured, News

lyaskovetsOn October 25, 2009 after ministering in the morning service of the Gabrovo Church of God, we traveled to Lyaskovets near Veliko Tarnovo to minister at the annual national conference of the Bulgarian Christian Student Union. The main speaker of the conference was the National Student Coordinator of the Macedonian movement, Nicolas Galevska. Other speakers included, Dr. Benjamin Peev, Zefian Nicholas from Albania, Petyo Valkov, Trife Trifonov and Dr. Dony Donev.

Dr. Donev spoke on “ChristSpace: How to Revolutionize the Internet for Christ”. The well attended session covered various topics on how to minister using the internet with special focus on the growing influence of the social networking movement and upcoming release of Google Wave. A time for questions and answer was left as a round table discussion at the end of the meeting. All present were given a souvenir ring with our website “Bibliata.TV” and encouraged to create and upload their Christian videos to this site using any camera capabilities they may have. We are thankful for the local church team who attended and filmed the event, for their work is essential for the future development for the newly started Church of God congregation in Veliko Tarnovo, where we ministered also before leaving.

Society for Pentecostal Studies Annual Meeting

March 10, 2005 by  
Filed under News

dove_gradient_dark1Cup & Cross Ministries will participate in the 34th annual conference of the Society for Pentecostal Studies. The meeting will take place on March 10-13, 2005 in Virginia Beach at the campus where Regent University, CBN and the 700 Club are located. The Society’s meeting involved world renowned scholars who study Pentecostalism, as well as doctoral students from Regent University’s renewal theology program. Cup & Cross participated in the mission’s presentation of the meeting. The full schedule can be viewed here.

2004 Annual Ministry Report

December 12, 2004 by  
Filed under News

churchofgod-yambol-region

Annual Bulgarian Conference

June 1, 2004 by  
Filed under News

During Memorial Day Weekend Cup & Cross Ministries participated in the Third Annual Conference of Bulgarian Churches in North America. The conference took place on May 29-31, 2004 in Minneapolis and was hosted by the local Bulgarian Evangelical Church. Over 130 delegates from Bulgarian communities of Dallas, Chicago, Los Angeles, Montreal and Atlanta attended the event. Among the Bulgarian ministers present, there were pastors who have been persecuted along with their families as a part of the underground church in Bulgarian during the Communist Regime.

The conference began on Saturday with an introduction of the ministries present and a concert in honor of May 24, the Bulgarian holiday which celebrates the Bulgarian alphabet and culture.

The Sunday morning service was accompanied with a picnic, followed by two sessions on the topic of the conference, “The Joy of the Lord is our Strength”. The first one was presented by the pastor of the Bulgarian Church in Los Angeles, and the second one by our ministry.
During the presentation we were able to inform of some of our findings of our research.

Cup & Cross has worked with Bulgarian immigrants for the past ten years, and our team has actively and purposefully observed the Bulgarian Evangelical Churches in North America for almost three years as a part of our research. We were able to present each minister, pastor and leader of a congregation with a special copy of the results of our research. The churches were also presented with a special Bible study software prepared by our internet ministry team of which administrates www.bibliata.com.

A new ambitious goal was set to review the results and analyses provided by the research and implement them in the ministry of the local congregations through a church-planting program for Bulgarian communities in North America.

Our research called for awareness of cross-cultural challenges, immigration dynamics and interchurch relationship as well as their affect on the churches identity and ministry. The conclusion included an altar call and dedication prayer for the future of the Bulgarian Evangelical Churches in North America and especially for the second generation of Bulgarian immigrants.

It was decided that the 2005 annual conference of Bulgarian Evangelical Churches in North America will take place in Los Angeles. The conference gave us an opportunity to network with Bulgarian congregations and communities nationwide. It is our prayer that their ministry is successful and blessed in the future.