Paul Harris
Senior Solutions Consultant
etouches
GDPR: the Steps Event Planners Need to Follow
Why am I speaking?
Tried and tested end to end event management software.
We have seen it all before.
200+k Events launched
180m Marketing emails sent
20m Registrations processed
2500 Customers (logos)
40k Regular users
Before we get started
This presentation regarding GDPR is intended to convey general information only,
and should only be used as a starting point in your understanding of issues relating
to GDPR.
This is not intended as legal advice, nor is it meant to convey legal facts or
opinions. You should consult a licensed attorney or regulatory expert to discuss
your specific legal, compliance, and GDPR-related obligations.
What roles are there in GDPR?
Data Processor. Data Controller. Data Ecosystem.
The Data Processor
This is etouches or most other vendors in your software ecosystem.
The Data Controller
Is this you? Do you own the data? Whether you are a corporation, an association, etc., if you own the data and the responsibility of protecting your customers’ data, regardless of the technology you use to handle it.
The Data Ecosystem
5 Steps to Approaching GDPR
KEY PRINCIPLES OF GDPR
SECURITY, CONSENT, PORTABILITY, PRIVACY, ACCESS, DATA PROTECTION OFFICER
GDPR key principles
Transparency, fairness, and lawfulness in the handling and use of personal data.
You will need to be clear with individuals about how
you are using personal data and will also need a “lawful
basis” to process that data.
The Data Controller
Obtain consent to capture and use
the individual’s data early in the
registration flow.
Set up an “Opt-in” question and
make it required
How?
Art. 6 GDPR Lawfulness of processing
1. Processing shall be lawful only if and to the extent that at least one of the following applies:
• the data subject has given consent to the processing of his or her personal data for one or more specific
purposes;
• processing is necessary for the performance of a contract to which the data subject is party or in order to take
steps at the request of the data subject prior to entering into a contract;
• processing is necessary for compliance with a legal obligation to which the controller is subject;
• processing is necessary in order to protect the vital interests of the data subject or of another natural person;
• processing is necessary for the performance of a task carried out in the public interest or in the exercise of
official authority vested in the controller;
• processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party,
except where such interests are overridden by the interests or fundamental rights and freedoms of the data
subject which require protection of personal data, in particular where the data subject is a child.
Document your
decision
GDPR key principles
Limiting the processing of personal data to specified, explicit, and legitimate purposes.
You will not be able to re-use or disclose personal data for
purposes that are not “compatible” with the purpose for
which the data was originally collected.
Minimizing the collection and storage of personal data to that
which is adequate and relevant for the intended purpose.
The Data Controller
The Data Processor
Obtain consent to capture and use
the individual’s data early in the
registration flow.
Link to your Privacy Policy
How?
Ditch the
spreadsheet
GDPR key principles
Ensuring the accuracy of personal data and enabling it to be erased or rectified.
The Data Controller
The Data Processor
Leverage features within your vendor.
Cross event attendee search
Purge data function
How?
You will need to take steps to ensure that the personal
data you hold is accurate and can be corrected if errors
occur.
Limiting the storage of personal data. You will need to
ensure that you retain personal data only for as long as
necessary to achieve the purposes for which the data
was collected.
GDPR key principles
Ensuring security, integrity, and confidentiality of personal data.
The Data Controller
The Data Processor
Review data security policies.
Request documents
Ask to speak with your vendor’s
DPO if you have any questions
about specific situations
2 Factor Authentication
Links to reports
Activate fingerprint login on event
apps
How?
Your organization must take steps to keep
personal data secure through technical and
organizational security
Your GDPR Commitment
Data controllers must make certain disclosures to data subjects before collecting their personal information
The identity of the controller
The purpose for processing
Any recipients of the data
How long the data will be stored
If the data is being transferred to another country: where is it going,
and which transfer safeguard is being relied upon
The ability to withdraw consent at any time
The right to request access to data, correction of data or limitation
of processing
The right to lodge a complaint with the supervisory authority.
The Data Controller
These disclosures must be in an easily accessible form and written in plain language
Do you need a DPO?
etouches GDPR Commitment
What we will be doing for our data controllers
The Data Processor
Only process data in accordance with a controller’s instructions
Provide controllers with notice and information of new sub-processors
Support controllers in managing data subject requests
Abide by the GDPR breach notification requirements
Assist controllers with data protection impact assessments and related
consultations
Ensure the security of processing in accordance with the GDPR.
