↩ Back to CITN 2019

The ABCs of Compliance for Churches

Why is compliance important?

  • Legal risk
  • Contracts with providers (CC merchants)
  • If regulations don’t apply…stewardship!

Regulatory Standards, Policies, Processes

  • Regulatory: states what you need to do (not how!)
  • Policies: these are yours; address your specific response to requirements
  • Processes/procedures address how you implement policies (how we will do it)

What is PII?

  • Combination of two or more points of info about you
  • With three pieces of info about you, almost guaranteed to be able to positively identify an individual
  • Almost all regulations will cover this somehow


  • Merchant: if you process cards, you’re a merchant (in any form…face to face, mail/telephone, e-commerce, etc)
  • Organization may require multiple SAQs; this is per-environment (online giving, in-person environments, etc.); need to evaluate and fill out appropriate SAQs for your environments
  • Getting things out of scope is key!


  • Applies to anyone who creates, receives, maintains, or transmits ePHI (electronic protected health information)
    • Generally, from a HIPAA perspective, covered entities are ones providing care
    • If you have ePHI, even if not a provider, you should be taking appropriate steps (stewardship, reputation protection, etc.)
      • If this is in your ChMS, probably should be dialoging with your provider about this (especially if it’s in something like a free text field/custom fields, etc.)
  • Example when church might be covered:
    • Church-operated health clinics
    • Licensed counseling clinkics (esp. if take insurance)
    • Self-administered/funded insurace plans
  • Three focus areas:
    • Administrative: who sees/touches it (analyze and inventory)!
      • Training, policy
    • Physical: access controls, media control, device control, etc.
    • Technical: Authentication, encryption, emergency access, audit control, etc.
  • There is no technical specification for a product to be HIPAA compliant; it can help an org be compliant, but a product itself cannot be compliant


  • What are people’s rights with regards to their data?
  • General entities:
    • Individual (whose data is being stored)
    • Entities who collect/process data
    • Entities who process on behalf of primary entitie
    • Apply to data on citizens of: EU, State of CA, Washington State (or data stored in those jurisdictions)
  • No examples of orgs without presence in Europe having GDPR legal action taken (yet)
  • Right to be forgotten…you need to be able to remove someone’s data!
  • GDPR: Children’s consent (under 16 need parent’s approval, between 16 and 13 need both parent and child’s approval)

General Compliance Take-aways

  • You have responsibility to steward data!
  • All about securing personal data
  • Start with defining [and enforcing!] policies for securing your data
  • Encrypt everywhere
  • Attendance and engagement data can get murky, especially if no explicit consent!! 👈


  • https://enableministry.com/citn2019