
Case Study: Planning Center

How a software developer achieved Privacy by Design and protected 1,000,000s of special category records


The client

Planning Center is a 13-year-old church management software company based in San Diego, California. It serves more than 50,000 churches and ministries across the US and in many countries in Europe.

The platform has evolved from a worship scheduling tool for organising volunteers, facilities and service programmes to now including multiple applications for membership, managing donations, event registrations and child check-in tools.

As society’s anxiety over how personal data may be used or misused has grown, Planning Center had seen a rapid increase in inbound enquiries on its approach to GDPR. These came mainly from EU-based churches, but the company also received a number of enquiries from US-based customers who appreciated the risk of having US-resident EU citizens’ data in their databases.

In addition to gathering and holding enormous amounts of personal data, such as names and contact details, Planning Center also holds sensitive data on children – a particularly protected group under GDPR – as well as data that has been designated as a “special category”, such as counselling records and information on religious beliefs.

Company Information


Software Development


California, United States



The main difference in choosing Calligo was how they sit apart from most other privacy consultants. We had the impression – and this was borne out in the delivery – that the service would not be limited to auditing our processes and leaving us to interpret them and determine next steps ourselves. Nor would they simply write our privacy policies and hand us certifications. It was clear it would instead be a thorough, honest, and practical engagement, and the start of a long-term collaborative relationship.

Daniel Murphy
Planning Center

Calligo services in summary

Planning Center recognised that privacy is far too fast-moving, far-reaching and complex for them to safely assign such a specific discipline to their existing resource, even the legal team. The company therefore decided the safest course of action was to outsource this requirement to experts in the laws and their practical implementation.

Before meeting Calligo, Planning Center had met with various other service providers but found most were unsuitable. Many were only recently trained in GDPR and would offer options for courses of action, but not practical advice as they were too inexperienced to consult accurately and were wary of implicating themselves.

In contrast, Planning Center was struck by Calligo’s longstanding heritage in data privacy and its ability to offer expert advice alongside practical support.


Service 1: GDPR GAP Analysis

The first step for Calligo was to discover how Planning Center’s existing processes and technologies currently stood up to GDPR requirements. Planning Center had previously conducted a GAP Analysis through another provider, but it was shown to be insufficiently thorough and a little simplistic. Calligo therefore performed its own analysis and identified a series of quick wins, plus the areas of non-conformance that required more work.

Once the report had been presented and next steps agreed, work then began to implement resolutions. Importantly, Calligo supervised the remedial work to ensure it was carried out correctly and efficiently, rather than simply abandoning Planning Center to implement recommendations alone. Calligo was also careful not to waste Planning Center’s time with a one-size-fits-all approach. Many requirements within GDPR are simply irrelevant for many businesses, and yet many generalist approaches will require clients to take the necessary steps to align with them. Calligo instead removed meaningless tick-box exercises from the project, focusing time and resources only on activities that genuinely improved Planning Center’s ongoing adherence.

Service 2: Data Protection Officer as a Service

Because of the extreme sensitivity of the data Planning Center processes, Planning Center is required to appoint a Data Protection Officer (DPO) who must monitor the organisation’s ongoing adherence.

Today, Calligo continues to serve as Planning Center’s DPO under an outsourced service. Calligo’s duties include:

  • Advising on data protection and information security matters pertaining to the GDPR.
  • Reviewing and advising on privacy policies, procedures and documentation.
  • Monitoring the collation of records of personal data processing operations.
  • Advising on the training of staff involved in data processing operations.
  • Advising on data protection impact assessments (DPIAs), their implementation and their outcomes.
  • Serving as the contact point for data protection authorities for all data protection issues.
  • Data breach management and reporting.
  • Serving as the contact point for data subjects on privacy matters, including subject access requests.

Service 3: Privacy by Design

The value that Calligo’s GDPR project delivered was multi-faceted. Valuable knock-on effects of the work are being discovered regularly.

One example stems from Calligo’s capabilities spanning beyond just privacy. Calligo’s heritage in technology, infosecurity and information management meant that Planning Center’s entire risk profile was addressed, including how data flowed through the organisation, not just the compliance framework. Calligo then worked with the wider team at Planning Center to design and deliver a robust foundation that minimises Planning Center’s exposure to emerging and developing regulations, without sacrificing time to market. In essence, this achieved ongoing data privacy by design and default.

Planning Center has noticed that data security and privacy have now become part of the natural language of the business and embedded within its culture. The development team, for example – probably the area where it was feared GDPR would have the most obstructive impact – has shifted the point at which privacy is addressed from towards the end of a project to the very beginning, i.e. Privacy by Design. Rather than hindering progress, this has made the department more efficient, as pre-planning privacy adherence from the outset has proven far more effective than retrospectively identifying privacy weaknesses and remedying them before deploying into production.


Churches and ministries are the heart of what we do at Planning Center. A data breach could have devastating effects on them and an immeasurable impact on our business. As their data management providers, trust is our number one most valuable asset. By working with Calligo, we’ve greatly increased the trust our churches have with us and the trust their congregations have with them, empowering them to do their jobs even better. The impact of our work with Calligo has consequences that reach far beyond our business and our bottom line.

Daniel Murphy
Planning Center
