Elvanto + GDPR

What is the General Data Protection Regulation (GDPR)?

The General Data Protection Regulation (GDPR) is a new EU Regulation which will replace the 1995 EU Data Protection Directive (DPD) to significantly enhance the protection of the personal data of EU citizens and increase the obligations on organisations who collect or process personal data. It will come into force on 25th May 2018.

The regulation builds on many of the 1995 Directive's requirements for data privacy and security, but includes several new provisions to bolster the rights of data subjects and add harsher penalties for violations.

GDPR Preparation and Changes

As you may know, Elvanto has been working to ensure it is GDPR compliant. This has involved us making some changes to the way we do things.

Please read this carefully, as there are changes which affect all our Church clients and your members, and there are actions you should take.

The main changes we've made are:

  • We've got a new privacy policy that explains in clear terms how we collect and handle personal information;
  • We've updated our terms of service to include the provisions we're required to (i.e. the terms of the Data Processing Agreement that we as a processor need to have with each of our Church clients);
  • We've set up a processing register with details of our Church clients which must be updated via your Account Settings;
  • We've made some new appointments, including a Data Protection Officer and an EU Representative;
  • We've adopted some new internal policies to make sure we can help Churches support the rights of their members under the new privacy laws.

Each of these changes is explained in more detail below.

At Elvanto, our core values include fairness and transparency. We've worked hard to not only make sure we meet all relevant legal requirements but also provide a service that supports our values and meets your expectations.

We think it's important that Church Members are aware of the role that Elvanto plays in supporting their Church administration. We suggest that our Church clients let their members know they are using Elvanto. Transparency about how we support your Church's mission helps ensure clarity around how individuals' personal information is being handled.

Please let us know if you have any other concerns or queries. We're happy to talk more about the new measures we've put in place to make sure your information is dealt with in accordance with all legal obligations and your expectations.

Privacy Policy

Elvanto has created a new EU Privacy Policy which meets the requirements of the GDPR. We also took the opportunity to simplify our Non-EU Privacy Policy and make it easier to read. The new privacy policies will come into effect on May 25th, 2018 and your continued use of the services will be subject to the new policies.

The privacy posture of Elvanto's sub-processors was assessed. These are the companies we use to help provide some of our services and to whom we may send personal data. We have included a summary of our findings below.

Legal Terms

Elvanto's legal terms of service have been amended, including by the insertion of mandatory GDPR data processing terms. These amendments will come into effect on 25 May 2018. The changes are summarised below. Please note that if you are not located in the EU, the GDPR changes do not apply to you.

More information on changes to legal terms.

Processing Register

We need to collect and maintain certain information about the data we hold for each of our Church clients.

If you could check that the data we hold is accurate and update it when it changes, that would really help us meet our obligation to ensure this data is accurate and up-to-date.

More information on Processing Register.

New Appointments

Elvanto has appointed a Data Protection Officer and an EU Representative. If you have any concerns about how Elvanto is dealing with personal information in any way, then please feel free to contact us directly, or our Data Protection Officer or EU Representative.

Contact details are below:

EU Representative

DPR Group

1-2 Marino Mart
Fairview, Dublin 3
Ireland

Email: elvanto@dpr.eu.com

Online form

Mail to an address from this list.

Data Protection Officer

Dr Jodie Siganto
Ringrose Siganto Consulting Pty Ltd (ABN 33 614 810 105)

Unit 2/12 Abercrombie St
Rocklea QLD 4106
Australia

Email: jodie.siganto@ringrosesiganto.com.au

Questions?

If you have any questions about the changes Elvanto has made to meet its GDPR obligations, please contact us at legal@elvanto.com.

Processing Register

Elvanto is required to document certain information under Article 30 of the GDPR. In particular, the GDPR obliges Elvanto to maintain information concerning those of our clients who are controllers for the purposes of the GDPR. A "controller" is an entity that, alone or jointly with others, determines how and why personal data are processed. We consider that our church clients who:

  • are based in the EU and use Elvanto services for or on behalf of their members; or
  • are not based in the EU but have members who are located in the EU, and use Elvanto services for or on behalf of their members,

are controllers.

