GiveGab Enterprise and GDPR

What is GDPR?

The General Data Protection Regulation (GDPR) is an EU regulation that protects the personal data of individuals in the European Union. It is notable in that it applies to any business that controls or processes the personal data of people in the EU, regardless of where that business is located. It grants individuals greater control over their personal information, including what information can be used, whether it can be transferred to third parties, and when it must be erased. GDPR has applied since May 25th, 2018.

If you’re interested in learning more, the full legislation and additional regulation details can be found here: http://www.eugdpr.org/


What is GiveGab's role in enforcing GDPR?

GiveGab collects standard personally identifiable information (PII) on volunteers, donors, nonprofit administrators, and others who use our platforms to interact with nonprofit organizations. In this role, GiveGab operates as a Processor on behalf of the organizations (e.g. nonprofits), which are the Controllers in GDPR terms.

GiveGab has several products, and each meets GDPR requirements in its own way. The information on this page applies to GiveGab's Enterprise Platform (previously the Kimbia Platform).

GiveGab.com, GiveGab giving days, and GiveGab's year-round plans handle GDPR differently; you can read about that here: GiveGab and GDPR


How does GiveGab Enterprise comply with GDPR?

Below we detail how we comply with GDPR as a Processor.

Transparency

GiveGab's terms and conditions and privacy policies are readily available at: http://info.givegab.com/givegab-legal-documentation.
These documents describe how we use the personally identifiable data we collect.


Consent

GiveGab’s Enterprise Platform (previously the Kimbia Platform) is used by organizations to build giving forms and embed them on their own websites. Our terms with organizations that use the platform in this way state that it is the responsibility of the organization (Controller) to communicate its privacy policy, including how it uses the PII collected through those forms.

Additionally, the Enterprise Platform allows organizations to include a link to their privacy policy on forms and/or at the bottom of all email receipts.


Right To Be Forgotten

Individuals whose PII has been collected through the platform have the right to be forgotten. Typically these are donors who have provided information to the organizations they donate to. While we are contractually obligated to keep records of interactions and transactions with the nonprofit organizations (Controllers), we can remove the PII from those records by anonymizing it while the transaction history itself is retained. Note that data which can still be re-linked to the individual (for example through a reversible token or a hash of the email address) is pseudonymized rather than anonymized and remains personal data under GDPR. As the Processor, we provide the process and mechanism for anonymization; however, it is ultimately up to the Controller to authorize the change.

Users can request this either directly from the nonprofit organization (Controller) they have a relationship with or by contacting support@givegab.com. If the user contacts GiveGab support, we still have to contact the Controller organization and have it approve the anonymization before we act.


Data Portability

An individual may request that their personal data be provided in a commonly used, machine-readable format. Users can contact the nonprofit organization (Controller) to which they have given funds, and GiveGab provides a support process to extract this information from the system.
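The two subject-rights flows described above, the authorized anonymization under Right To Be Forgotten and the machine-readable export under Data Portability, as an added worked example. This is illustrative code written for this page, not GiveGab's own implementation; the record layout, the constructed sample donor, and the `approvals` set standing in for the Controller's sign-off are all assumptions for the example.

```python
"""Added example: Controller-gated erasure and a portability export for donor
records. Constructed sample data; not GiveGab code."""
import json
from copy import deepcopy

# Fields that identify the donor. Everything else on the record is the
# transaction history that the Processor must keep for the Controller.
PII_FIELDS = ("name", "email", "phone", "address")

# Constructed sample data for this example (not a real person or real records).
_SAMPLE_DONORS = {
    "d-1001": {
        "org": "org-42",  # the Controller this donor gave to (assumed layout)
        "name": "Jane Example",
        "email": "jane@example.org",
        "phone": "+1-555-0100",
        "address": "1 Example St, Springfield",
        "transactions": [
            {"id": "txn-1", "date": "2018-03-02", "amount": 25.0},
            {"id": "txn-2", "date": "2018-04-10", "amount": 50.0},
        ],
    },
}


def sample_donors():
    """Return a fresh copy of the constructed sample data."""
    return deepcopy(_SAMPLE_DONORS)


class NotAuthorized(Exception):
    """The Controller has not approved this change; the Processor must not act."""


def export_donor(donors, donor_id):
    """Data portability: the donor's data as machine-readable JSON."""
    record = donors[donor_id]
    return json.dumps({"donor_id": donor_id, **record}, indent=2, sort_keys=True)


def anonymize_donor(donors, donor_id, controller_id, approvals):
    """Right to be forgotten: clear the PII, keep the transaction history.

    `approvals` models the Controller's sign-off as a set of
    (donor_id, controller_id) pairs; this structure is an assumption of the
    example. The check also refuses a Controller that does not own the record.
    """
    record = donors[donor_id]
    if record["org"] != controller_id or (donor_id, controller_id) not in approvals:
        raise NotAuthorized(f"no approval from {controller_id} for {donor_id}")

    # Overwrite rather than hash: a hash of an email address can be
    # re-linked by anyone who can guess the address, which makes the record
    # pseudonymous rather than anonymous and still personal data under GDPR.
    for field in PII_FIELDS:
        record[field] = None
    record["anonymized"] = True

    # Transaction rows are untouched; they simply no longer point at a person.
    return {
        "retained_transactions": len(record["transactions"]),
        "retained_total": sum(t["amount"] for t in record["transactions"]),
    }


def is_anonymized(record):
    """True once every PII field has been cleared."""
    return record.get("anonymized") is True and all(
        record[f] is None for f in PII_FIELDS
    )


if __name__ == "__main__":
    donors = sample_donors()
    print(export_donor(donors, "d-1001"))  # portability export, before erasure
    approvals = {("d-1001", "org-42")}  # the Controller signs off
    print(anonymize_donor(donors, "d-1001", "org-42", approvals))
    print(is_anonymized(donors["d-1001"]))
```

The order matters in practice: run the portability export before the anonymization, since once the PII fields are cleared there is nothing left to hand back to the individual, and the approval check sits in front of the write so that a support-initiated request still cannot proceed without the Controller's authorization.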


Security and Privacy Program Management

GiveGab’s Data Protection Officer (DPO) can be reached by emailing dpo@givegab.com.


Data Breach Protocol

In the event of a discovered data breach, it is GiveGab’s policy to notify the affected Controllers as well as the Data Protection Authority (DPA) within 72 hours of discovering the breach.

Our Data Breach Protocol requires every notification to include details of what data was exposed and how, the steps taken or planned to contain and remediate the breach, and the likely consequences for the data subjects affected.


Limitation of Purpose and Collection

GiveGab collects PII only to support its legitimate business needs and those of its nonprofit customers (Controllers). We do not sell PII to other vendors, and we do not use PII for purposes unrelated to online fundraising and volunteer and donor management.

It is important for donors to understand the privacy policy and the purpose and collection limits of the organizations to which they give, since those organizations are the Controllers of the data.


Data Protection by Design

GiveGab applies Data Protection by Design (DPD) principles in its daily development and operations workflows. Our code is tested continuously, including scanning third-party libraries for known security vulnerabilities so that affected dependencies are updated and the findings addressed. We use single sign-on and public/private key authentication for system access, and all data in transit is protected by Transport Layer Security (TLS) 1.2 or later (HTTPS).

All GiveGab Enterprise Platform data is securely stored within a PCI DSS Level 1 compliant environment.

Effective April 18, 2018