GDPR: the Steps Event Planners Need to Follow

Editor's Notes

• #2: Today, we’ll be talking about the hot topic everyone is hearing: GDPR. What is it? What does it mean for your organization? Your events? In this session, we will aim to focus specifically on how GDPR is effecting the meetings & events industry.
• #4: Before we start, I need to let you know that this presentation regarding GDPR is intended to convey general information only, and should only be used as a starting point in your understanding of issues relating to GDPR.  This is not intended as legal advice, nor is it meant to convey legal facts or opinions. You should consult a licensed attorney or regulatory expert to discuss your specific legal, compliance, and GDPR-related obligations.
• #5: As we talk about GDPR today, it’s important for you to first understand a few key definitions as it relates to GDPR compliance and process changes. -Data Processor This is etouches Any other vendor in your software ecosystem Anytime you move customer data into those platforms – they represent processors -Data Controller This is you Without data controllers there would be no need for processors GDPR looks at you as the owner of customer data If something were to happen its incumbent on you to manage the process and ensure you are doing the right thing for your customers -Data Ecosystem Without this wouldn’t need data controllers Example of what a typical enterprise client might have for their ecosystem GDPR is focuses on data and it starts with inbound data and how it flows within the processors and how it comes out on the outbound side Important to think about the different ways that the data will follow between them In summary, there is ONE simple rule: the Data processor (again, us, etouches or any vendor) is here to work hand in hand with YOU, the controller, to help you achieve compliance based on your own organization’s standards & policies. A good data processor is the one that has documented policies and state of the art practices on data management (privacy, security, access, hosting, data transfer, encryption, etc..) and proactively offers tools (data purge, data queries) to the controller. A vendor shouldn’t claim it is GDPR compliant – it is up to the controller to achieve compliance. Now that we’ve clarified who’s who and who does what, let’s dig deeper into GDPR, but before getting too specific, Let’s review some of the key concepts that will hopefully help you understanding better the philosophy of the law.
• #6: GDPR focuses on giving any EU citizen the private info that you may have on them, upon their request. This 5 step process will help you along the way to uncover & share that information. Discover: Think back to that ecosystem diagram…. Where do you have data stored and how is it moved between systems? Manage: You need clear guidelines on how your data is being used (in case your clients ever ask for it). You also need to be able to access it easily in the event someone requests it. The Burdon on proof is on you now. Protect: How secure is your information? Outlining how your data is protected in transit, at-rest etc. Think of your PCI compliance or Safe Harbour Act. Reveal: This is somewhat related to the “Manage” step in the process. You need to be able to give your EU citizens access to their data when they want it and be able to remove it quickly for them as well (i.e. data purge). The right to be forgotten. Report: Making sure that you have all of your processes in place to comply with the new standards. You need to know where you are receiving your data from and how it is being used at any time because if your client asks where they originally gave you consent to email them you need to know what date, time and how! All of this will be covered in the next few slides that Vince and I will discuss so you will have a better idea of how this all fits into the event process.
• #7: Here we are not talking steps, from a project standpoint like with the previous slide, rather key compliance achievements, Security : this is PARAMOUNT. We will talk about few security aspects later on but your vendor needs to be strong : hosting, encryption, password management, PCI certification, etc… Consent is the second most important, and from a meetings and events standpoint, this is going to be a central topic for planners. We will cover this in detail. Portability, means you need to make sure you allow data transfer to another provider ( or competitor), privacy needs to be understood as privacy by design or by default. It goes together with the consent, again the concept of transparency where you need to contain data usage to what’s been disclosed. This one is a challenge : how often have you clicked on the bottom of a 10 paragraph disclosure.. Well. Same here. It reminds me of a story in terms of password protection : super highly secured password policy : renew every 90 days, 1 special character, one letter, a cap letter and never reuse the same password twice.. Results.. All password were written on pos it notes.. Highly secured !! Access means that you need to grant access to any EU citizen. Ok you don’t have to give him your admin password, it means that you need to map the data across systems to export ( and eventually delete) all his information. Finally, and a DPO a data protection officer should be appointed to handle most of this ! We will talk later about the DPO. The very reason I insist on the fact that YOU are the one to comply to GDPR is because ( and we already briefly touched on this) event and meeting is just one aspect of an often broader ecosystem. And it is the ecosystem, which is specific to you, that must comply.
• #8: Read subtitle This is incumbent on the data controller to take the lead Need to be clear on how you will use personal data And you need a lawful basis to process this (straight from GDPR regulations) Many are already doing but you should set up an opt in question during reg flow and make it required Will vary from business to business and event to event Important to get consent of customer right up front before your capture any key data from them Don’t have your check boxes on forms automatically accepted they need to check this themselves Silence does not constitute consent, so if you send out an email asking people to opt in and they don’t respond that doesn’t mean you can reach out to them they need to physically say yes in some way Always assume someone needs to opt in rather than opt out – some of us call it double opt in. So just because you got someone business card at a show doesn’t necessarily mean you can add them to your newsletter list. Sure you can email them to talk business, etc. but if you are going to market to them you need them to opt in into receiving that communication.
