In our background article we discussed the new European Union (EU) General Data Protection Regulation (GDPR) that goes into effect on May 25, 2018 and what it means for meeting and event planners. One of the key takeaways from that article is that if even one participant in your event is an EU data subject, your organization is affected by GDPR.
EventRebels believes that GDPR is a step in the right direction to protect the privacy of all Internet users. Although the regulation was written for people in the EU, we are structuring our software so that you can offer the same rights to every participant who uses our online forms.
EventRebels is rolling out a series of changes before the May 25th deadline to help you comply with GDPR. This article describes the key tenets of GDPR and the tools we are implementing to meet each requirement.
We are aware that many of our users run local, U.S.-only events and may find some GDPR processes obtrusive and at odds with EventRebels’ ability to fully customize your online form. For this reason, the stronger GDPR-related features are gathered into a full-compliance “GDPR mode” that you switch on per meeting. Other functions, such as consents, are improvements that we think belong on every online form, EU or not, and so we have implemented them across the board. In light of recent events, the privacy rights of participants should be paramount, and EventRebels wants to be at the forefront of privacy-centered event management software.
DISCLAIMER: Neither this nor any of our website articles is a comprehensive study of EU data privacy or legal advice for your company to rely on when complying with EU data privacy laws such as GDPR. Instead, we provide a general background review to help you understand how EventRebels has addressed some important legal points. This information is not legal advice. Privacy protection and cybersecurity laws and regulations are complicated, so it is best to seek the professional counsel of a qualified attorney who specializes in those areas of law and can help you understand how such laws apply to your specific circumstances. Do not rely on this article as legal advice or as a recommendation of any particular legal interpretation.
What do You Need to Do?
Besides reading this article, you should do your own research on GDPR. We have listed a number of references at the end of this article.
Most importantly, you should confer with your counsel about the many legal implications of GDPR for your organization.
A few GDPR Terms
Data Subject
The data subject is the person the data is about (e.g. a participant located in the EU).
Data Controller
The data controller is the person or organization that decides what personal data is collected, how it is collected, and for what purposes. If you or your organization is planning an event with EU participants, you are a data controller.
Data Processor
The data processor is a person or organization that processes personal data on behalf of the controller. For the purposes of this article, EventRebels is one of your processors.
Data Protection Officer
The data protection officer (DPO) is an independent expert on data privacy who works to ensure that your organization follows the policies and procedures required by GDPR.
Clear Consent and Transparency
Meaning
The data subject must consent to the use of their data. Valid consent requires:
- A clear and unambiguous description of how the data will be used.
- Active opt-in to that use. No more pre-ticked checkboxes or “silent consent.”
- A description of every system the data will be transferred to, including third-party suppliers.
- A way for the subject to contact the data controller.
What EventRebels is doing
EventRebels has created a Consent Manager that lets every participant who fills out an online form give consent to how their data will be processed. For the EventRebels engine, we ask for consent for three types of use:
- Receiving promotional emails. EventRebels will now ask you to classify each blast email as either promotional or informational.
- If informational, all participants receive the email (even if they have “unsubscribed” from your list), because it is sent under a legitimate business interest. Examples include “Know Before You Go” messages, speaker acceptances, or exhibitor invoices.
- If promotional, a subject receives the email only if they have given consent.
- Appearing on online lists. This covers areas such as mobile and online attendee lists. Subjects must give explicit approval to appear on such lists.
- Data controller consents. These are defined by the data controller (you, the EventRebels customer). You must tell the subject how data collected through EventRebels will be used by your internal systems, including any transfers to third parties. You can create as many of these consents as you need.
The email address of your data controller will also appear on the consent page.
The data subject can change their consents at any time. Links to the Consent Manager appear at the bottom of every email.
For meetings in full GDPR mode, all consents are opt-in (unchecked by default). If the meeting is not in GDPR mode, non-EU subjects have the consents pre-checked, whereas EU subjects (determined from the country they provide) must give active consent.
The consents appear on the summary (or equivalent) page of each form.
When additional individuals are entered on a form, as in group registrations or speaker management, those participants can review their consents via their email confirmations. If they are from the EU, the consents are turned off by default.
In Progress – Available late-May
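The two rules above, the default state of each consent checkbox and the gating of promotional versus informational blast emails, are small enough to show in code. The following is an added illustration, not EventRebels' code: the participant fields, the EU country set and the sample participants are assumptions made for the example.

```python
"""Consent defaults and blast-email gating as described for the Consent Manager.

Added illustration only, not EventRebels' code. The participant fields, the
EU country list and the sample participants are assumptions for the example.
"""
from dataclasses import dataclass, field

# Member states used for the "based on country provided" rule (ISO 3166-1
# alpha-2, the current EU-27; the UK was still a member in 2018). Constructed
# for the example; a real system keeps such a list maintained.
EU_COUNTRIES = {
    "AT", "BE", "BG", "HR", "CY", "CZ", "DK", "EE", "FI", "FR", "DE", "GR", "HU",
    "IE", "IT", "LV", "LT", "LU", "MT", "NL", "PL", "PT", "RO", "SK", "SI", "ES", "SE",
}

# The two engine-level consents; controller-defined consents are added per event.
ENGINE_CONSENTS = ("promotional_email", "online_lists")


@dataclass
class Participant:
    email: str
    country: str                                   # as provided on the form
    consents: dict = field(default_factory=dict)   # consent name -> True/False


def default_consents(country, gdpr_mode, consent_names):
    """Initial checkbox state for each consent.

    GDPR mode: every consent starts unchecked (active opt-in required).
    Otherwise only subjects whose country is outside the EU are pre-checked.
    """
    opt_in_required = gdpr_mode or country.strip().upper() in EU_COUNTRIES
    return {name: not opt_in_required for name in consent_names}


def set_consent(participant, name, granted):
    """Subjects may change a consent at any time (e.g. via the emailed link)."""
    participant.consents[name] = bool(granted)


def recipients(participants, kind):
    """Audience for a blast email.

    'informational' (know-before-you-go, invoices, ...) goes to everyone,
    including subjects who withdrew consent, as a legitimate interest.
    'promotional' goes only to subjects with an affirmative consent on record;
    a missing consent counts as "no", never as "yes".
    """
    if kind == "informational":
        return [p.email for p in participants]
    if kind == "promotional":
        return [p.email for p in participants
                if p.consents.get("promotional_email", False)]
    raise ValueError(f"unknown email kind: {kind!r}")


def sample_participants(gdpr_mode):
    """Constructed sample data: one US subject, two EU subjects."""
    people = [Participant("ann@example.org", "US"),
              Participant("bea@example.org", "DE"),
              Participant("cal@example.org", "FR")]
    for p in people:
        p.consents = default_consents(p.country, gdpr_mode, ENGINE_CONSENTS)
    set_consent(people[2], "promotional_email", True)   # cal actively opts in
    return people


if __name__ == "__main__":
    for mode in (False, True):
        people = sample_participants(gdpr_mode=mode)
        print(f"GDPR mode={mode}: promotional   ->", recipients(people, "promotional"))
        print(f"GDPR mode={mode}: informational ->", recipients(people, "informational"))
```

With GDPR mode off, the US subject is pre-checked and receives promotional mail while the German subject does not; with GDPR mode on, only the subject who actively opted in does. Informational mail reaches all three in both modes.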
Cookies and Privacy Policy
Meaning
Users of online forms must be told when those forms use cookies. The controller’s privacy policy and cookie policy must also be clearly available for review.
What EventRebels is doing
If the meeting is in GDPR mode, there will be several additional changes:
- The EventRebels customer must provide their privacy policy and cookie policy.
- On the first page of every form, a consent popup lets the subject review and acknowledge the EventRebels cookie policy as well as the customer’s privacy policy.
In Progress – Available late-May
Right to be Forgotten
Meaning
Data subjects have the right to have their personal information removed from an organization’s information systems, including those of third parties. Note that this right does not extend to data needed to complete financial transactions or to meet legal, tax, or audit obligations.
What EventRebels is doing
EventRebels will provide a button in the administrative system that anonymizes a subject’s contact information (name, organization, title/department, address, phone, fax, email). The anonymization process leaves auditable data, such as financial records, untouched. A log record shows when the data was anonymized and by whom. Administrative users can still manually clear additional data, such as user-defined fields.
In Progress – Available late-May
Data Portability
Meaning
A data subject may ask for any relevant personal information you hold about them in a common digital format. For example, the subject may ask for a digital copy of the event registration information you possess.
What EventRebels is doing
As part of the Consent Manager, the data subject can view all online data collected about them and download it in a digital format (JSON). Hidden and encrypted fields are not displayed, but the export notes that such fields exist. The Consent Manager also keeps logs of all data interactions, as GDPR requires.
In Progress – Available late-May
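The Right to be Forgotten and Data Portability sections above describe two operations on the same participant record: anonymize the contact fields while leaving auditable data and the log intact, and export the visible data as JSON while only naming the hidden or encrypted fields. The following is an added example, not EventRebels' code; the record layout, the `withheld` and `audit` flags, the placeholder value and the sample data are assumptions made for the illustration.

```python
"""Anonymization ("right to be forgotten") and subject export ("data portability")
over one participant record.

Added illustration only, not EventRebels' code. The record layout, the field
flags, the placeholder value and the sample data are assumptions for the example.
"""
import json
from datetime import datetime, timezone

# Contact fields the article lists as targets of anonymization.
CONTACT_FIELDS = ("name", "organization", "title", "address", "phone", "fax", "email")
PLACEHOLDER = "[anonymized]"


def make_record():
    """Constructed sample record. Each field carries its value plus two flags:
    'withheld' (hidden or encrypted, so never shown in the subject's export) and
    'audit' (financial/legal data that anonymization must leave intact)."""
    def f(value, withheld=False, audit=False):
        return {"value": value, "withheld": withheld, "audit": audit}
    return {
        "registration_id": f("R-1001", audit=True),
        "name":            f("Bea Muster"),
        "organization":    f("Muster GmbH"),
        "email":           f("bea@example.org"),
        "phone":           f("+49 30 000000"),
        "amount_paid":     f("450.00", audit=True),
        "invoice_number":  f("INV-7781", audit=True),
        "card_token":      f("tok_example", withheld=True, audit=True),
        "internal_notes":  f("VIP - seat near stage", withheld=True),
        "dietary":         f("vegetarian"),          # a user-defined field
    }


def anonymize(record, audit_log, actor, at=None):
    """Overwrite contact fields in place and log who did it and when.

    Audit-flagged fields (financials, invoice numbers) and user-defined fields
    are left alone; the article says admins clear the latter manually.
    Running it twice is harmless: already-anonymized fields are skipped.
    """
    at = at or datetime.now(timezone.utc).isoformat()
    changed = []
    for name in CONTACT_FIELDS:
        fld = record.get(name)
        if fld is None or fld["audit"] or fld["value"] == PLACEHOLDER:
            continue
        fld["value"] = PLACEHOLDER
        changed.append(name)
    audit_log.append({"action": "anonymize", "by": actor, "at": at, "fields": changed})
    return changed


def export_for_subject(record):
    """Data the subject may download: visible values plus the names (only) of
    fields that exist but are withheld."""
    return {
        "data": {k: v["value"] for k, v in record.items() if not v["withheld"]},
        "withheld_fields": sorted(k for k, v in record.items() if v["withheld"]),
    }


def export_json(record):
    """The same export serialized as the JSON file the subject downloads."""
    return json.dumps(export_for_subject(record), indent=2, sort_keys=True)


if __name__ == "__main__":
    rec, log = make_record(), []
    print(export_json(rec))
    print("anonymized:", anonymize(rec, log, actor="admin@example.org"))
    print("log:", log)
    print("amount_paid still:", rec["amount_paid"]["value"])
```

The export never includes the token or the internal notes, only their field names, and the anonymization leaves the registration ID, invoice number and amount paid in place so financial reconciliation still works after the contact details are gone.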
Data Security
Meaning
Organizations must protect personal data with security measures appropriate to the risk, taking into account the state of the art.
What EventRebels is doing
EventRebels is building on our already PCI-compliant processes to strengthen every aspect of our security infrastructure. In addition to industry-standard security practices, we are improving our systems for authentication, authorization, and auditing to better protect our customers’ data. We will provide additional details on these measures as they are implemented.
Ongoing
API
We will require all third-party vendors that use our API to sign disclosures acknowledging their adherence to GDPR principles. Existing access tokens will be revoked and replaced with a new set of API tokens.
In Progress – Summer 2018
New Feature – Email Categories!
As part of upgrading our e-Marketing system to follow GDPR guidelines, we are also adding a feature that many of you have requested. Besides classifying email messages as Informational or Promotional, you will be able to assign each email to your own custom categories, such as News, Updates, and so forth. Recipients of your emails can opt in to or out of each category via an email preferences screen.
In Progress – Available late-May
Resources