Is Your Event Tech Ready for GDPR?
Written by CadmiumCD Contributor, Pamela Shigeoka.
If you’re involved in the events industry, you’ve probably heard of the General Data Protection Regulation, or GDPR, that’s going into effect this month. All companies that manage data from citizens of the European Union must comply with this set of laws and regulations, and if they don’t, they could be subject to large fines.
So what do you as an event planner need to think about now that GDPR is here? CadmiumCD has been preparing for GDPR, and we want to assure you that if you use our services, you are absolutely prepared to handle data in a way that meets these new regulations. We held a webinar on April 24th to discuss GDPR and what CadmiumCD is doing to make sure we and our clients are in full compliance. Jason A. Bernstein, a partner at Barnes & Thornburg LLP who specializes in data security and privacy law, discussed the basics of GDPR, and Bryan A. Scott, CadmiumCD’s chief strategy officer and data protection administrator, explained the steps CadmiumCD has taken to prepare for this legislation.
What Does It Mean To Be GDPR Ready?
The simplest explanation of GDPR is that it is a set of rules that protect individuals’ privacy. The legislation regulates the processing of EU residents’ and citizens’ personal data, including collection, use, transfer, monitoring, tracking, and even viewing of personal data. It goes into effect on May 25, 2018.
Data subjects, as individuals are called in the GDPR, have more rights to control their data. This creates a massive compliance challenge for US companies doing business in Europe. It’s critical for companies who control EU citizens’ data to know that the data processor they’re working with is compliant with GDPR. Data subjects will need to opt in to having their data collected instead of opting out after the fact. They have to consent first, before you are able to collect any of their data.
Does GDPR Apply to You?
GDPR applies to any organization that processes the data of EU residents or citizens. Your company doesn’t need to be based in the EU; it applies even if you don’t have an EU presence. It applies if you offer goods and/or services in the EU, and if you’re monitoring EU data subjects’ behavior. It does not, however, apply to collecting data from an EU resident who is outside of the EU when data is collected. For example, if you’re holding a medical conference in Kansas and a German citizen attends, the data you collect in the United States would not be subject to GDPR. Any data you collect while that German citizen is still in the EU, however, would be subject.
GDPR applies to you if you:
- offer goods/services in the EU
- monitor EU data subjects’ behavior
- collect personal data from EU residents
- collect personal data only as part of a marketing survey
- have EU customers
- target data subjects in an EU country (generic marketing, i.e. not marketing specifically to EU residents)
Basic Definitions
Personal data is any information relating to an identifiable individual, called the data subject. This data doesn’t need to be sensitive or secret. Name, email, ID number, photo, location, and IP address are all included under the umbrella of personal data. GDPR also defines special categories of data, including “data concerning health,” meaning personal data relating to the physical or mental health of a data subject. This category includes the provision of health care services, which can reveal information about health status. For these more sensitive categories, there is a higher bar you must reach in how you treat that data.
There are two important terms to know if you’re someone who collects or manages data: Controller and Processor. The Controller is the organization which, alone or jointly with others, determines the purposes and means of the processing. The Processor processes personal data on behalf of the Controller. You can be both the Controller and the Processor if you’re collecting and processing the data and determining what it’s for. CadmiumCD is an example of a Processor.
The Controller – Processor Relationship
The Controller:
- determines purposes and means of processing
- can only use GDPR-compliant Processors
- has primary responsibility for compliance
The Processor:
- processes data on Controller’s instructions
- assumes liability of sub-processors
- deletes/returns data on request
- works with compliance audits
- takes reasonable steps to secure data
- notifies controller of data breach
- informs controller if processing instructions infringe on data subject’s rights
What Should You Be Doing At This Point?
First things first, you need to assess whether GDPR applies to you. Know thyself, know thy data. Know how and why your data is collected, stored, used, processed, and disclosed. Under GDPR, you have to disclose what you’re collecting, how you’re storing it, and what you’re using it for in order to get consent from data subjects.
Then, you should determine what level of compliance is needed. Do a gap analysis of what you’re doing now and what the GDPR requires you to do.
Once you know your level of compliance, develop a plan for compliance. You should decide how you’re going to provide informed notice and get informed consent.
Finally, you should implement the plan, including:
- Consult with outside counsel on legal obligations to make sure your plans are fully compliant
- Update your website terms of use and privacy policy. They must be presented in a GDPR-compliant way so that they are enforceable.
