© 2018 by Jonathan E. Smith, all rights reserved
Director of Technology, Faith Ministries
Reprinted from MinistryTech Magazine

I know what you’re thinking. You’ve received numerous emails over the past few months about GDPR and you are sick of hearing about it. Seeing GDPR one more time makes you want to scream. I’m with you. I’ve gotten emails about GDPR from companies I have no record of ever interacting with, and I’m a geek so I keep track.

While traveling around the past few months since GDPR went into effect on May 25, 2018, I’ve been amazed at the number of questions folks are asking about it and the astonishing lack of information there is about it, especially as GDPR relates to churches and ministries. In an attempt to narrow the knowledge gap here is my best effort to tackle the GDPR issue, specifically how it relates to churches and ministries. Please note, I’m not an attorney, I don’t even play one on TV, so while I’ve done my research it is always good to ask your legal counsel to sign off on any plans or changes you may have or plan to implement in response to GDPR.

What is GDPR?
GDPR stands for General Data Protection Regulation. It was passed by the European Union to provide their citizens with more control over their personal data and to determine what those they’ve given their personal data to can do with it. In many ways, it could stand for Golden Data Protection Rule, one with a biblical worldview could sum up GDPR as the Golden Rule of Data, treating others data the same way you want your data treated.

The law also provides a few specific provisions for EU citizens. First, what is considered personal data is defined. Second, EU citizens can request their data be completely removed or can only be used for certain purposes. For example, you can contact me using my data but you cannot send me ads using my data. Third, organizations operating in the EU have to report any data breaches within 72 hours.

Reading what GDPR does you can understand why it was written. It took Equifax weeks to notify the world they had been hacked, GDPR addresses that. Your data on Facebook makes you the product, not the customer and you have no control over what Facebook does with your data, GDPR addresses that.

How does this affect those not in the European Union?
This is the biggest question surrounding GDPR and one the entire planet is struggling to understand. The European Union has 500 million citizens, so they have the ability to push their agenda a bit. The challenge for organizations operating worldwide is the EU has set the strictest of standards, so do you operate with multiple policies concerning data collection and use based on where the individual lives, or do you work off GDPR since that ensures the most people will be covered by your policies. If you don’t fully understand, you aren’t alone.

Some companies in response have stopped operating in the EU until they can figure this out. The issue is they operate in the EU and are storing data for EU citizens. GDPR states how you should do that if you meet both qualifications.

Enforcement
This is where the world of international law gets complicated. While GDPR tells you how you can/should store and use the information of its citizens, it cannot be enforced on organizations that do not have a physical presence in the EU. Let’s take Facebook for example; they have a large, lucrative presence in the EU. They have data centers, offices, etc in the EU. The EU is able to enforce GDPR because Facebook has a physical presence there. In other words, there is a location that can be seized, personnel that can be arrested, and executives that can be taken to court.

For organizations that do not have a physical presence in the EU, this does not apply. There is no office or data center or person they can hold accountable and the EU is not able to enforce its laws on those outside the EU, for example, in North America. That’s how international borders work.

Blah, blah, blah. How does this Impact Churches?
If you’ve skimmed the first part of this, that’s fine but this is the part in which to pay close attention. At its heart, the GDPR legislation is about being a good steward of data. While data can mean many things from name, address, phone number to t-shirt size and food allergies, it is important for us to remember in the church world: data means people and people mean souls. We did not need GDPR to tell us to be good stewards of the people our ministries serve.

The Bible tells us to be good stewards (1 Corinthians 4:2), the Bible also tells us to obey the authority (Romans 13), including governments, placed over us. In this case, it seems the EU is telling those who operate in the EU to do what the Bible says and be good stewards of data.

