At Tithely, we value the privacy of our customers and their members. When it comes to having a church website, it’s imperative that you too are thinking about the privacy of your members and visitors.
Since websites are a global and open platform, no matter the privacy laws in your jurisdiction, it’s important to put measures in place to ensure the privacy of individuals visiting your website.
The various privacy laws in place today are designed to protect individual privacy and ensure the secure handling of personal information. These regulations apply to organizations of all sizes, emphasizing the need for preparation to avoid severe consequences for non-compliance.
Privacy law compliance also offers advantages. It presents an opportunity for organizations to reassess their data storage, sharing, and protection practices. By prioritizing privacy, organizations can position themselves as trusted entities. With proper preparation, organizations can capitalize on new opportunities arising from the various privacy laws.
This guide has been written to provide insight into what steps you can take to ensure your website is adhering to the various privacy laws.
Understand the Data You Hold
Gain clarity on the personal data you collect, store, and process through your website. Identify sensitive data and establish measures to secure it. Determine if your website collects data from minors and ensure proper consent mechanisms are in place.
Sensitive data is referred to as "special categories of personal data." These categories are specifically protected due to their sensitive nature, as they can reveal information about an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data, health data, or data concerning a person's sex life or sexual orientation.
Most privacy laws impose additional requirements and safeguards for the processing of these special categories of personal data. In most cases, processing such data is prohibited unless explicit consent is obtained from the data subject or unless certain specific circumstances apply, such as for medical purposes, employment obligations, or legal claims.
It's important to note that privacy laws place a high level of importance on the protection of all personal data, not just sensitive personal information. Organizations should implement appropriate measures to ensure the security and confidentiality of all personal data they process, regardless of whether it falls within the special categories outlined by privacy laws.
What personal data does Tithely Websites hold?
Tithely Websites collects and stores email addresses when visitors subscribe to newsletters managed through our platform.
Secure Your Website
Website security is paramount. Protect stored data and fortify your website against external threats. Implement an SSL certificate for encrypted communication, use strong passwords for admin accounts, consider additional layers of server protection, utilize anti-virus software, and minimize data collection to what is necessary.
How does Tithely Websites secure your website?
Tithely Websites implements security measures as well as SSL certificates to ensure all connections and data transferred through the website are encrypted.
Obtain Consent for Email Communications
Ensure that you receive user consent before sending emails, preferably using a double opt-in process. Provide an easy and accessible option for users to unsubscribe from your mailing list.
How does Tithely Websites help collect email consent?
Tithely Websites puts website visitors through a two-step sign-up process to join a newsletter to ensure that consent has been given.
Implement a Cookie Banner
If your website utilizes non-necessary cookies, use a cookie banner to obtain consent from users. Clearly explain the purpose and types of cookies used, provide options for managing preferences, and offer an opt-out for users who refuse cookie storage.
Various tools, such as Cookie Script, let you create a compliant cookie banner for free or for a small monthly fee.
Type of cookies included in your Tithely Website:
Other cookies may be present depending on what features and third-party services you embed on your website. Cookie Script provides a free cookie scanner to identify additional cookies.
Review and Update Website Forms
To ensure compliance with privacy laws when collecting personal data from users, the following measures should be taken:
- Privacy Statement: Include a privacy statement that clearly explains the purpose of data collection, how the data will be used, and the user's ability to withdraw consent at any time. This statement should provide transparency and clarity regarding the handling of personal data.
- Opt-in Consent: Implement an opt-in mechanism, such as an unticked checkbox or a disabled toggle switch, to obtain explicit user consent before collecting their data. This ensures that users actively indicate their agreement to have their data collected, rather than assuming consent by default.
- Communication Preferences: Provide users with the option to choose whether they wish to receive correspondence from your organization or related services. This can be achieved through the inclusion of a checkbox or a similar option that allows users to select their communication preferences.
By implementing these measures, you can ensure that your data collection practices align with the principles of transparency, consent, and user control mandated by the various privacy laws.
Assess Third-Party Services
Evaluate International Data Transfers
If your website transfers personal data to countries outside the jurisdiction of the privacy laws you adhere to, conduct thorough risk assessments. Ensure the recipient country or service provides an adequate level of data protection and establish necessary agreements with recipients if required.
Provide Data Rights Provision
Analyze and Prepare for Data Breaches
You should establish a proactive approach to data breach preparation and response, mitigating potential risks and safeguarding the security and privacy of individuals' personal data.
