GiveGab and GDPR
What is GDPR?
The General Data Protection Regulation (GDPR) is legislation passed within the European Union (EU) that focuses on protecting the personal data of EU citizens. The legislation is unique in that it sets forth regulations for any business that controls or processes EU citizen data, regardless of that company’s location. It grants individuals greater control over their personal information, giving them a say on how their data is handled, including what information can be used, whether it can be transferred to third parties, and when it should be erased. GDPR is effective as of May 25th, 2018.
If you’re interested in learning more, the full legislation and additional regulation details can be found here: http://www.eugdpr.org/.
What is GiveGab's role in enforcing GDPR?
GiveGab collects standard personally identifiable information (PII) on volunteers, donors, nonprofit administrators, and others that leverage our platforms to interact with nonprofit organizations. In this case, GiveGab operates as a Processor on behalf of organizations (e.g., nonprofits) which are Controllers within the context of GDPR.
GiveGab has several products that comply with GDPR in different ways. The information below is applicable to GiveGab.com, GiveGab Giving Days, and GiveGab's year-round plans.
GiveGab's Enterprise Platform (previously Kimbia platform) handles GDPR differently, and you can read about that here: GiveGab Enterprise and GDPR
How does GiveGab comply with GDPR?
We have detailed below how, as a Processor, we comply with GDPR.
These documents outline how we use the personally identifiable data we collect.
All users that create accounts on GiveGab are consenting to our Terms and Conditions, which are publicly available at GiveGab.com. Users that choose to create accounts are given the opportunity to hide their PII and to adjust their communication settings, including unsubscribing from notifications.
Additionally, we will be enhancing consent capture during the signup process to more clearly articulate that users are agreeing to GiveGab's terms and conditions as noted above.
Right To Be Forgotten
Any user with an account, or any individual interacting with the platform where PII has been collected, has the right to be forgotten. While we are contractually obligated to keep records of interactions and transactions with the nonprofit organizations (Controllers), we can eliminate PII by anonymizing it. As the Processor, we provide the process and mechanism to do this; however, ultimately, it is up to the Controller to authorize this change.
Users can request this either directly from the nonprofit organization (Controller) with which they have a relationship or by contacting firstname.lastname@example.org. If the user contacts GiveGab support, we still have to interact with the Controller organization to have them approve the anonymization.
GiveGab provides the ability for users to export data about their profile. This data is exportable from the system by logging into the platform and downloading giving history in a commonly used, machine-readable format.
For other data not extractable in this way, users can contact the nonprofit organization (Controller) to which they have donated, and the nonprofit organization can pull the information out of the system by creating a report for that donor.
Security and Privacy Program Management
GiveGab’s Data Protection Officer (DPO) can be reached by emailing email@example.com.
Data Breach Protocol
In the event of a discovered data breach, it is GiveGab’s policy to notify exposed Controllers as well as the Data Protection Authority (DPA) within 72 hours of discovering the breach.
Our Data Breach Protocol requires any notifications to include details about what data was stolen and how, as well as the plan or steps taken to correct the breach and potential consequences to data subjects impacted.
Limitation of Purpose and Collection
GiveGab only collects PII to support its true business needs and the true business needs of its nonprofit customers (Controllers). We do not sell any PII to other vendors. We do not use PII for unrelated purposes outside of online fundraising and volunteer and donor management.
Data Protection by Design
GiveGab applies Data Protection by Design (DPD) principles in its daily development and operations workflows. Our code is continuously tested, including analysis of third-party libraries for security vulnerabilities, so that we can ensure those are updated and addressed. We use single sign-on tools and public/private key encryption for system access, and all data is transmitted securely over Transport Layer Security (TLS) 1.3+ or Hypertext Transfer Protocol Secure (HTTPS).
Data for GiveGab giving day and year-round SaaS customers is encrypted at rest within highly secure cloud IaaS and PaaS. All GiveGab data is securely stored within a PCI- and SOC-compliant IaaS provider. Any sensitive information falling under other compliance regimes is protected with multiple levels of authorization. All passwords are securely hashed.
Effective April 18, 2018