Are you ready for May 25, 2018? That is the date that the new European Union (EU) General Data Protection Regulation (GDPR) goes into effect. While GDPR consolidates and builds upon prior EU regulations on privacy and data security, it is noteworthy both in its scope within the EU and its impact abroad.
Does GDPR apply to my organization?
The goal of GDPR is to protect the personal data of EU citizens. For organizations that process this data, the regulation seeks to ensure that personal information is handled in a secure, private and transparent fashion. At the heart of GDPR are a series of principles that are designed to protect the human right to privacy. Any organization collecting data of an EU citizen is subject to these principles, regardless of size. In short, if you have just one participant from the EU involved in your event, your organization is impacted by GDPR.
The large possible penalties are meant to give GDPR some real teeth for enforcement. Fines can be up to 4% of annual global revenue or €20 Million, whichever is greater.
The data subject is the person that is the subject of the data in question (e.g. the EU citizen.)
The data controller is the person or organization that decides what and how information is to be collected and its purposes. If you or your organization is planning an event with EU participant(s), then you will be a data controller.
The controller has a series of obligations to the data subject, many of which will be discussed in more detail below. However, the heart of these obligations consist of protecting the personal data and being transparent about the purposes for which the data will be used.
The data processor is a person or organization that processes personal data for the controller. For example, if you are planning a conference but are using a third party software company for online registration, the latter is a data processor for you. In all likelihood, an event planner will be using many data processors.
Once common source of confusion is that an organization can be both controller and processor. For example, a software company can be both a data processor and a data controller (namely, the information of its customers.) Regardless, the data processor has some of the same basic responsibilities of the controller, namely data security, privacy and transparent use.
As a controller you always want to make it contractually clear what the responsibilities are of your processors.
Data Protection Officer
Both the controller and processor must designate a data protection officer (DPO.) The DPO is an independent expert on data privacy who works to ensure that the organization is following the policies and procedures described in the GDPR. While the DPO may be in-house or outsourced, the DPO must have the time and resources necessary to complete the required work. The DPO must also not have a conflict of interest with the organization that may compromise his or her duties.
While the GDPR has many principles, there are number of provisions that stand out in their explanatory power of the regulation.
Clear Consent and Transparency
The data subject must consent to the use of their data. The acceptance of this data includes:
- A description of how the data will be used in a clear and unambiguous manner.
- Active opt-in to the data usage. No more pre-ticked checkboxes or “silent consent.”
- Descriptions of how data will be used must include all systems where the data will be transferred, including third-party suppliers.
- Ability to contact the data controller.
In effect, this means the end of list re-purposing. If someone signs up for your online newsletter, you cannot give that email address to another party without the EXPLICIT permission of that person.
Right to be Forgotten
Data subjects have the right to have their personal information removed from an organization’s information systems, including third parties. It is important to note that exceptions to this is any data that is needed to fulfill financial transactions or that is needed for legal, tax, or audit obligations.
A data subject may ask for any relevant personal information you possess in a common digital format. For example, the subject may ask for a digital copy of the event registration information you possess.
Organizations need to protect personal data in a way that reflects the highest technology standards. Any data breaches need to be reported to impacted data subjects within 72 hours.
Privacy by Design
At the heart of GDPR’s mission is that software systems should be designed with privacy-first thinking. In other words, the protection of the individual’s data should not be an afterthought, but instead embedded at the core of the design and continuing maintenance of personal information systems. This includes the notion of data minimization, which implies only retrieving and holding on to data as is absolutely necessary.
EventRebels views GDPR as an opportunity for the software industry to place privacy-first systems that respect the data rights of the individual in the forefront. While GDPR is an EU initiative and may seem heavy-handed at times, it is a long needed change and will shape the face of technology for many years.
GDPR is a complex package and the implementation of its regulations promise to evolve rapidly over the upcoming months and years. It is imperative that you include your legal team as part of your organization’s plan to adhere to the GDPR standard.