GDPR requires a few things I would hope churches around the globe are already doing:

1. If your data is breached, report it within 72 hours. Even without GDPR, every church should have a data breach plan and procedure in place and want to be open and honest when mistakes happen. The church is the last place that should try to cover it up for weeks or months.
2. If a user wants you to remove them from your database, remove them. Even without GDPR, every church should have a procedure to remove a record from their database if someone does not want any of their information stored within your organization.
3. If a user wants you to email them prayer requests but nothing else, honor their request. Even without GDPR, you should be able to send folks what they want and not require them to get everything you send out. There is a difference between sending out prayer requests and fundraising requests. Do you allow folks to determine how you use their data?

I’m sure by now some of you are wondering about financial data. What happens when someone gives you money and then wants to be totally removed? In the US you are required to keep a record of financial transactions for 7 years. Even without GDPR, if someone wants to be removed, but they’ve given you money, do you have a procedure to remove them while still keeping the financial record for 7 years and then removing them completely when the 7 years are up?

Most churches don’t have a physical presence in the EU so there isn’t an issue here but what happens if you do have a presence in the EU and someone from the EU gave you money and then wanted to be removed from your database? The principle is to apply donor intent; they don’t want to be in your database so you treat them as if they weren’t there by removing everything you can until you can remove their record entirely.

While there may be several legal and international law issues at play here, I believe the core concept is not a legal one but one of ministry integrity. We should not have needed GDPR to tell us how to care for the data those we minister to have entrusted to us.

FAQ 

1. We support missionaries or other ministries that operate in the EU and have a physical presence there; do we fall under GDPR?
   • No, the organization you support in the EU that has a physical presence there does fall under GDPR but you as an individual or organization supporting them do not.
2. Should churches have data access and user rights policies?
   • Yes, even if in a basic format a policy showing who gets access to your data, for what purposes, and how you handle the data you’ve been given is important. It is also important to note how you handle requests for removal from your databases and/or email lists. With everyone talking about GDPR, you may find a guest or two asking if you have any data policies before they give you their children’s allergies when they check their kids in some Sunday.
3. Should anyone lose sleep over this?
   • No, what we are talking about here is Golden Rule stuff. If you are losing sleep over GDPR then there are probably bigger issues to address in how you handle user data.
4. Is this really new?
   • No, in 1995 the EU had a privacy policy called Data Protection Directive. It expired when GDPR was enacted. In many ways, GDPR further refines and enhances privacy and data protection provisions that have been around since 1995.
5. What counts as data?
   • This is harder to answer because there is admittedly some subjectivity here. The obvious name, address, phone number, email address, SSN, picture, etc are pieces of data that can be used to positively identify a person. Recently an EU court ruled that under certain circumstances an IP address can also be considered personal data and is therefore subject to GDPR.
6. If we take signups and collect data on our website, do we need to make changes for GDPR?
   • Only if you have a physical presence in the EU.

Next Steps 

1. If your church or ministries do not have a data access and management policy, then get one. Even a basic policy and procedure for how you handle user data and requests is important and shows you’ve thought about it and care about it.
2. This is not an IT issue nor should this be dumped on the IT team. While IT clearly has a role in data management, they should not be the decision makers. GDPR requires organizations operating in the EU to have a privacy compliance officer. This can be a new employee or a role added to an existing employee. While churches and ministries may not need a privacy compliance officer the concept of having someone constantly checking to make sure you are being good stewards of data and coordinating data stewardship across ministry and church departments and silos is valid.
3. Get legal counsel. If you operate in the EU or are concerned you might, it would be wise to consult with a licensed attorney with experience in this area. Don’t try to figure it out on your own. The EU is intent on enforcing GDPR and no church or ministry should want to be on their radar.

The Golden Rule comes from Matthew 7:12 and Luke 6:31. “Do unto others as you would have them do unto you.” This applies to how individuals relate to each other in person and online, and to how organizations treat each other and those they serve. Whether we are talking about money, data, time, or talent the Golden Rule is more than just a rule or ideology from long ago; it is the Word of God.

