“The main difference in choosing Calligo was how they sit apart from most other privacy consultants. We had the impression – and this was borne out in the delivery – that the service would not be limited to auditing our processes and leaving us to interpret them and determine next steps ourselves. Nor would they simply write our privacy policies and hand us certifications. It was clear it would instead be a thorough, honest, and practical engagement, and the start of a long-term collaborative relationship.”
Industry: Software Development
Location: California, United States
13 years old
50,000+ customers
1,000,000s special category records held
Planning Center is a 13-year-old church management software company based in San Diego, California. It serves more than 50,000 churches and ministries across the US and in many countries in Europe.
The platform has evolved from a worship scheduling tool for organising volunteers, facilities and service programmes to now including multiple applications for membership, managing donations, event registrations and child check-in tools.
As society’s anxiety over how personal data may be used or misused grew, Planning Center saw a rapid increase in inbound enquiries about its approach to GDPR. These came mainly from EU-based churches, but a number also came from US-based customers who appreciated the risk of having US-resident EU citizens’ data in their databases.
In addition to gathering and holding enormous amounts of personal data, such as names and contact details, Planning Center also holds sensitive data on children – a particularly protected group under GDPR – as well as data that has been designated as a “special category”, such as counselling records and information on religious beliefs.
Planning Center recognised that privacy is far too fast-moving, far-reaching and complex for them to safely assign such a specific discipline to their existing resource, even the legal team. The company therefore decided the safest course of action was to outsource this requirement to experts in the laws and their practical implementation.
Before meeting Calligo, Planning Center had met with various other service providers but found most were unsuitable. Many were only recently trained in GDPR and would offer options for courses of action, but not practical advice as they were too inexperienced to consult accurately and were wary of implicating themselves.
In contrast, Planning Center was struck by Calligo’s longstanding heritage in data privacy and its ability to offer expert advice alongside practical support.
“When we saw Calligo’s GAP Analysis, we were sure we had made the right decision in choosing them as our partner - more thorough than our previous one, practically-focused and made clear recommendations of next steps.”
“Calligo’s team helped us realise that privacy adherence is not a case of receiving a certificate and being signed off as compliant. Instead, it requires an ongoing vigilance into how we treat our customers’ data.”
“Our data privacy rigour will support our fulfilment of other IT and security standards that apply to our business. In terms of ongoing and varied impact, this is one of the most efficient initiatives we have conducted to date.”
The first step for Calligo was to discover how Planning Center’s existing processes and technologies currently stood up to GDPR requirements. Planning Center had previously conducted a GAP Analysis through another provider, but it was shown to be insufficiently thorough and a little simplistic. Calligo therefore performed its own analysis and identified a series of quick wins, plus the areas of non-conformance that required more work.
Once the report had been presented and next steps agreed, work then began to implement resolutions. Importantly, Calligo supervised the remedial work to ensure it was carried out correctly and efficiently, rather than simply abandoning Planning Center to implement recommendations alone. Calligo was also careful not to waste Planning Center’s time with a one-size-fits-all approach. Many requirements within GDPR are simply irrelevant for many businesses, and yet many generalist approaches will require clients to take the necessary steps to align with them. Calligo instead removed meaningless tick-box exercises from the project, focusing time and resources only on activities that genuinely improved Planning Center’s ongoing adherence.
Because of the extreme sensitivity of the data Planning Center processes, Planning Center is required to appoint a Data Protection Officer (DPO) who must monitor the organisation’s ongoing adherence.
Today, Calligo continues to serve as Planning Center’s DPO under an outsourced service. Calligo’s duties include:
The value that Calligo’s GDPR project delivered was multi-faceted. Valuable knock-on effects of the work are being discovered regularly.
One example stems from Calligo’s capabilities spanning beyond just privacy. Calligo’s heritage in technology, infosecurity and information management meant that Planning Center’s entire risk profile was addressed, including how data flowed through the organisation, and not just the compliance framework. Calligo then worked with the wider team at Planning Center to design and deliver a robust foundation that minimises Planning Center’s exposure to emerging and developing regulations without sacrificing time to market. In essence, this achieved ongoing data privacy by design and default.
Planning Center has noticed that data security and privacy have now become part of the natural language of the business and embedded within its culture. The development team, for example – probably the area where it was feared GDPR would have the most obstructive impact – has shifted the point at which privacy is addressed from towards the end of a project to the very beginning, i.e. Privacy by Design. Rather than hindering progress, this has made the department more efficient, as pre-planning privacy adherence from the outset has proven far more effective than retrospectively identifying privacy weaknesses and remedying them before deploying into production.