We have included additional fields in the 'Legal and Compliance' part of your Elvanto Account Settings to collect the information we're required to keep. We've created an article on how to access this form. Please update this information to make sure our records are accurate.

Questions?

If you have any questions about this requirement, please contact us at legal@elvanto.com.

Frequently Asked Questions

Where does Elvanto store EU customer data?

Although the GDPR does not require us to store customer data in the EU, we have been doing this anyway by storing our EU customer data in Dublin, Ireland for a number of years now.

Do you offer your customers a Data Processing Agreement?

Yes! Within our legal terms of service, we have added provisions of the Data Processing Agreement that we as a processor need to have with each of our Church clients who are controllers.

How does Elvanto secure my data?

We have implemented organizational and technical safeguards to secure our users' data, in compliance with GDPR requirements. For more information on security at Elvanto, please see our Security FAQs page.

What should I do to be GDPR-ready?

If you are a church that stores the personal data of EU citizens, then you will need to also comply with the GDPR. If you are just getting started with GDPR compliance in your church or organization, here's a quick to-do list to keep in mind.

  • Create a data privacy team to oversee GDPR activities and raise awareness
  • Review current security and privacy processes in place & where applicable, revise your contracts with third parties to meet the requirements of the GDPR
  • Identify the Personally Identifiable Information (PII)/Personal data that is being collected
  • Analyze how this information is being processed, stored, retained and deleted
  • Assess the third parties with whom you disclose data
  • Establish procedures to respond to data subjects when they exercise their rights
  • Establish & conduct Privacy Impact Assessment (PIA)
  • Create processes for data breach notification activities
  • Maintain continuous employee awareness, which is vital to ensure ongoing compliance with the GDPR

Who does the GDPR apply to?

GDPR applies to any organization that works with the personal data of EU residents. This law introduces new obligations for data processors while clearly stating the accountability of data controllers.

Where does the GDPR apply?

This law doesn't have territorial boundaries. It doesn't matter where your organization is from — if you process the personal data of subjects of the EU, you come under the jurisdiction of the law.

What are the penalties for non-compliance?

A breach of the GDPR incurs a fine of up to 4% of annual global turnover or €20 million (whichever is greater).

Who are the key stakeholders?

  • Data subject - A natural person residing in the EU who is the subject of the data
  • Data controller - Determines the purpose and means of processing the data
  • Data processor - Processes data on the instructions of the controller
  • Supervisory authorities - Public authorities who monitor the application of the regulation

What is personal data or Personally Identifiable Information (PII)?

Any information relating to an identified or identifiable natural person. The identifiers are classified into two types: direct (e.g., name, email, phone number, etc.) and indirect (e.g., date of birth, gender, etc.).

What are the key changes from the previous regulations?

New & enhanced rights for data subjects - This law gives an individual the right to exercise complete authority over their personal data. Some of the rights highlighted in the regulation are:

  • Explicit consent: Data subjects must be informed about how their personal data will be processed. Organizations must make it as easy for data subjects to withdraw their consent as it is to grant it.
  • Right to access: At any point in time, the data subject can ask the controller what personal data is being stored or retained about him/her.
  • Right to be forgotten: The data subject can request the controller to remove their personal information from the controller's systems.
  • Data portability: The controller must be able to provide data subjects with a copy of their personal data in machine readable format. If possible, they must be able to transfer the data to another controller.

Obligations of the processors - GDPR has raised the bar for the responsibilities and liabilities of data processors as well. Processors must be able to demonstrate compliance with the GDPR and they must follow the data controller's instructions.

Data Protection Officer - Organizations may need to appoint a staff member or external service provider who is responsible for overseeing GDPR, general privacy management compliance and data protection practices.

Privacy Impact Assessments (PIA) - Organizations must conduct privacy impact assessments of their large-scale data processing to minimize the risks and identify measures to mitigate them.

Breach notification - Controllers must notify the stakeholders (the supervisory authority, and where applicable, the data subjects) within 72 hours of becoming aware of a breach.