Jonathan Smith is the Director of Technology at Faith Ministries in Lafayette, IN. You can reach Jonathan at jsmith@faithlafayette.org and follow him on Twitter @JonathanESmith.

© 2018 by Nick B. Nicholaou, all rights reserved
President, Ministry Business Services, Inc.
Reprinted from MinistryTech Magazine

A church IT forum discussion came up recently that is worth thinking through. The original post asked for input on how to keep team members from connecting their personal devices to the password-protected staff WiFi. The discussion that followed was a little like Mr. Toad’s Wild Ride! Lots of ideas being tossed around, most of which uncomfortably avoided the most important questions.

Underlying Risk
The vast majority tried to help by explaining various ways the team could be controlled or prohibited from attaching their personal devices to the staff WiFi. There were a couple voices of reason that participated, suggesting positive ways forward.

Those not in IT may not understand the underlying risk. Why shouldn’t team members connect their personal devices to the staff WiFi? There are legitimate dangers associated with letting personal devices attach to the staff WiFi.

• The staff WiFi, usually password protected, is typically configured to give devices full access to the organization’s network as though they were connected and logged in via an Ethernet cable. That is in contrast to the public guest WiFi, which is typically configured to give devices access only to the internet, and hopefully access that is filtered.
• The organization’s data needs to be protected. Churches and ministries maintain a lot of sensitive data that could hurt congregants and team members if not adequately protected. Data like contributions records, HR records, social security numbers of staff and some vendors, church member disciplinary notes, board minutes, and more. That data needs to be kept private, but it also needs to be kept available for team members to use in the operations of the organization. Malware like ransomware exists because hooligans understand the value associated with appropriate data access, and endeavors to block access to the data unless a ransom is paid.
• The organization’s systems need to be protected. There are some who would like to disrupt the flow of church and ministry operations by crashing the system or participating in activities that could cause authorities to remove all computers and servers for forensic investigation and, possibly, evidence in a prosecution.

When team members use the staff WiFi on their personal devices, the organization’s data and systems are put at risk.

The Next Question
So, does that mean team members should not use the staff WiFi for their personal devices? Maybe; it depends on why they need it.

One of the forum participants, Jason Powell at Granger Community Church, contributed “Figure out what need they’re trying to solve. It took a while for our staff to be coached that there is no speed difference between our staff and public WiFi. After asking why they wanted a personal device on the staff WiFi, in almost every case, it was because they assumed it gave them something that the public WiFi didn’t. A simple conversation assured them that the public WiFi would do everything they were asking for.”

What if the need is legitimate, though? Jason continued, ‘For legit needs like interns, volunteers, etc needing a personal device to have more access, build a simple BYOD network.” A BYOD (Bring Your Own Device) network is not difficult or costly to do. The cost factors involved are more to create systems that can enforce protections and recover from breaches in case they occur.

Who Decides What IT Needs are Legitimate?
This is the part often overlooked. IT is not responsible for determining what access needs are legitimate or not; that is leadership’s responsibility. IT should communicate the benefits, risks, and any mitigation costs to leadership and ask for direction. Only leadership is responsible for determining who should and who should not have access to systems and data. IT’s role is to engineer and configure, train, monitor, and enforce the decisions made by leadership.

Effects of IT Setting Policy
When IT makes decisions without leadership’s direction, those decisions usually take the form of policies and system settings that frustrate team members. In organizations where that is the case, IT often becomes the “No” people. Some church and ministry teams get dysfunctional in the wake of those policies. Team members– who feel called by God to fulfill their ministry call– often take the posture of doing whatever it takes to fulfill their call even if it means going around IT’s policies and system settings.

Effects of Leadership Setting Policy
Policies set by leadership are ultimately enforced or modified by leadership. IT has the potential of having a ministry-facilitating impact by letting leadership set policy. And leadership should fully fund whatever is required by the policy decisions it makes, which means that IT doesn’t have to try to string together inadequate strategies. If leadership doesn’t fund IT with what is needed, IT should let leadership know and ask for either a change in policy or a change in the budget.