To effectively prepare for a potential data breach, the following steps should be taken:
- Maintain a Record of Processing Activities: Keep a comprehensive record of your data processing activities. This includes documenting the types of data you collect, the purposes for which it is used, any third parties involved, and the security measures in place.
- Temporarily Block Website Access: In the event of a data breach, it is crucial to promptly address the vulnerability. As a precautionary measure, consider temporarily blocking all access to your website until the vulnerability is fixed. This helps prevent further unauthorized access and potential data leaks.
- Conduct a Thorough Investigation: Perform a detailed investigation to determine the specifics of the breach. Identify where and when it occurred, the methods employed, the data involved, and the extent of the impact on affected individuals. This investigation aids in understanding the severity of the breach and guides subsequent actions.
- Notify the Appropriate Supervisory Authority: Adhere to the requirement of notifying the relevant supervisory authority about the breach (e.g., within 72 hours under the GDPR). Provide all available information regarding the breach, including the categories and approximate number of affected users, the types and approximate number of compromised personal data records, and any measures taken or planned to address the breach.
- Inform Affected Users: If there is a heightened risk to users' rights and freedoms resulting from the breach, promptly notify the affected individuals. Communicate the details of the breach, the potential impact on their data, and any recommended steps they can take to protect their information. Transparently sharing information enables affected users to take necessary precautions.
- Enhance Policies and Procedures: Review and update your existing policies and procedures to strengthen your website's security and prevent future breaches. Assess vulnerabilities, implement additional security measures, and ensure that your data protection practices align with best practices and regulatory requirements.
- Develop a Data Breach Response Plan: Prepare a comprehensive plan of action to guide your organization's response in the event of another data breach or the likelihood of future breaches. This plan should include predefined steps, assigned responsibilities, and communication protocols to enable swift and coordinated incident response.
Frequently Asked Questions
What are the key requirements of privacy laws?
The fundamental requirements of privacy laws include:
- Collecting and processing personal data in a fair, secure, and lawful manner, and disclosing how data is handled to users.
- Collecting data for specific and legitimate purposes, avoiding incompatible processing.
- Ensuring data collected is adequate, relevant, and limited to what is necessary for its intended purpose.
- Granting users the ability to exercise their data rights and promptly notifying them of data breaches with relevant details.
What are the principles of privacy laws?
The seven principles of privacy laws are as follows:
- Lawfulness, fairness, and transparency: Processing personal data in a legal, fair, and transparent manner while informing individuals about its usage.
- Purpose limitation: Collecting data for specific and legitimate purposes without further unrelated processing.
- Data minimization: Using only the minimum necessary personal data required for the intended purpose.
- Accuracy: Keeping personal data accurate, up to date, and correcting any errors if necessary.
- Storage limitation: Storing personal data no longer than necessary and deleting or anonymizing it once the purpose is fulfilled.
- Integrity and confidentiality: Protecting personal data from unauthorized access, loss, or disclosure through appropriate security measures.
- Accountability: Organizations being responsible for complying with privacy law principles and being able to demonstrate their compliance.
What is a privacy compliance checklist?
A privacy compliance checklist is a valuable tool for businesses to ensure compliance with privacy law regulations. It provides a list of tasks and areas that need to be addressed to ensure adherence to the law. The checklist helps identify areas of improvement, highlights gaps in information or data protection processes, and ensures comprehensive compliance.
What is the maximum penalty for non-compliance with privacy laws?
This varies between privacy laws, but the maximum penalty for non-compliance with the GDPR can be up to €20 million or 4% of the annual global turnover, whichever is greater. In addition to financial penalties, authorities may also require the deletion of held personal data or cessation of data processing.
How to achieve compliance?
To ensure full compliance, it is essential to adopt a privacy-first approach and keep the following considerations in mind:
- Maintain transparency regarding data processing practices.
- Collect and use personal data fairly and lawfully.
- Obtain relevant consent for data collection.
- Enable users to access, correct, and delete their data.
- Provide users with data management options.
- Ensure technology meets regulatory compliance requirements.
- Implement robust measures to keep personal data safe and secure.
- Review and ensure privacy law compliance of third-party services and vendors.
Disclaimer: Please note that the information provided in this guide is for general informational purposes only and should not be considered as legal advice. It is strongly recommended that you seek professional legal advice or consult with an appropriate expert regarding your specific circumstances. Reliance on any information provided in this guide is solely at your own risk. The author and publisher of this guide disclaim any liability for any loss or damage incurred in connection with the use of this information.