Case Study: Planning Center

How a software developer achieved Privacy by Design and protected 1,000,000s of special category records

What the client said

“The main difference in choosing Calligo was how they sit apart from most other privacy consultants. We had the impression – and this was borne out in the delivery – that the service would not be limited to auditing our processes and leaving us to interpret them and determine next steps ourselves. Nor would they simply write our privacy policies and hand us certifications. It was clear it would instead be a thorough, honest, and practical engagement, and the start of a long-term collaborative relationship.”

Daniel Murphy, Product Manager at Planning Center

Industry: Software Development

Location: California, United States

13 years old

50,000+ customers

1,000,000s special category records held

The client

 

Planning Center is a 13-year-old church management software company based in San Diego, California. It serves more than 50,000 churches and ministries across the US and in many countries in Europe.

 

The platform has evolved from a worship scheduling tool for organising volunteers, facilities and service programmes into a suite of applications covering membership, donation management, event registrations and child check-in.

 

As society’s anxiety over how personal data may be used or misused has grown, Planning Center had seen a rapid increase in inbound enquiries on its approach to GDPR. These were mainly from EU-based churches, but a number also came from US-based customers who appreciated the risk of having US-resident EU citizens’ data in their databases.

 

In addition to gathering and holding enormous amounts of personal data, such as names and contact details, Planning Center also holds sensitive data on children – a particularly protected group under GDPR – as well as data that has been designated as a “special category”, such as counselling records and information on religious beliefs.

 

 

Calligo services in summary 

 

Planning Center recognised that privacy is far too fast-moving, far-reaching and complex for them to safely assign such a specific discipline to their existing resource, even the legal team. The company therefore decided the safest course of action was to outsource this requirement to experts in the laws and their practical implementation.

 

Before meeting Calligo, Planning Center had met with various other service providers but found most were unsuitable. Many were only recently trained in GDPR and would offer options for courses of action, but not practical advice as they were too inexperienced to consult accurately and were wary of implicating themselves. In contrast, Planning Center was struck by Calligo’s longstanding heritage in data privacy and its ability to offer expert advice alongside practical support.


GDPR GAP Analysis

“When we saw Calligo’s GAP Analysis, we were sure we had made the right decision in choosing them as our partner - more thorough than our previous one, practically-focused and made clear recommendations of next steps.”

 

 


Data Protection Officer as a Service

“Calligo’s team helped us realise that privacy adherence is not a case of receiving a certificate and being signed off as compliant. Instead, it requires an ongoing vigilance into how we treat our customers’ data.”

 

 


Privacy by Design

“Our data privacy rigour will support our fulfilment of other IT and security standards that apply to our business. In terms of ongoing and varied impact, this is one of the most efficient initiatives we have conducted to date.”

 

 

 


 

Service 1: GDPR GAP Analysis

 

The first step for Calligo was to discover how Planning Center’s existing processes and technologies currently stood up to GDPR requirements. Planning Center had previously conducted a GAP Analysis through another provider, but it was shown to be insufficiently thorough and a little simplistic. Calligo therefore performed its own analysis and identified a series of quick wins, plus the areas of non-conformance that required more work.

 

Once the report had been presented and next steps agreed, work then began to implement resolutions. Importantly, Calligo supervised the remedial work to ensure it was carried out correctly and efficiently, rather than simply abandoning Planning Center to implement recommendations alone. Calligo was also careful not to waste Planning Center’s time with a one-size-fits-all approach. Many requirements within GDPR are simply irrelevant for many businesses, and yet many generalist approaches will require clients to take the necessary steps to align with them. Calligo instead removed meaningless tick-box exercises from the project, focusing time and resources only on activities that genuinely improved Planning Center’s ongoing adherence.

 

 

Service 2: Data Protection Officer as a Service

 

Because of the extreme sensitivity of the data Planning Center processes, Planning Center is required to appoint a Data Protection Officer (DPO) who must monitor the organisation’s ongoing adherence.

 

Today, Calligo continues to serve as Planning Center’s DPO under an outsourced service. Calligo’s duties include:

  • Advising on data protection and information security matters pertaining to the GDPR.
  • Reviewing and advising on privacy policies, procedures and documentation.
  • Monitoring the collation of records of personal data processing operations.
  • Advising on the training of staff involved in data processing operations.
  • Advising on data protection impact assessments (DPIAs), their implementation and their outcomes.
  • Serving as the contact point for data protection authorities for all data protection issues.
  • Data breach management and reporting.
  • Serving as the contact point for data subjects on privacy matters, including subject access requests.
  • Monitoring ongoing compliance with the GDPR.
 


 

Service 3: Privacy by Design

 

The value that Calligo’s GDPR project delivered was multi-faceted. Valuable knock-on effects of the work are being discovered regularly.

 

One example stems from Calligo’s capabilities spanning beyond just privacy. Calligo’s heritage in technology, infosecurity and information management meant that Planning Center’s entire risk profile was addressed, including how data flowed through the organisation, not just the compliance framework. Calligo then worked with the wider team at Planning Center to design and deliver a robust foundation that minimises Planning Center’s risk from emerging and developing regulations, without sacrificing time to market. In essence, this achieved ongoing data privacy by design and default.

 

Planning Center has noticed that data security and privacy have now become part of the natural language of the business and embedded within its culture. The development team, for example – probably the area where it was feared GDPR would have the most obstructive impact – has shifted the point at which privacy is addressed from towards the end of a project to the very beginning, i.e. Privacy by Design. Rather than hindering progress, this has made the department more efficient, as pre-planning privacy adherence from the outset has proven far more effective than retrospectively identifying privacy weaknesses and remedying them before deploying into production.

 

 

 

What the client said 

“Churches and ministries are the heart of what we do at Planning Center. A data breach could have devastating effects on them and an immeasurable impact on our business. As their data management providers, trust is our number one most valuable asset. By working with Calligo, we’ve greatly increased the trust our churches have with us and the trust their congregations have with them, empowering them to do their jobs even better. The impact of our work with Calligo has consequences that reach far beyond our business and our bottom line.”

Daniel Murphy, Product Manager at Planning Center