EBOOK ON GDPR
The impact of GDPR on meetings & events
What the role of meeting and event planners is in
GDPR
What events and meetings data falls under GDPR
The impact of point solutions in event technology
What a Data Protection Officer is
The path to compliance with an event technology
officer
https://offers.etouches.com/gdpr-for-meetings-and-events
GDPR: the Steps Event Planners Need to Follow

  • 1. Paul Harris Senior Solutions Consultant etouches GDPR: the Steps Event Planners Need to Follow
  • 2. Why am I speaking? Tried and tested end to end event management software. We have seen it all before. 200+k Events launched 180m Marketing emails sent 20m Registrations processed 2500 Customers (logos) 40k Regular users
  • 3. Before we get started This presentation regarding GDPR is intended to convey general information only, and should only be used as a starting point in your understanding of issues relating to GDPR. This is not intended as legal advice, nor is it meant to convey legal facts or opinions. You should consult a licensed attorney or regulatory expert to discuss your specific legal, compliance, and GDPR-related obligations.
  • 4. What roles are there in GDPR? Data Processor. Data Controller. Data Ecosystem. This is etouches or most other vendors in your software ecosystem. The Data ControllerThe Data Processor Is this you? Do you own the data? Whether you are a corporation, an association, etc., if you own the data and the responsibility of protecting your customers’ data, regardless of the technology you use to handle it. The Data Ecosystem
  • 5. 5 Steps to Approaching GDPR
  • 6. SECURITY CONSENT PORTABILITY PRIVACY ACCESS DATA PROTECTION OFFICER KEY PRINCIPLES OF GDPR
  • 7. GDPR key principles Transparency, fairness, and lawfulness in the handling and use of personal data. You will need to be clear with individuals about how you are using personal data and will also need a “lawful basis” to process that data. The Data Controller Obtain consent to capture and use the individual’s data early in the registration flow. Setup an “Opt-in” question and make it required How?
  • 8. Art. 6 GDPR Lawfulness of processing 1Processing shall be lawful only if and to the extent that at least one of the following applies: • the data subject has given consent to the processing of his or her personal data for one or more specific purposes; • processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; • processing is necessary for compliance with a legal obligation to which the controller is subject; • processing is necessary in order to protect the vital interests of the data subject or of another natural person; • processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; • processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. GDPR key principles Transparency, fairness, and lawfulness in the handling and use of personal data.
  • 9. Document your decision GDPR key principles Transparency, fairness, and lawfulness in the handling and use of personal data.
  • 12. GDPR key principles: Limiting the processing of personal data to specified, explicit, and legitimate purposes. You will not be able to re-use or disclose personal data for purposes that are not “compatible” with the purpose for which the data was originally collected. Minimizing the collection and storage of personal data to that which is adequate and relevant for the intended purpose. The Data Controller. The Data Processor. How? Obtain consent to capture and use the individual’s data early in the registration flow. Link to your Privacy Policy.
  • 13. GDPR key principles Limiting the processing of personal data to specified, explicit, and legitimate purposes. Ditch the spreadsheet
  • 14. GDPR key principles: Ensuring the accuracy of personal data and enabling it to be erased or rectified. You will need to take steps to ensure that the personal data you hold is accurate and can be corrected if errors occur. Limiting the storage of personal data. You will need to ensure that you retain personal data only for as long as necessary to achieve the purposes for which the data was collected. The Data Controller. The Data Processor. How? Leverage features within your vendor: cross-event attendee search; purge data function.
  • 15. GDPR key principles: Ensuring security, integrity, and confidentiality of personal data. The Data Controller. The Data Processor. How? Review data security policies. Request documents. Ask to speak with your vendor’s DPO if you have any questions about specific situations. 2 Factor Authentication. Links to reports. Activate fingerprint login on event apps. Your organization must take steps to keep personal data secure through technical and organizational security
  • 16. Your GDPR Commitment. Data controllers must make certain disclosures to data subjects before collecting their personal information: the identity of the controller; the purpose for processing; any recipients of the data; how long the data will be stored; if the data is being transferred to another country, where it is going and which transfer safeguard is being relied upon; the ability to withdraw consent at any time; the right to request access to data, correction of data or limitation of processing; the right to lodge a complaint with the supervisory authority. The Data Controller. These disclosures must be in an easily accessible form and written in plain language.
  • 17. Do you need a DPO?
