Planning Center is a 13-year-old church management software company based in San Diego, California. It serves more than 50,000 churches and ministries across the US and in many countries in Europe.
The platform has evolved from a worship scheduling tool for organising volunteers, facilities and service programmes to now including multiple applications for membership, managing donations, event registrations and child check-in tools.
As society’s anxiety over how personal data may be used or misused has grown, Planning Center saw a rapid increase in inbound enquiries about its approach to GDPR. These came mainly from EU-based churches, but also from a number of US-based customers who appreciated the risk of having US-resident EU citizens’ data in their databases.
In addition to gathering and holding enormous amounts of personal data, such as names and contact details, Planning Center also holds sensitive data on children – a particularly protected group under GDPR – as well as data that has been designated as a “special category”, such as counselling records and information on religious beliefs.
“When we saw Calligo’s GAP Analysis, we were sure we had made the right decision in choosing them as our partner - more thorough than our previous one, practically-focused and made clear recommendations of next steps.”
“Calligo’s team helped us realise that privacy adherence is not a case of receiving a certificate and being signed off as compliant. Instead, it requires an ongoing vigilance into how we treat our customers’ data.”
“Our data privacy rigour will support our fulfilment of other IT and security standards that apply to our business. In terms of ongoing and varied impact, this is one of the most efficient initiatives we have conducted to date.”
Because of the extreme sensitivity of the data it processes, Planning Center is required to appoint a Data Protection Officer (DPO), who must monitor the organisation’s ongoing adherence.
Today, Calligo continues to serve as Planning Center’s DPO under an outsourced service. Calligo’s duties include:
The value that Calligo’s GDPR project delivered was multi-faceted. Valuable knock-on effects of the work are being discovered regularly.
One example stems from Calligo’s capabilities spanning beyond just privacy. Calligo’s heritage in technology, infosecurity and information management meant that Planning Center’s entire risk profile was addressed, including how data flowed through the organisation, and not just the compliance framework. Calligo then worked with the wider team at Planning Center to design and deliver a robust foundation for Planning Center to minimise its risk from emerging and developing regulations, without sacrificing time to market. In essence, this achieves ongoing data privacy by design and default.
Planning Center has noticed that data security and privacy have now become part of the natural language of the business and embedded within its culture. The development team, for example (probably the area where it was feared GDPR would have the most obstructive impact), has shifted the point at which privacy is addressed from towards the end of a project to the very beginning, i.e. Privacy by Design. Rather than hindering progress, this has made the department more efficient, as pre-planning privacy adherence from the outset has proven far more effective than retrospectively identifying privacy weaknesses and remedying them before deploying into production.