GDPR regulation is taking effect May 25th. While many event planners are nervous about what this means for their events, they don't have to be. This presentation gives an overview of the new regulation and what you need to do to stay compliant.
2. Why am I speaking?
Tried and tested end to end event management software.
We have seen it all before.
200+k events launched
180m marketing emails sent
20m registrations processed
2500 customers
40k regular users
3. Before we get started
This presentation regarding GDPR is intended to convey general information only,
and should only be used as a starting point in your understanding of issues relating
to GDPR.
This is not intended as legal advice, nor is it meant to convey legal facts or
opinions. You should consult a licensed attorney or regulatory expert to discuss
your specific legal, compliance, and GDPR-related obligations.
4. What roles are there in GDPR?
Data Processor. Data Controller. Data Ecosystem.
The Data Processor: This is etouches or most other vendors in your software ecosystem.
The Data Controller: Is this you? Do you own the data? Whether you are a corporation, an association, etc., if you own the data and bear the responsibility of protecting your customers’ data, regardless of the technology you use to handle it, you are the data controller.
The Data Ecosystem
7. GDPR key principles
Transparency, fairness, and lawfulness in the handling and use of personal data.
You will need to be clear with individuals about how you are using personal data and will also need a “lawful basis” to process that data.
The Data Controller. How? Obtain consent to capture and use the individual’s data early in the registration flow. Set up an “Opt-in” question and make it required.
8. Art. 6 GDPR Lawfulness of processing
1. Processing shall be lawful only if and to the extent that at least one of the following applies:
• the data subject has given consent to the processing of his or her personal data for one or more specific
purposes;
• processing is necessary for the performance of a contract to which the data subject is party or in order to take
steps at the request of the data subject prior to entering into a contract;
• processing is necessary for compliance with a legal obligation to which the controller is subject;
• processing is necessary in order to protect the vital interests of the data subject or of another natural person;
• processing is necessary for the performance of a task carried out in the public interest or in the exercise of
official authority vested in the controller;
• processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party,
except where such interests are overridden by the interests or fundamental rights and freedoms of the data
subject which require protection of personal data, in particular where the data subject is a child.
12. GDPR key principles
Limiting the processing of personal data to specified, explicit, and legitimate purposes.
You will not be able to re-use or disclose personal data for purposes that are not “compatible” with the purpose for which the data was originally collected.
Minimizing the collection and storage of personal data to that which is adequate and relevant for the intended purpose.
The Data Controller / The Data Processor. How? Obtain consent to capture and use the individual’s data early in the registration flow. Link to your Privacy Policy.
13. GDPR key principles
Limiting the processing of personal data to specified, explicit, and legitimate purposes.
Ditch the spreadsheet
14. GDPR key principles
Ensuring the accuracy of personal data and enabling it to be erased or rectified.
You will need to take steps to ensure that the personal data you hold is accurate and can be corrected if errors occur.
Limiting the storage of personal data. You will need to ensure that you retain personal data only for as long as necessary to achieve the purposes for which the data was collected.
The Data Controller / The Data Processor. How? Leverage features within your vendor: cross-event attendee search, purge data function.
15. GDPR key principles
Ensuring security, integrity, and confidentiality of personal data.
Your organization must take steps to keep personal data secure through technical and organizational security.
The Data Controller / The Data Processor. How? Review data security policies. Request documents. Ask to speak with your vendor’s DPO if you have any questions about specific situations. 2 Factor Authentication. Links to reports. Activate fingerprint login on event apps.
16. Your GDPR Commitment
Data controllers must make certain disclosures to data subjects before collecting their personal information:
The identity of the controller
The purpose for processing
Any recipients of the data
How long the data will be stored
If the data is being transferred to another country: where is it going, and which transfer safeguard is being relied upon
The ability to withdraw consent at any time
The right to request access to data, correction of data or limitation of processing
The right to lodge a complaint with the supervisory authority.
The Data Controller: These disclosures must be in an easily accessible form and written in plain language.
19. etouches GDPR Commitment
What we will be doing for our data controllers
The Data Processor
Only process data in accordance with a controller’s instructions
Provide controllers with notice and information of new sub-processors
Support controllers in managing data subject requests
Abide by the GDPR breach notification requirements
Assist controllers with data protection impact assessments and related
consultations
Ensure the security of processing in accordance with the GDPR.
23. EBOOK ON GDPR
The impact of GDPR on meetings & events
What the role of meeting and event planners is in GDPR
What events and meetings data falls under GDPR
The impact of point solutions in event technology
What a Data Protection Officer is
The path to compliance with an event technology officer
https://offers.etouches.com/gdpr-for-meetings-and-events
Editor's Notes
Today, we’ll be talking about the hot topic everyone is hearing about: GDPR. What is it? What does it mean for your organization? Your events? In this session, we will aim to focus specifically on how GDPR is affecting the meetings & events industry.
Before we start, I need to let you know that this presentation regarding GDPR is intended to convey general information only, and should only be used as a starting point in your understanding of issues relating to GDPR. This is not intended as legal advice, nor is it meant to convey legal facts or opinions. You should consult a licensed attorney or regulatory expert to discuss your specific legal, compliance, and GDPR-related obligations.
As we talk about GDPR today, it’s important for you to first understand a few key definitions as they relate to GDPR compliance and process changes.
-Data Processor
This is etouches
Any other vendor in your software ecosystem
Any time you move customer data into those platforms, they represent processors
-Data Controller
This is you
Without data controllers there would be no need for processors
GDPR looks at you as the owner of customer data
If something were to happen, it’s incumbent on you to manage the process and ensure you are doing the right thing for your customers
-Data Ecosystem
Without this, there would be no need for data controllers
Example of what a typical enterprise client might have for their ecosystem
GDPR focuses on data: it starts with inbound data, how it flows within the processors, and how it comes out on the outbound side
Important to think about the different ways that the data will flow between them
In summary, there is ONE simple rule: the Data processor (again, us, etouches or any vendor) is here to work hand in hand with YOU, the controller, to help you achieve compliance based on your own organization’s standards & policies.
A good data processor is the one that has documented policies and state of the art practices on data management (privacy, security, access, hosting, data transfer, encryption, etc..) and proactively offers tools (data purge, data queries) to the controller. A vendor shouldn’t claim it is GDPR compliant – it is up to the controller to achieve compliance.
Now that we’ve clarified who’s who and who does what, let’s dig deeper into GDPR. Before getting too specific, let’s review some of the key concepts that will hopefully help you better understand the philosophy of the law.
GDPR focuses on giving any EU citizen the private info that you may have on them, upon their request. This 5 step process will help you along the way to uncover & share that information.
Discover: Think back to that ecosystem diagram…. Where do you have data stored and how is it moved between systems?
Manage: You need clear guidelines on how your data is being used (in case your clients ever ask for it). You also need to be able to access it easily in the event someone requests it. The burden of proof is on you now.
Protect: How secure is your information? Outlining how your data is protected in transit, at-rest etc. Think of your PCI compliance or Safe Harbour Act.
Reveal: This is somewhat related to the “Manage” step in the process. You need to be able to give your EU citizens access to their data when they want it and be able to remove it quickly for them as well (i.e. data purge). The right to be forgotten.
Report: Making sure that you have all of your processes in place to comply with the new standards. You need to know where you are receiving your data from and how it is being used at any time because if your client asks where they originally gave you consent to email them you need to know what date, time and how!
All of this will be covered in the next few slides that Vince and I will discuss so you will have a better idea of how this all fits into the event process.
Here we are not talking steps, from a project standpoint like with the previous slide, rather key compliance achievements,
Security: this is PARAMOUNT. We will talk about a few security aspects later on, but your vendor needs to be strong: hosting, encryption, password management, PCI certification, etc.
Consent is the second most important, and from a meetings and events standpoint, this is going to be a central topic for planners. We will cover this in detail.
Portability means you need to make sure you allow data transfer to another provider (or competitor). Privacy needs to be understood as privacy by design or by default. It goes together with consent, again the concept of transparency, where you need to contain data usage to what’s been disclosed. This one is a challenge: how often have you clicked at the bottom of a 10-paragraph disclosure? Well, same here. It reminds me of a story in terms of password protection: a super highly secured password policy, renew every 90 days, one special character, one letter, one capital letter, and never reuse the same password twice. The result: all passwords were written on Post-it notes. Highly secured!
Access means that you need to grant access to any EU citizen. OK, you don’t have to give them your admin password; it means that you need to map the data across systems to export (and eventually delete) all their information.
Finally, a DPO, a data protection officer, should be appointed to handle most of this! We will talk later about the DPO.
The very reason I insist on the fact that YOU are the one who must comply with GDPR is because (and we already briefly touched on this) events and meetings are just one aspect of an often broader ecosystem. And it is the ecosystem, which is specific to you, that must comply.
Read subtitle
This is incumbent on the data controller to take the lead
Need to be clear on how you will use personal data
And you need a lawful basis to process this (straight from GDPR regulations)
Many are already doing this, but you should set up an opt-in question during the reg flow and make it required
Will vary from business to business and event to event
Important to get consent of the customer right up front before you capture any key data from them
Don’t have the check boxes on your forms pre-checked; attendees need to check them themselves
Silence does not constitute consent, so if you send out an email asking people to opt in and they don’t respond, that doesn’t mean you can reach out to them; they need to physically say yes in some way
Always assume someone needs to opt in rather than opt out – some of us call it double opt-in. So just because you got someone’s business card at a show doesn’t necessarily mean you can add them to your newsletter list. Sure, you can email them to talk business, etc., but if you are going to market to them you need them to opt in to receiving that communication.
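An added illustration (not code from the deck or from etouches) of the opt-in rules above and of the “Report” step, where you must be able to say when and how consent was given: a small consent ledger that treats an unchecked box or silence as no consent, lets a later withdrawal override an earlier opt-in, and keeps date, time and source for each change. The purpose names, the sample e-mail addresses and the `lawful_basis` helper are assumptions made for the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import List, Optional


@dataclass(frozen=True)
class ConsentEvent:
    subject: str      # attendee identifier (constructed sample e-mails below)
    purpose: str      # what the data is used for, e.g. "marketing"
    given: bool       # True = opted in, False = withdrawn
    source: str       # how it was captured, e.g. "registration form opt-in checkbox"
    at: datetime      # when (UTC), so date and time can be produced on request


class ConsentLedger:
    """Append-only record of opt-ins and withdrawals per subject and purpose."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, subject: str, purpose: str, given: bool, source: str, at: datetime) -> None:
        self._events.append(ConsentEvent(subject, purpose, given, source, at))

    def latest(self, subject: str, purpose: str) -> Optional[ConsentEvent]:
        matching = [e for e in self._events if e.subject == subject and e.purpose == purpose]
        return max(matching, key=lambda e: e.at) if matching else None

    def has_consent(self, subject: str, purpose: str) -> bool:
        # No recorded opt-in means no consent (silence is not consent), and a
        # withdrawal recorded after an opt-in overrides the earlier opt-in.
        latest = self.latest(subject, purpose)
        return latest is not None and latest.given


def record_registration(ledger: ConsentLedger, email: str, form: dict, at: datetime) -> None:
    """Handle one registration form. The opt-in box defaults to unchecked, so only
    an explicit True (the attendee ticked it) creates a marketing consent record."""
    if form.get("marketing_opt_in") is True:
        ledger.record(email, "marketing", True, "registration form opt-in checkbox", at)


def lawful_basis(ledger: ConsentLedger, email: str, purpose: str, registered: bool) -> Optional[str]:
    """Return the Art. 6 basis that permits this processing, or None if there is none."""
    if purpose == "event_admin" and registered:
        return "contract"   # Art. 6(1)(b): needed to perform the registration itself
    if purpose == "marketing" and ledger.has_consent(email, purpose):
        return "consent"    # Art. 6(1)(a): an explicit opt-in is on record
    return None             # e.g. a business card from a show: no basis for marketing


def demo() -> dict:
    ledger = ConsentLedger()
    t0 = datetime(2018, 5, 25, 9, 0, tzinfo=timezone.utc)
    # Constructed sample: alice ticked the box, bob left it at its unchecked default
    record_registration(ledger, "alice@example.com", {"marketing_opt_in": True}, t0)
    record_registration(ledger, "bob@example.com", {"marketing_opt_in": False}, t0)
    # Later the same day alice withdraws via an unsubscribe link
    ledger.record("alice@example.com", "marketing", False, "unsubscribe link", t0.replace(hour=12))
    evidence = ledger.latest("alice@example.com", "marketing")
    return {
        "alice_event_admin": lawful_basis(ledger, "alice@example.com", "event_admin", True),
        "alice_marketing": lawful_basis(ledger, "alice@example.com", "marketing", True),
        "bob_marketing": lawful_basis(ledger, "bob@example.com", "marketing", True),
        "carol_marketing": lawful_basis(ledger, "carol@example.com", "marketing", False),
        "alice_marketing_evidence": (evidence.source, evidence.at.isoformat()),
    }
```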
The burden of proof is on you. Can you mitigate the risk of prosecution?
Read subtitle
Collaboration between processor and controller comes into play
When you ask for consent you are doing so by explaining how you are using it and ensuring that you are using it for a legitimate purpose
Need to minimize the storage of personal data so it’s relevant for that purpose
As the processor we will help you to ensure we don’t track individuals on the website in a personally identifiable way
How to handle this?
Obtain consent
Let them know what you will use it for
Privacy policies come into play
Make sure you have one and link it on your event website
We have one that you can use as a reference and you can always link to ours as well but it is limited to us as a processor
Read subtitle
Collaboration is key
When an individual asks to be removed from the database, they will ask you, the controller. They come to you first, and you need the tools to comply with their request
We (etouches) have added the ability to data purge on the individual level and event level
Done in a way that complies with regulation by removing personal data but not removing all data that is relevant for your business like financials and attendance counts
Read subtitle
Collaborative process
Broad in principle and topic – goes into all data
We have produced a lot of data security documents
Data at rest
Regional data centers
Not transferring data if it needs to stay local
Encourage you to look at our data security documents and send along to people at your organization that need to be made aware
We have worked with customers in a very direct way
We have a data protection officer at etouches
Working with customers to answer questions that go beyond the scope of what is documented or more specific to their requirements
You need to tell people what you are going to do with the data that you have. These are all things that you need to have in your disclosures so that it covers any questions that your attendees or clients may have on what you are doing with the information with your forms.
Read off the bullets and then focus on bullet 5 with the below comment:
With etouches we combat this with our data centers in the US, EU and APAC. Depending on where yours is hosted (for example, you are a US company but you host events in Europe), you may be on an etouches US server, so you will need to make it clear to your attendees that their data will be transferred overseas. You can reference all of etouches’ data privacy documents to let them know how it is being protected at rest and in transit.
DPO – need to nominate someone to handle data privacy management and be the liaison between the company and EU citizens
Employee
New role
Freelancer (external)
Expert coordinates policies and processes and makes sure they are enforced. They also help with the reporting, maintenance of data, etc.
You need to make sure they have the authority and bandwidth to access the C-level of your organization
They are there to protect your organization
They are not mandatory – check with your organization’s own policies to see if you think this is necessary.
For example we have one at etouches because we know this is something that many of you are going to be asking about so we want a team member dedicated to help you through these requests.
What are we doing for you? How can we ensure you are compliant?
We will give you the tools to empower you as a data controller to be compliant
We are not going to do anything on our own: you control the data flow, what you are collecting, and how you are using it
Requirement in the regulation: we establish who we use to process our data (it is AWS) and we will notify you if this changes
If someone comes to you and wants their info wiped, we give you the tools to do it in the system, and we will help train you on how to do it yourself
If you do have a specific question on GDPR, reach out and we will help you answer it
This eBook was created by etouches at the end of 2017 to help planners prepare for May 25th. The book focuses directly on how this will impact event and meeting professionals specifically. It also outlines how etouches will assist planners on their journey to understand GDPR. This is available via a link in our resources section in your navigation below our slides, or you can follow the URL listed in the slides.