CyberGrants Position Statement: EU General Data Protection Regulation (GDPR)
CyberGrants’ mission is to help our Clients achieve their philanthropic goals by providing innovative software and services in the most secure and efficient way. Since our inception nearly 20 years ago, we have been committed to protecting our clients’ data, including information about their donors, employees, retirees, and the non-profit organizations they support. We regularly review and evolve our processes and procedures to meet or exceed the applicable regulations.
Similar to current legal requirements, compliance with the EU General Data Protection Regulation (GDPR) will require a collaborative partnership between our Clients (the Data Collectors) and CyberGrants (the Data Processors).
CyberGrants recently updated our internal policies to insure compliance with the EU General Data Protection Regulation (GDPR), prior to its official launch on May 25, 2018. Specifically:
- Right to Access -- CyberGrants will ensure the clients’ users (i.e. employees and charities) that log into CyberGrants’ systems understand what type of personal data is collected, how their data is processed, where the data is stored, who will have access to the data, and consent to use of their data.
- Right to be Forgotten (Data Erasure) -- CyberGrants has formalized its policy for data deletion:
- Client’s employees and grantseekers should first contact the Client’s philanthropic program administrator (or Human Resources Department) to erase the personal data from the files collected by the program administrator.
- If necessary, the program administrator will send a request in writing to the appointed Client Management Service POD at CyberGrants to have the personal data deleted from CyberGrants systems.
- If the employee or grantseeker is unable to have their data deleted after contacting the philanthropic program administrator or the Human Resources department, then they may contact CyberGrants’ to submit a request to have their data deleted at email@example.com. The request will be routed to the CyberGrants Compliance Department for processing.
- Data Portability -- CyberGrants has formalized its policy for portability requests:
- The CyberGrants systems can respond to portability request through the self-service application available to the internal administrators for the program.
- The data can be provided in commonly used formats such as XML and PDF.
- The employee or grantseeker would contact the program administrator or the Human Resources department to request an update, correct, or erase an employee’s personal data.
- If the self-service application available to the program administrator does not properly update, correct, or erase an employee’s personal data, the program administrator will contact the appointed Client Management Service POD at CyberGrants to fulfill the request.
- Privacy by Design – CyberGrants will proactively work with our clients to focus on collecting only the necessary information to administrate the philanthropic program, while preventing additional special or highly sensitive personal data from being collected under the goal of data minimization.
- Data Protection Officer -- CyberGrants has appointed a Data Protection Officer, who will oversee our data processing operations and insure compliance with GDPR and other relevant regulations.
- Data Anonymization and Encryption -- Finally, any personal data that is stored in CyberGrants’ systems will be anonymized or encrypted under current industry standards.
In 2017, CyberGrants became a member of the EU-US and Swiss-US Privacy Shield Frameworks under the GDPR requirement to have a data protection mechanism to transfer personal data from the EU.
While GDPR has increased standards regarding how personal data can be used for marketing purposes, CyberGrants does not use or redistribute any of our clients’ data for such purposes.
Similarly, none of the personal data collected by our Clients is subject to an automated decision-making process as our Clients control how their employees’ funds and volunteer activities are processed under each Client’s philanthropic program.
If you have any questions regarding CyberGrants compliance under GDPR, please email firstname.lastname@example.org.
To learn more about the GDPR: https://ec.europa.eu/info/strategy/justice-and-fundamental-rights/data-protection_en