© 2018 by Nick B. Nicholaou, all rights reserved
President, Ministry Business Services, Inc.
Reprinted from MinistryTech Magazine

March is the month of St. Patrick’s Day, whose modern-day associated color is green. When we think ‘green’, we also think of doing things that are friendly to the environment. What are some quick tasks we can do to make IT more ‘green’?

Why the Green Focus?
Many in our congregations and ministry constituencies want us to be good stewards– not only of our financial resources, but also in the way we consume resources to accomplish ministry. I live in California, and folks– especially millennials– esteem homes, businesses, churches, and more as ‘better’ if they’re more environmentally sensitive. There are many in your congregation or ministry constituency that would be all the more pleased with associating with your organization if they knew that there are initiatives underway to help protect the environment. And that makes cost-effective green initiatives a win-win!

Green Server Rooms
A common issue we see in server rooms is that they become storage areas for all kinds of things. That happens mostly because team members don’t understand the need to keep the server room clean, cool, and secure; many perceive the space as ‘available’ even though it isn’t. Defending the space can be exhausting.

March is a great month to go through the server room and remove anything that shouldn’t be there. In addition to boxes of things others have deposited there, consider what IT-related items are stored there too! Churches and ministries sometimes have a hard time letting go of retired technology that still worked when it was retired, even though they’ll never use it again. “But what if…?”

When I visit clients, I often offer to clean out all those old CRT monitors, Pentium computers, keyboards, roller-ball mice, and cords that are gathering dust (a fire hazard) and are taking up space. Seriously, if you haven’t used it in a couple of years, it is probably trash. It’s actually good stewardship to let them go! Here are just a couple of reasons why:

1. There are many electronics recyclers that are willing to help, and usually for free! If they’re certified electronics recyclers, you can even trust them to erase hard drives, etc as they do their recycling! And recycling is a good thing.
2. The more things that are stored in a server room, the less cool air is available to absorb the heat exhausted by your servers and other electronic gear. That can contribute to running hotter and consuming more electricity, and cause a shorter life for some equipment. Clean server rooms are always best.

Green Systems
There are a few things worth considering and doing that will help make your IT systems more ‘green’ in general.

1. Virtualize your servers. Virtualization is a software technology that makes it possible to reduce the number of physical servers in your organization. It uses an app called a hypervisor that allows you to install more than one virtual server on each of your physical servers, which we then call hosts. In addition to saving money by not having to purchase a bunch of physical servers, virtualization reduces the amount of electricity consumed because the number of physical servers is smaller. It also helps reduce electricity consumption by reducing the amount of heat in a server room that must be overcome by air conditioning systems because there are fewer electronic devices exhausting heat!
2. Move Servers to The Cloud. In addition to virtualizing your local servers, consider going a step further by determining whether their roles can be moved to a hosted cloud service provider. In recent years my firm has moved many clients’ entire group of local servers into our cloud infrastructure, dramatically reducing electrical consumption while also outsourcing the responsibility to maintain those servers. The cloud is a terrific way to make your systems more green, while also reducing capital expenses.
3. Clean Dust from Inside Computers. It’s amazing how much dust accumulates in computers. For those computers that remain on-site (servers, workstations, etc), consider cleaning their cooling fans. Perhaps organize a volunteer work party that goes to each workstation and cleans their insides! Cleaning them out every March as part of your ‘green’ initiative will reduce their electrical consumption and may extend their life because they’ll run cooler!

St. Patrick’s Day! What a great time of year to clean up server rooms– or maybe even eliminate them by moving into the cloud! And a great time to clean the dust from inside your servers and workstations (before the weather begins to warm up).

© 2017 by Nick B. Nicholaou, all rights reserved
President, Ministry Business Services, Inc.
Reprinted from MinistryTech Magazine

SPAM email can be dangerous and painful to the recipient and to any data they have access to. Whether it’s ransomware, phishing, pushing of malware, or impersonation, a strategy is needed to protect ourselves. I’ll address these different types of SPAM, and how each should be strategically managed.

