kchopson

GDPR and EventRebels – What We are Doing to Help You Comply

In our background article we discussed the new European Union (EU) General Data Protection Regulation (GDPR) that went into effect on May 25, 2018 and what it means to meeting and event planners. One of the key takeaways from this article is that if you have just one participant who is an EU data subject involved in your event, your organization is impacted by GDPR.

EventRebels believes that GDPR is a step in the right direction to protect the privacy of all Internet users. Despite the regulation being created specifically for EU citizens, we are structuring our software to allow you to provide the same rights to all participants that use our online forms.

EventRebels has unrolled a series of changes to help you comply with GDPR. This article describes the key tenets of GDPR and the tools we have implemented to meet these requirements.

We are aware that many of our users have local U.S.-only events and may find some GDPR processes to be obtrusive and against the grain of EventRebels’ ability to totally customize your online form. For this reason, we have a full “GDPR toolkit” privacy mode for some of the stronger GDPR-related features. Other software functions, such as consents, are improvements that we think should be applicable for all online forms, EU or not, and so we have implemented these across the board. In light of recent events, the privacy rights of our participants should be paramount and EventRebels wants to be in the forefront of privacy-centered event management software.

DISCLAIMER: Neither this article nor any of our other website articles is a comprehensive study of EU data privacy or legal advice for your company to rely on when complying with EU data privacy laws such as GDPR. Instead, we provide a general background review to help you better understand how EventRebels has addressed some important legal points. This information is not legal advice. Privacy protection and cybersecurity law and regulations are very complicated. Therefore, it is best that you seek the professional counsel of a qualified attorney who specializes in those specific areas of law and can help you more fully understand how such laws may apply to your specific circumstances. Do not rely on this article as legal advice, nor as a recommendation of any particular legal interpretation.

What do You Need to Do?

Besides reading this article, you should do your own research on GDPR. We have provided a number of references at the end of this article.

Most importantly, you should confer with your counsel in regards to the many legal implications of GDPR.

A few GDPR Terms

Data Subject

The data subject is the person that the data in question is about (for example, an EU citizen).

Data Controller

The data controller is the person or organization that decides what and how information is to be collected and its purposes. If you or your organization is planning an event with EU participant(s), then you will be a data controller.

Data Processor

The data processor is a person or organization that processes personal data for the controller. In the case of this article, EventRebels will be one of your processors.

Data Protection Officer

The data protection officer (DPO) is an independent expert on data privacy who works to ensure that your organization is following the policies and procedures described in the GDPR.

Clear Consent and Transparency

Meaning

The data subject must consent to the use of their data. Valid consent requires:

  • A description of how the data will be used in a clear and unambiguous manner.
  • Active opt-in to the data usage. No more pre-ticked checkboxes or “silent consent.”
  • Descriptions of how data will be used must include all systems where the data will be transferred, including third-party suppliers.
  • Ability to contact the data controller.

What EventRebels has done

EventRebels has created a Consent Manager that allows all participants who fill out online forms to give consent on how their data will be processed. For the EventRebels engine, we will ask for consent for three types of uses:

  • Receiving promotional emails. EventRebels will now ask you to define blast Emails as either promotional or informational.
    • If informational, all participants will receive the email (even if they have “unsubscribed” from your list), because it is a legitimate business interest. Examples include “Know Before You Go” messages, speaker acceptance or exhibitor invoices.
    • If promotional, the subject will only receive the email if they have provided consent.
  • Sharing data on online lists. This includes such areas as mobile and online attendee lists. Subjects will need to give explicit approval to appear on such lists.
  • Data Controller Consents. This is the EventRebels customer (you). You will need to inform the subject of how EventRebels data will be used by your internal systems, including third-party data transfers. You will be able to create as many consents as needed.

The email address of your data controller will also appear on the consent page, if provided.

The data subject will be able to change consents at any time. Links to the Consent Manager will appear at the bottom of all Emails.

For meetings with Privacy Mode set to “Full-GDPR Toolkit”, all consents will be opt-in. If not in “Full-GDPR Toolkit” mode, non-EU subjects will have the consents pre-checked, whereas EU subjects (based on country provided) will need to give active consent.

The consents will appear on the summary (or equivalent) pages of the forms.

When additional individuals are being entered on a form, as in group registrations or speaker management, these participants can see their consents via their email confirmations. If they are from the EU, the consents will be turned off by default.

Cookies and Privacy Policy

Meaning

Users of online forms need to be informed when these forms use cookies. The controller’s privacy policy and cookies policy also need to be clearly available for review.

What EventRebels has done

If the meeting is in “Full-GDPR Toolkit” mode, there are several additional changes:

  • The EventRebels customer will be required to provide their privacy policy and cookies policy.
  • On the first page of any form there will be a consent popup screen where the subject can review and acknowledge the customer’s cookie policy, as well as the customer’s privacy policy.

Right to be Forgotten

Meaning

Data subjects have the right to have their personal information removed from an organization’s information systems, including those of third parties. It is important to note that the exception to this is any data that is needed to fulfill financial transactions or that is needed for legal, tax, or audit obligations.

What EventRebels has done

EventRebels provides a button in the administrative system to anonymize a subject’s contact information (name, organization, title/department, address, phone, fax, email). This anonymization process leaves all auditable data (such as financials) untouched. A log record indicates when the data was anonymized and by whom. Administrative users can still manually clear out additional data such as user-defined fields.
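The anonymization behaviour described above, as an added illustration (not EventRebels’ code): contact fields are overwritten with a fixed placeholder rather than hashed or encrypted, so nothing recoverable stays in the record, financial and other auditable fields are left as they were, and an audit entry records the actor and time. Field names and the in-memory log are assumptions of this example.

```python
from datetime import datetime, timezone

# Contact fields the article lists as anonymized; everything else stays untouched.
CONTACT_FIELDS = ("name", "organization", "title", "address", "phone", "fax", "email")
PLACEHOLDER = "ANONYMIZED"
AUDIT_LOG: list = []  # constructed in-memory stand-in for the system's log table


def anonymize_subject(record: dict, actor: str) -> dict:
    """Return a copy of the registration record with contact data removed.

    Values are replaced with a constant placeholder (not a hash or pseudonym),
    so the original cannot be derived from the record itself. All other fields,
    such as financial data needed for audit, are copied unchanged, and a log
    entry records who performed the anonymization and when.
    """
    anon = dict(record)  # the caller's record is not modified in place
    for field in CONTACT_FIELDS:
        if field in anon:
            anon[field] = PLACEHOLDER
    AUDIT_LOG.append({
        "subject_id": record.get("id"),
        "action": "anonymize",
        "actor": actor,
        "at": datetime.now(timezone.utc).isoformat(),
    })
    return anon


def remaining_contact_fields(record: dict) -> list:
    """Post-check: contact fields still holding non-placeholder data."""
    return [f for f in CONTACT_FIELDS if f in record and record[f] != PLACEHOLDER]
```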

Data Portability

Meaning

A data subject may ask for any relevant personal information you possess in a common digital format. For example, the subject may ask for a digital copy of the event registration information you possess.

What EventRebels has done

On the administrative side of the system, the Data Controller may send the Data Subject all online data collected about them (matched by email address) and may also download the information in a digital format (JSON). Hidden and encrypted fields will not be displayed, but the export will mention that these fields exist. The Consent Manager will include logs of all data interactions as required by GDPR.
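An added example of the portability export described above (not EventRebels’ own code): records are matched by email address, visible fields are serialized to JSON, and the values of hidden or encrypted fields are withheld while their names are still listed. The field metadata and record layout are constructed assumptions.

```python
import json

# Constructed field metadata: which form fields are hidden or stored encrypted.
# Real EventRebels field definitions are not known here; these are assumptions.
FIELD_FLAGS = {
    "card_last4": {"encrypted": True},
    "internal_note": {"hidden": True},
}


def build_export(records: list, email: str) -> dict:
    """Collect every record for the given email address into an export structure.

    Values of hidden or encrypted fields are never copied into the export;
    only their names appear under "withheld_fields", so the subject learns
    that such data exists without the protected value being disclosed.
    """
    wanted = email.strip().lower()
    export = []
    for rec in records:
        if rec.get("email", "").strip().lower() != wanted:
            continue
        visible = {k: v for k, v in rec.items() if k not in FIELD_FLAGS}
        withheld = sorted(k for k in rec if k in FIELD_FLAGS)
        export.append({"data": visible, "withheld_fields": withheld})
    return {"email": email, "records": export}


def export_subject_data(records: list, email: str) -> str:
    """Serialize the export as the JSON document handed to the subject."""
    return json.dumps(build_export(records, email), indent=2, sort_keys=True)
```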

Data Security

Meaning

Organizations need to protect personal data in a way that reflects the highest technology standards.

What EventRebels has done

EventRebels is continuing to take our already PCI-compliant processes and strengthen every aspect of our security infrastructure. In addition to industry-standard security practices, we are also improving our systems for authentication, authorization, and auditing to better protect our customers’ data.

New Feature – Email Categories!

As part of upgrading our e-Marketing system to adhere to GDPR guidelines, we have added a new feature that many have requested. Besides categorizing email messages as Informational or Promotional, you are able to assign an email to your own custom categories. These categories can be such things as News, Updates, and so forth. Recipients of your emails can opt in or out of each of these categories via an email preferences screen.
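An added example (not EventRebels’ code) that models the consent defaults from the Consent Manager section and the email delivery rules from the blast-email and category passages: Full-GDPR Toolkit mode never pre-checks consents, otherwise only EU subjects start unchecked; informational mail always goes out, promotional mail only with consent, and a custom category additionally needs that category’s opt-in (treating categories as a further restriction on promotional mail is an assumption here). Country codes, mode labels and field names are constructed.

```python
from dataclasses import dataclass, field
from typing import Optional

# Constructed, illustrative values; not EventRebels' actual identifiers.
EU_COUNTRIES = {"AT", "BE", "DE", "ES", "FR", "IE", "IT", "NL", "PL", "SE"}
FULL_GDPR = "Full-GDPR Toolkit"


@dataclass
class Subject:
    email: str
    country: str
    promo_consent: bool = False   # consent to promotional email
    list_consent: bool = False    # consent to appear on attendee lists
    categories: dict = field(default_factory=dict)  # category name -> opted in?


def consent_prechecked(privacy_mode: str, country: str) -> bool:
    """True if the form may pre-check consent boxes for this subject.

    Full-GDPR Toolkit mode: every consent is opt-in, never pre-checked.
    Otherwise: EU subjects (by country) must actively opt in; others are pre-checked.
    """
    if privacy_mode == FULL_GDPR:
        return False
    return country.strip().upper() not in EU_COUNTRIES


def new_subject(email: str, country: str, privacy_mode: str) -> Subject:
    """Create a subject record carrying the form's default consent state."""
    pre = consent_prechecked(privacy_mode, country)
    return Subject(email=email, country=country, promo_consent=pre, list_consent=pre)


def should_deliver(kind: str, subject: Subject, category: Optional[str] = None) -> bool:
    """Decide whether one blast email reaches a subject.

    informational: always delivered (legitimate business interest), even if unsubscribed.
    promotional:   only with recorded consent; with a custom category, the subject
                   must also have opted into that category (unknown category = no).
    """
    if kind == "informational":
        return True
    if kind == "promotional":
        if not subject.promo_consent:
            return False
        if category is None:
            return True
        return subject.categories.get(category, False)  # fail closed
    raise ValueError(f"unknown email kind: {kind!r}")
```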

Resources

EventRebels intro to GDPR

Full text of the regulation.

MPI’s GDPR Review