What has your church done about GDPR?

Status
Not open for further replies.

jwithnell

Moderator
Staff member
I'd love to see how other churches have handled the new international security/privacy regulations for websites. The new laws are even making me wonder if a broader web security policy is needed for a congregation.

So my question has two parts: how are you clearly disclosing the privacy standards you use? Do you have an electronic information policy in place?

My initial reaction to GDPR was, that's simple: we already say upfront we're a local church. But our analytics clearly show European and other visitors.

My next strategy was a low-keyed approach: show we don't collect info unless people are registering for an event like VBS. State that our web service provider uses non-identifying info to provide analytics, then give a link to the Squarespace policies. (That's what I thought I could easily publish tonight. Ha!)

(Likely you've seen a bunch of pop-ups that require the end-user to affirm he has seen and agrees to the website's privacy policies. I REALLY don't want to make people jump through a loophole to visit our site. I suspect privacy laws are much like environmental laws: the concern is disclosure, not tying people up in bureaucratic knots then say we've done our job.)

Now I'm realizing that our data is not being handled securely. For example, the forms from our website dump data into a Google spreadsheet and into whatever email system a ministry leader wants. Third-party apps for e-invites etc. are spam and security nightmares.

So what have y'all done?
 
I was hoping it wouldn't be! It's probably healthy to recognize our responsibility to the end user.
 
not tying people up in bureaucratic knots then say we've done our job.

I'd disagree on this one. While Ayn Rand got much wrong, she got this right:


"Did you really think we want those laws observed?" said Dr. Ferris. "We want them to be broken. You'd better get it straight that it's not a bunch of boy scouts you're up against... We're after power and we mean it... There's no way to rule innocent men. The only power any government has is the power to crack down on criminals. Well, when there aren't enough criminals one makes them. One declares so many things to be a crime that it becomes impossible for men to live without breaking laws. Who wants a nation of law-abiding citizens? What's there in that for anyone? But just pass the kind of laws that can neither be observed nor enforced or objectively interpreted – and you create a nation of law-breakers – and then you cash in on guilt. Now that's the system, Mr. Rearden, that's the game, and once you understand it, you'll be much easier to deal with."
 
Breaking what laws exactly? My experience in working with one area of the law -- the National Environmental Policy Act -- showed me that people may accept practices like rote, jargon letters and dull, stiff meetings as required. Can you show me where the new (EU) law requires this? Can you share what you have developed for your church in response? We're all out of compliance if we didn't have this done by the end of May.
 
We're all out of compliance if we didn't have this done by the end of May.

Jean:

I am a neophyte when it comes to such things (so it's likely I am missing something obvious), but I don't quite see how this applies to non-commercial enterprises.

If our church is selling nothing to the EU but simply has a website for information purposes, how would the new regulations impact us?

Peace,
Alan
 
@Semper Fidelis may weigh in here, but if you have a site that can register visitors even if you don't take commercial orders (like for commenting on a blog), or even if not, you have to disclose cookie policy and other things, I think, to not get a complaint, possibly as unlikely as it may be. There is conflicting info also on emailing. I read something that said you had to get an accept date from even your legacy customers if you didn't have anything explicit, and then was told by someone in the UK that was not necessary and may actually violate their law (! catch-22 if you need an acceptance date and if you can't ask them again).
 
This is a ROUGH draft of the text I'm developing. I will want to run this by the session along with a potential information privacy policy.

"Bethel Orthodox Presbyterian is simply a church local to Leesburg, Virginia, USA. We are here to tell you the good news of Jesus Christ, to give you the opportunity to worship and serve Him, and to invite you to become part of a loving, local community that glorifies God in all areas of life.

Here’s the fine print required by some nations reached by our website, Bethelpres.com

We collect identifying personal information only when you provide it to attend an event such as vacation Bible school. That information is used by event planners and the church’s administration; it is not intentionally shared outside the church for any reason.

Some ministries within the church use outside signup apps or services. If you are uncomfortable using these, please email us [place button] and we will put you directly in contact with the ministry leader in charge of the event.

Our web service provider, Squarespace, uses cookies to tell us how well the website is working. Their data provides general, non-identifying information about who is visiting us so we may serve you better. For more information about their policy, please see [link block] https://support.squarespace.com/hc/en-us/articles/360001264507

Bethelpres.com has installed the latest in security protocols (two-factor authentication for those of you who want the technical information) to keep intruders from getting into the website and what little data is stored on-site.
 
Hmmm, I guess I shouldn't be surprised the long arm of Adobe is in the mix. Seems like they supply typefaces for SS templates and I have a personal subscription so it could come from either place. Sigh.
 