SPAM Comes in Many Flavors
In addition to what many think is a tasty lunchmeat, SPAM also refers to unsolicited email, and those emails are usually intended to do the recipient harm. Sometimes the pain is small, but often it is big and costly. The most costly to an organization are usually ransomware and business email compromise; the most costly to an individual are usually phishing scams.

Here are some categories of email SPAM and how to respond to them:

• Business Email Compromise (BEC), a.k.a. Impersonation Emails
  • Form: These SPAM emails used to only target businesses working with foreign suppliers and businesses who use financial wire transfer methodology. But in the last year we have seen many occurrences hit churches and ministries using checks! The form of the attack, as it affects churches and ministries, is usually an email supposedly from a pastor or executive in the organization directing the recipient to immediately transfer funds or cut a check. These attacks are usually well researched (we are welcoming and friendly environments, and we give them all of our staff structure and names on our websites!), and can feel legitimate.
  • What To Do: Never comply with the request. Always, require a live voice confirmation of the request in person or via live telephone call.
• Ransomware
  • Form: Ransomware is malware installed on your computer that usually gets introduced through a SPAM email, compromised website, or even through a bot (internet program) that looks for Remote Desktop Protocol vulnerabilities. Once infected with the ransomware malware, data is encrypted and held for ransom.
  • What To Do: One of the best defenses against ransomware is to keep multiple days (we prefer a full month) of full data backups so your system can be ‘reset’ if an infection gets through your defenses. In addition to ensuring good backups:
    1. Never click on a link or graphic in an email you weren’t expecting. Even if it came from someone you know, do not click any links. If you think the email and its links may be legitimate and want to click them– before clicking on them– hover your mouse pointer over the link without clicking. Doing so should show the destination of the link. I recently did this on an email I received from Microsoft that looked legitimate, but the link would have taken me to a very different location than what I expected. Best rule: if you’re not sure that it’s okay to click, do not click!
    2. Make certain your computer has a good anti-malware program running on it. That’s true whether you’re using a Windows or a MacOS computer. The solution my firm recommends is www.thirtyseven4.com… doing so will help prevent you from accessing most compromised websites.
• Phishing
  • Form: Phishing has a few forms, almost all of which happen through email SPAM. Phishing is the attempt to get the recipient to provide personal information about themselves that could be used to accomplish some form of identity theft. Phishing is sometimes referred to as clone phishing (a previously legitimate email that has been recreated with malware embedded or in links and re-sent to the same list of recipients as the original), whaling (phishing attacks aimed at executives and high-profile targets), and spear phishing (attacks targeting specific individuals that may even contain information about them discovered through websites, social media, and other sources.
  • What To Do: Never respond to a request for personally identifying information in an email without first confirming the source. I even take this a step further if I get a phone call from my bank about possible fraudulent activity in my credit card account! In the call they ask for my password to prove I am who they intended to reach. I decline their request and tell the caller they need to tell me my password to prove they are who they say they are since they initiated the call! They’re not allowed to tell me, of course, so that’s when I disconnect and call the number on my credit card– that way I know I’m talking to my bank.

These are a few SPAM categories. It is imperative that every organization use a high-quality SPAM filter on its email server to eliminate most of the SPAM from being delivered to email account holders. There are a lot of SPAM filter solutions available; our favorite is from Barracuda. They are the gold standard and best-of-breed in that industry.

Just an fyi… we host SPAM filtering for churches and ministries nationwide using a Barracuda SPAM Filter 600. We process more than 90,000 emails daily, and it blocks about 80%. That means about 80% of the email pointed toward your email inbox is unwanted! And some of it is dangerous!

