By now, you must have heard in one form or another about the term GDPR. If you are someone who uses a number of online services, then chances are your inbox has been inundated with updates about it over the past few weeks. If you are still unsure about this very important acronym, read on.
The General Data Protection Regulation (GDPR) is designed to give EU citizens more control over their data and aims to unify a number of existing privacy and security laws under one comprehensive law. GDPR comes into effect on May 25th, 2018 and it contains the strongest set of regulations to date in the areas of privacy and data security. And since the law is applicable to any business having a connection to EU citizens, it has a significant effect on businesses operating anywhere.
How does GDPR impact organizers?
GDPR is primarily about transparency. It’s about letting your attendees know in simple language what you intend to use their data for. We believe it’s a good thing, as it puts the privacy of the attendee first. This post, alongside listing the steps taken by Eventzilla so far, will also attempt to talk about your obligations as an organizer and data controller when collecting and managing your attendees’ personal information. GDPR means organizers will have to take additional effort to gain consent to hold, use and share people’s data.
Key GDPR Principles
GDPR focuses on the rights of individuals. It gives EU citizens more control over how their personal data is used, the right to know what data is being stored and shared, and the ability to opt out at any time. Here’s an overview of the key principles:
- Asking for consent clearly
You can’t use automatic or passive consent when someone registers for your event. Be very clear as to what you will use their personal information for. Also, note that an attendee has the right to withdraw consent at any time.
- Transparency about how you use a person’s data
If an attendee needs to use their email to purchase a ticket to your conference, what do you plan to do with their email? If you want to let them know about future events or contact them for other future marketing communications, then it’s good practice to state that clearly on your event page and ask for their consent.
- Transparency about the retention period for someone’s data
- Provide access to user’s personal data upon request
If an attendee requests details of the information you hold on them, you must be able to provide them with electronic copies of that data within a period of 30 days.
- Portability of user’s personal data upon request
If requested/authorized by an attendee, you may have to give them, or even a competitor service, a copy of their personal information in a commonly used, machine-readable format such as CSV or XML.
- Provide access to the user to update/rectify their personal data
If you’re holding incorrect personal information on an attendee, you need to be able to correct it at their request or provide them with the opportunity to update it on their own.
- Delete user’s personal data upon request
In certain situations, an attendee has ‘the right to be forgotten’, or, in other words, to have their data removed. You need to be able to delete their information at their request. Note, however, that there are some genuine grounds, including legal and financial ones, on which you may refuse a request for removal.
- Use secure data handling practices
Best practice: data security must be built into your processes from their inception. Decide and keep track of who has access to attendee data and restrict transmission of this information. Don’t share it with third parties like sponsors or hotels unless the attendee has consented to you doing so. Put in place a system to revoke former employees’ and consultants’ access to your database. And probably the most obvious one: don’t share passwords.
- Notify users and authorities upon a data breach
With GDPR in effect, you will need to report any data breach to the relevant authority and to the user(s) concerned within 72 hours of discovering the breach.
- Ensure GDPR compliance of vendors and other third parties
Vendors and third parties come in all shapes and sizes. They could include hotels, sponsors, event registration platforms like Eventzilla, CRM software, etc. You should find out whether they are GDPR compliant. Then make sure that you have a contract in place with them reflecting their GDPR compliance.
Eventzilla’s obligations and how we can help
Below is a quick rundown of some useful tools we provide that can assist you with ensuring compliance as the controller of your attendees’ personal information.
- Eventzilla’s “Consent” tool
- Allow Attendees to edit their data using self-service portal
When attendees register for your event, we also provide them with the opportunity to register for the “Attendee portal” to manage their event registrations, re-print their tickets, etc. This portal provides a convenient mechanism for an attendee to review the personal information they supplied at the time of registration. In the event of an inaccuracy, they can be enabled to update and rectify this data themselves. It is, however, your prerogative to enable or disable this capability. If you choose to disable it, you will be solely responsible for updating information on their behalf or for requesting the same through us.
- Export attendees data to extract personal information
The comprehensive export facility provided by Eventzilla will allow you to export all of the information provided to you by attendees with a single click. You can then use this to extract a particular attendee’s information and/or pass it on to another service if your attendee has requested or authorized this.
Reach out to us
We are here to help and to navigate this journey alongside you, so please do not hesitate to get in touch should you have any questions.