Hourglass App and the GDPR

[Stoffer]

Seeing as the original thread, voicing the poster's concern, was closed (https://jwtalk.net/forums/topic/24844-hourglass-app/) I have started this new one.

The new European Data Protection Law comes into play this Friday (25th May 2018) so ALL companies and individuals who hold data about European citizens have to comply by this date.

 

My concern with Hourglass is that it holds what the Spanish Data Protection Agency (AEPD) classes as Super-protected data: sex, telephone numbers, personal address etc etc. This would be fine if it was stored on the secretary's own computer with adequate protection or on JW's own servers (this is in the works with the new Publisher ID program) but it is stored on Jon Snyder's server.

 

What happens if he were to get disfellowshipped or leave the organisation for whatever reason? That's a heck of a lot of personal data he has access to. Plus, the majority of brothers and sisters aren't aware that he even HAS their data as it is the congregation secretaries who input it all. I don't have an account for example with him but my data is in his program because our secretary uses it. That's a breach of the GDPR right there as I never gave my consent. Plus there is no way to delete your data unless you have a personal account with Hourglass. Breach number two. For every person he has stored in his database, he has to by law, send them an updated consent form explaining how he will use their data, for how long for, in what format and inform them of their right to access, modify, oppose or delete their data. he has not done this, breach number three.

 

What's all the fuss?,  you might be asking. The fact that our organisation is getting the GDPR forms filled out ASAP shows you they mean business as hefty fines abound for non-compliance. Even though CCJW is based in America, they hold data on European citizens so they have done their due diligence and rolled out these forms. If it was a trivial matter, then they wouldn't have bothered.

 

So brother Joao from Portugal raised a legitimate concern two years ago that is even more relevant today.

 

Last of all, here is a list of the fines for non-compliance:

Up to €20 million, or 4% of the worldwide annual revenue of the prior financial year, whichever is higher, shall be issued for infringements of:

• The basic principles for processing, including conditions for consent, under Articles 5, 6, 7, and 9
• The data subjects’ rights under Articles 12-22
• The transfer of personal data to a recipient in a third country or an international organisation under Articles 44-49
• Any obligations pursuant to Member State law adopted under Chapter IX
• Any non-compliance with an order by a supervisory authority (83.6)

 

The value of the fine to be imposed is not clear-cut and the behaviour of the organisation will be taken into account when determining the value of the fine. This means that organisations certainly have the opportunity to influence the reduction of any fines by acting to fully comply with the Regulation. This includes promoting a culture of data protection and being able to show the steps taken to comply. Organisations that proactively report breaches will be given more credit, showing that the intention and attitude of a company will be considered.

Edited May 21, 2018 by Stoffer
Additional info on the fines

[Brandon]

Yikes! what shall we do?