Using a solid SPAM filter won’t stop all SPAM from getting to users’ email inboxes, but doing so will stop almost all of it. That reduces the likelihood that someone will click on something they shouldn’t. But the best protection will only come from repeated training to all team members. I recommend reminding the team of the danger on a monthly basis during all-staff meetings. And if you know a story in which an organization was hurt as a result of SPAM, tell the story! Doing so will help those who don’t take threats and threat-mitigation seriously to re-consider.

© 2017 by Nick B. Nicholaou, all rights reserved
President, Ministry Business Services, Inc.
Reprinted from MinistryTech Magazine

The world of computing is going through more changes, thanks to the cloud and its ability to make data–and access to it–pervasive. Anywhere and everywhere! How does a church or ministry decide what technologies to adopt? The answer is surprisingly Old School.

New & Exciting Technologies
There are so many new ways to access and process data! iPads and Androids are changing everything! Or they at least want to! Between those devices and our smartphones, it doesn’t seem like we need desktop and notebook computers anymore.

There are two issues worthy of addressing here: 1) the hardware, and 2) where our data is located in the cloud.

Hardware
Tablets are terrific tools, but are they the right tools for those jobs we are called to in The Church? For some jobs they are, but for some they aren’t. How can you tell which is correct for your organization?

My perspective is impacted by my degree and subsequent studies in management. That affects how I approach and strategically use technology. I told a member of our team recently that I like to manage as though I were a NASCAR driver: I want maximum RPMs and output, but I need to be equally focused on maintenance and care. With regards to maintenance, different members of the crew need different tools to get their job done (imagine giving the jackman’s jack to the engine tuner, or the engine tuner’s computer to the jackman!). This relates to the hardware options available today.

Depending on someone’s role, they may be best to use a tablet (iPad or Android) rather than having a desktop or notebook computer. This might be true for those who rarely work in accounting or databases, for example. Tablets are terrific for email, browsing, organizing thoughts in preparation to teach or lead a meeting, and so on.

Others, however, can only be efficient with a desktop or notebook computer. This might be true for those who work in accounting or databases, as well as graphic design and audio/video editing. Those roles need full keyboards, mice or trackpads, and monitors (displays in the Apple world). While it’s true that some of this work can be done on a tablet, the process will very likely take a big hit in efficiency. As those who want to hear “Well done” at the end of this earthly journey, good management means balancing efficiency with maintenance and care.

Data Location in The Cloud
The cloud is the vehicle driving us toward more use of tablets and smartphones to do the operational side of ministry. To be fair, some solutions have focused on creating very good and efficient apps to help us do more on those devices. But some solutions, like accounting systems and databases, are so large and intense that apps only access a subset of all that the computer version of the solutions have to offer.

There’s another issue that should be strategized when trusting our data to the cloud. The issue is the safety and availability of our data. The practical issue is whether our data will be available to us when we need it.

Let’s break this into two categories: how the data is available, and the safety of the data.

• Churches and ministries function most efficiently and safely when certain kinds of data are sharable among members of a group or department. For instance, the children’s or youth department of a church may have multiple team members on staff, and those team members each need to access the same data. Their data needs to be in a shared folder. The administrative or human resource departments may have similar needs, but their data is sensitive and needs to be secure so that only the members of those departments can get to their data.

  It is important that whoever we’re entrusting the hosting of our data to can meet those sharable and security needs. There are some providers that can’t, and thus may not be good candidates to host our data.

• Not all datacenters are created equal. The key issues are how they protect the data stored within their buildings (physical and technical security), and how redundant the necessary systems are to ensure uptime. The redundancy is the easiest to score. I created the following chart for my book, Church IT: Strategies and Solutions:

I recommend only entrusting your data to a certified Tier 3 or Tier 4 datacenter. Anything less may mean you can’t get to your data when you need or want to. Remember, your busiest day of the week is when many others might schedule maintenance!

There are so many exciting technologies we can use today! Good management means getting optimal output from our team members, and that is dependent on providing them with the right tools based on their role in our organization.