  • 18. etouches GDPR Commitment What we will be doing for our data controllers
  • 19. etouches GDPR Commitment: What we will be doing for our data controllers. The Data Processor: only process data in accordance with a controller’s instructions; provide controllers with notice and information of new sub-processors; support controllers in managing data subject requests; abide by the GDPR breach notification requirements; assist controllers with data protection impact assessments and related consultations; ensure the security of processing in accordance with the GDPR.
  • 20. etouches GDPR Commitment What we will be doing for our data controllers The Data Processor
  • 23. EBOOK ON GDPR: The impact of GDPR on meetings & events; What the role of meeting and event planners is in GDPR; What events and meetings data falls under GDPR; The impact of point solutions in event technology; What a Data Protection Officer is; The path to compliance with an event technology officer. https://offers.etouches.com/gdpr-for-meetings-and-events

Editor's Notes

  1. Today, we’ll be talking about the hot topic everyone is hearing about: GDPR. What is it? What does it mean for your organization? Your events? In this session, we will aim to focus specifically on how GDPR is affecting the meetings & events industry.
  2. Before we start, I need to let you know that this presentation regarding GDPR is intended to convey general information only, and should only be used as a starting point in your understanding of issues relating to GDPR.  This is not intended as legal advice, nor is it meant to convey legal facts or opinions. You should consult a licensed attorney or regulatory expert to discuss your specific legal, compliance, and GDPR-related obligations.
  3. As we talk about GDPR today, it’s important for you to first understand a few key definitions as they relate to GDPR compliance and process changes. - Data Processor: This is etouches. Any other vendor in your software ecosystem. Anytime you move customer data into those platforms – they represent processors. - Data Controller: This is you. Without data controllers there would be no need for processors. GDPR looks at you as the owner of customer data. If something were to happen it’s incumbent on you to manage the process and ensure you are doing the right thing for your customers. - Data Ecosystem: Without this we wouldn’t need data controllers. Example of what a typical enterprise client might have for their ecosystem. GDPR focuses on data, and it starts with inbound data and how it flows within the processors and how it comes out on the outbound side. Important to think about the different ways that the data will flow between them. In summary, there is ONE simple rule: the data processor (again, us, etouches or any vendor) is here to work hand in hand with YOU, the controller, to help you achieve compliance based on your own organization’s standards & policies. A good data processor is the one that has documented policies and state-of-the-art practices on data management (privacy, security, access, hosting, data transfer, encryption, etc.) and proactively offers tools (data purge, data queries) to the controller. A vendor shouldn’t claim it is GDPR compliant – it is up to the controller to achieve compliance. Now that we’ve clarified who’s who and who does what, let’s dig deeper into GDPR, but before getting too specific, let’s review some of the key concepts that will hopefully help you better understand the philosophy of the law.
  4. GDPR focuses on giving any EU citizen the private info that you may have on them, upon their request. This 5 step process will help you along the way to uncover & share that information. Discover: Think back to that ecosystem diagram…. Where do you have data stored and how is it moved between systems? Manage: You need clear guidelines on how your data is being used (in case your clients ever ask for it). You also need to be able to access it easily in the event someone requests it. The burden of proof is on you now. Protect: How secure is your information? Outlining how your data is protected in transit, at-rest etc. Think of your PCI compliance or Safe Harbour Act. Reveal: This is somewhat related to the “Manage” step in the process. You need to be able to give your EU citizens access to their data when they want it and be able to remove it quickly for them as well (i.e. data purge). The right to be forgotten. Report: Making sure that you have all of your processes in place to comply with the new standards. You need to know where you are receiving your data from and how it is being used at any time because if your client asks where they originally gave you consent to email them you need to know what date, time and how! All of this will be covered in the next few slides that Vince and I will discuss so you will have a better idea of how this all fits into the event process.
  5. Here we are not talking steps from a project standpoint, like with the previous slide, but rather key compliance achievements. Security: this is PARAMOUNT. We will talk about a few security aspects later on, but your vendor needs to be strong: hosting, encryption, password management, PCI certification, etc. Consent is the second most important, and from a meetings and events standpoint, this is going to be a central topic for planners. We will cover this in detail. Portability means you need to make sure you allow data transfer to another provider (or competitor). Privacy needs to be understood as privacy by design or by default. It goes together with consent; again, the concept of transparency, where you need to contain data usage to what’s been disclosed. This one is a challenge: how often have you clicked on the bottom of a 10 paragraph disclosure... Well, same here. It reminds me of a story in terms of password protection: super highly secured password policy: renew every 90 days, 1 special character, one letter, a cap letter and never reuse the same password twice. Results: all passwords were written on Post-it notes. Highly secured!! Access means that you need to grant access to any EU citizen. OK, you don’t have to give him your admin password; it means that you need to map the data across systems to export (and eventually delete) all his information. And finally, a DPO, a data protection officer, should be appointed to handle most of this! We will talk later about the DPO. The very reason I insist on the fact that YOU are the one to comply with GDPR is because (and we already briefly touched on this) events and meetings are just one aspect of an often broader ecosystem. And it is the ecosystem, which is specific to you, that must comply.