- Make sure your vendor agreements cover data processing
- Update internal processes documentation
- Review your cyber insurance policy
What Is CadmiumCD Doing To Be GDPR Ready?
Data privacy and processing transparency is very important to CadmiumCD, and GDPR is allowing us to take privacy and transparency to the next level. Here’s what we’re doing to make sure we’re compliant with GDPR so you won’t need to worry.
Website Privacy Policy and Consent
Our privacy policy is located on all of our corporate websites and related forms. We’ve updated it to clearly explain how we collect and use information, and what users’ rights are. The privacy policy is easy to locate and is written in easy-to-understand language. It outlines how we’re using your data and what your rights are with regard to your data. We provide affirmative opt-in consent to data processing.
Our privacy policy outlines the scope of information that we collect: how we use the data we collect, including personal data; how data subjects have a choice in how we use their information; the tracking technology that we use on our sites; how long we retain data; the collection of affirmative consent; and the ability to withdraw consent. It also affirms that we will never sell any data we collect through our website to a third party.
We’ve also updated our website forms so affirmative opt-in consent is required to receive additional communications. We’ve provided multiple means for you to opt out of marketing communications, and the unsubscribe link is easy to find.
In order to be fully compliant with GDPR, we’ve created a data request form where an individual can request that their data be removed from our servers. Located at cadmiumcd.com/mydata, this form is easy to access and helps our clients by standardizing how we collect, process, and manage requests on their behalf. This form helps facilitate communication between ourselves and our clients.
Product Data Notices
CadmiumCD has also updated each product data notice on each of our product websites and mobile apps across our entire line of products. We have product data notices for both our clients and their data subjects (speakers, attendees, exhibitors). The notice shows up immediately after a user logs into our platform.
For each consent we receive, we collect and store it in our data subject’s profile. The profile includes who signed it, the version of the privacy notice, and when it was signed. The data subject can also retrieve their signed consents on their profiles within our platform.
If a data subject is interested in receiving a copy of their data, having their data removed or transferred, or having themselves removed from our marketing communication list, they can do any of those things through the Data Request Form. We’ve implemented a process to handle requests that we receive: we verify the identity of the data subject, then notify the Controller that we have received a request and what’s being requested. Upon receiving consent from the Controller, we process the request and record the action that was taken.
Data Retention Period
Our data notices also include an agreement between our clients as Controller and CadmiumCD as Processor as to how long we will retain data after our relationship ends with a client. This allows an individual to still come into our platform to use their information even after we’ve stopped working with a particular client.
Data Processing Agreement
CadmiumCD’s Data Processing Agreement details how we’re going to process clients’ data. The agreement includes:
- how we safeguard client data
- the purposes of collection for the products the client is subscribed to
- our data retention period
- the sub-processors we’re currently using and how we will go about working with new sub-processors for the processing of clients’ personal data
- our process for transferring data to third parties with written consent
- our data breach notification policies
- what we’ll do with data when our relationship with a client ends
Clients will start receiving this agreement beginning May 2nd.
Data Transfers to Third Parties
CadmiumCD will only transfer data with consent from you as the Controller. We will only transfer data to countries with adequate data protection laws, or to countries where a contract or binding corporate policies outline data protection safeguards.
Data Breach Policy
We have an internal team of 5 members who are qualified to handle data breaches, whether they are intentional or unintentional. An intentional breach would be someone hacking into our database to access data. An example of an unintentional breach would be a manager unintentionally providing the wrong login information, so that a user accidentally sees someone else’s personal data.
We will notify the Controller without undue delay upon becoming aware of or suspecting a data breach. For any data breach, our data breach response team will follow our data breach response and notification procedures.
GDPR Employee Training
We’ve instituted GDPR training for our employees. All employees are required to pass this course and receive certification, so you can be assured that your event technology will be compliant with GDPR.
Making Sure You’re Ready for GDPR
If you have any questions or concerns about how CadmiumCD is preparing for GDPR compliance, please contact us at any time.
About Pamela
I am a freelance writer who enjoys dipping my toes into a wide variety of writing subjects. I have an M.A. in English but found that teaching wasn’t for me, so I’m applying my training to writing instead. I’ve been blogging for ten years and have written everything from book reviews to pop culture essays to business topics. In my spare time, I enjoy writing fiction, playing games, and learning new crafts. I live in Corvallis, Oregon, with my husband, daughter, and dog.