The Right to Be Forgotten
You may need to delete congregant data in order to comply with data protection and privacy regulations. ShulCloud offers a rich set of features to help you meet your obligations under the GDPR. ShulCloud allows our Shuls to delete personal data at both a family/organization level and an individual level.
Data Portability
You can contact ShulCloud Support to help you honor your customers’ requests to export their data. We will provide a machine-readable format as required. To comply with GDPR you must report all requests to us immediately.
Consent
ShulCloud helps you comply with data protection and privacy regulations with out-of-the-box support for indicating email opt-out preferences. As the controller, the shul has the responsibility to understand which data requires consent and which does not, and to obtain the requisite consent.
Restriction of Processing
If you have been requested to restrict processing, you must comply on your end by deleting the data from ShulCloud.
Security
ShulCloud has security built into every layer. The infrastructure we provide comes with replication, backup, and disaster recovery planning. Network services are encrypted in transit. Our application services implement identity, authentication, and user permissions. To learn more about our security procedures see www.shulcloud.com/security.
Here is some of what you need to do:
- Review existing privacy and security efforts to identify strengths and weaknesses
- Identify all the systems where the organization stores personal data, and create a data inventory
- Create a register of data processing activities and carry out a privacy impact assessment for each high-risk activity
- Document compliance
- Ensure privacy notices are present wherever personal data is collected
- Implement controls to limit the organization’s use of data to the purposes for which it collected the data
- Establish mechanisms to manage data subject consent preferences
- Implement appropriate administrative, physical, and technological security measures and processes to detect and respond to security breaches
- Establish procedures for responding to data subject requests for access, rectification, objection, restriction, portability, and deletion (right to be forgotten)
- Enter into contracts with affiliates and vendors that collect or receive personal data
- Establish a privacy impact assessment process
- Administer employee and vendor privacy and security awareness training
- Compile copies of privacy notices and consent forms, the data inventory and register of data processing activities, written policies and procedures, training materials, intra-company data transfer agreements, and vendor contracts
- If required, appoint a data protection officer and identify the appropriate EU supervisory authority
- Conduct periodic risk assessments