  6. Read subtitle. This is incumbent on the data controller to take the lead. Need to be clear on how you will use personal data. And you need a lawful basis to process this (straight from GDPR regulations). Many are already doing this, but you should set up an opt-in question during reg flow and make it required. Will vary from business to business and event to event. Important to get consent of the customer right up front before you capture any key data from them. Don’t have your check boxes on forms automatically accepted; they need to check this themselves. Silence does not constitute consent, so if you send out an email asking people to opt in and they don’t respond, that doesn’t mean you can reach out to them; they need to physically say yes in some way. Always assume someone needs to opt in rather than opt out – some of us call it double opt in. So just because you got someone’s business card at a show doesn’t necessarily mean you can add them to your newsletter list. Sure, you can email them to talk business, etc., but if you are going to market to them you need them to opt in to receiving that communication.
  8. The burden of proof is on you. Can you mitigate the risk of prosecution?
  11. Read subtitle. Collaboration between processor and controller comes into play. When you ask for consent you are doing so by explaining how you are using it and ensuring that you are using it for a legitimate purpose. Need to minimize the storage of personal data so it’s relevant for that purpose. As the processor we will help you to ensure we don’t track individuals on the website in a personally identifiable way. How to handle this? Obtain consent. Let them know what you will use it for. Privacy policies come into play. Make sure you have one and link in your event website. We have one that you can use as a reference and you can always link to ours as well, but it is limited to us as a processor.
  12. Read subtitle. Collaboration is key. An individual is going to ask to be removed from the database; they will ask you, the controller – come to you first – and you need the tools to comply with their request. We (etouches) have added the ability to data purge on the individual level and event level. Done in a way that complies with regulation by removing personal data but not removing all data that is relevant for your business, like financials and attendance counts.
  13. Read subtitle. Collaborative process. Broad in principle and topic – goes into all data. We have produced a lot of data security documents: data at rest; regional data centers; not transferring data if it needs to stay local. Encourage you to look at our data security documents and send them along to people at your organization that need to be made aware. We have worked with customers in a very direct way. We have a data protection officer at etouches, working with customers to answer questions that go beyond the scope of what is documented or are more specific to their requirements.
  14. You need to tell people what you are going to do with the data that you have. These are all things that you need to have in your disclosures so that it covers any questions that your attendees or clients may have on what you are doing with the information with your forms. Read off the bullets and then focus on bullet 5 with the below comment: with etouches we combat this with our data centers in US, EU and APAC. Depending on where yours is hosted – for example, you are a US company but you host events in Europe – you may be on the etouches US server, so you will need to make it clear to your attendees that it will be transferred overseas, but you can reference all of etouches’ data privacy documents to let them know how it is being protected at rest and in transit.
  15. DPO – need to nominate someone to handle data privacy management, to be liaison between the company and EU citizens. Employee. New role. Freelancer (external). Expert coordinates policies and processes and makes sure they are enforced. They also help with the reporting, maintenance of data, etc. You need to make sure they have the authority and bandwidth to access the C-level of your organization. They are there to protect your organization. They are not mandatory – check with your organization’s own policies to see if you think this is necessary. For example, we have one at etouches because we know this is something that many of you are going to be asking about, so we want a team member dedicated to help you through these requests.
  16. What are we doing for you? How can we ensure you are compliant? We will give you the tools to empower you as a data controller to be compliant. Not going to do anything; you control the data flow, what you are collecting, how you are using it. Requirement in regulation: we establish who we use to process our data; it is AWS; we will notify you if this changes. If you have someone who comes to you and wants their info wiped, we give you the tools to do it in the system and we will help train you on how to do it yourself. If you do have a specific question on GDPR, reach out and we will help you answer it.
  21. This eBook was created by etouches at the end of 2017 to help planners prepare for May 25th. The book focuses directly on how this will impact event and meeting professionals specifically. It also outlines how etouches will assist planners on their journey to understand GDPR. This is available via a link in our resources section in your navigation below our slides, or you can follow the URL listed in the slides.