• #9: Read subtitle This is incumbent on the data controller to take the lead Need to be clear on how you will use personal data And you need a lawful basis to process this (straight from GDPR regulations) Many are already doing but you should set up an opt in question during reg flow and make it required Will vary from business to business and event to event Important to get consent of customer right up front before your capture any key data from them Don’t have your check boxes on forms automatically accepted they need to check this themselves Silence does not constitute consent, so if you send out an email asking people to opt in and they don’t respond that doesn’t mean you can reach out to them they need to physically say yes in some way Always assume someone needs to opt in rather than opt out – some of us call it double opt in. So just because you got someone business card at a show doesn’t necessarily mean you can add them to your newsletter list. Sure you can email them to talk business, etc. but if you are going to market to them you need them to opt in into receiving that communication.
• #10: The burden of proof is on you. Can you mitigate the risk of prosecution?
• #11: The burden of proof is on you. Can you mitigate the risk of prosecution?
• #12: The burden of proof is on you. Can you mitigate the risk of prosecution?
• #13: Read subtitle Collaboration between processor and controller comes into play When you ask for consent you are doing so by explaining how you are using it and ensuring that you are using it for a legitimate purpose Need to minimize the storage of personal data so its relevant for that purpose As the processor we will help you to ensure we don’t track individuals on the website in a personally identifiable way How to handle this? Obtain consent Let them know what you will use it for Privacy policies come into play Make sure you have one and link in your event website We have one that you can use as a reference and you can always link to ours as well but it is limited to us as a processor
• #15: Re subtitle Collaboration is key Individual is going to ask to be removed from data base they will ask you the controller – come to you first and you need the tools to comply with their request We (etouches) have added the ability to data purge on the individual level and event level Done in a way that complies with regulation by removing personal data but not removing all data that is relevant for your business like financials and attendance counts
• #16: Read subtitle Collaborative process Broad in principle and topic – goes into all data We have produced a lot of data security documents Data at rest Regional data centers Not transferring data if it needs to stay local Encourage you to look at our data security documents and send along to people at your organization that need to be made aware We have worked with customers in a very direct way We have a data protection officer at etouches Working with customers to answer questions that go beyond the scope of what is documented or more specific to their requirements
• #17: You need to tell people what you are going to do with the data that you have. These are all things that you need to have in your disclosures so that it covers any questions that your attendees or clients may have on what you are doing with the information with your forms. Read off the bullets and then focus on bullet 5 with the below comment: with etouches we combat this with our data centers in US EU and APAC. Depending on where yours is hosted – example you are a US company but you host events in Europe you may be on etouches US server so you will need to make it clear to your attendees that it will be transferred over seas but you can reference all of etouches data privacy documents to let them know how it is being protected at rest and in transit.
• #18: DPO – need to nominate someone to handle data privacy management to be liaison btwn the company and eu citizens Employee New role Freelancer (external) Expert coordinates policies and processes and makes sure they are enforced. They also help with the reporting, maintenance of data, etc. You need to make sure thy have the authority and bandwidth to access the c level of your organization They are there to protect your organization They are not mandatory – check with your organizations own policies to see if you think this is necessary. For example we have one at etouches because we know this is something that many of you are going to be asking about so we want a team member dedicated to help you through these requests.
• #19: What are we doing for you? How can we ensure you are compliant We will give you the tools to empower you as a data controller to be compliant Not going to do anything you control the data flow what you are collecting how you are using it Requirement in regulation: we establish who we use to process our data it is AWS we will notify you if this changes If you have someone who comes to you and want their info wiped we give you the tools to do it in the system and we will help train you on how to do it yourself If you do have a specific question on GDPR reach out and we will help you answer it
• #20: What are we doing for you? How can we ensure you are compliant We will give you the tools to empower you as a data controller to be compliant Not going to do anything you control the data flow what you are collecting how you are using it Requirement in regulation: we establish who we use to process our data it is AWS we will notify you if this changes If you have someone who comes to you and want their info wiped we give you the tools to do it in the system and we will help train you on how to do it yourself If you do have a specific question on GDPR reach out and we will help you answer it
• #21: What are we doing for you? How can we ensure you are compliant We will give you the tools to empower you as a data controller to be compliant Not going to do anything you control the data flow what you are collecting how you are using it Requirement in regulation: we establish who we use to process our data it is AWS we will notify you if this changes If you have someone who comes to you and want their info wiped we give you the tools to do it in the system and we will help train you on how to do it yourself If you do have a specific question on GDPR reach out and we will help you answer it
• #22: What are we doing for you? How can we ensure you are compliant We will give you the tools to empower you as a data controller to be compliant Not going to do anything you control the data flow what you are collecting how you are using it Requirement in regulation: we establish who we use to process our data it is AWS we will notify you if this changes If you have someone who comes to you and want their info wiped we give you the tools to do it in the system and we will help train you on how to do it yourself If you do have a specific question on GDPR reach out and we will help you answer it
• #23: What are we doing for you? How can we ensure you are compliant We will give you the tools to empower you as a data controller to be compliant Not going to do anything you control the data flow what you are collecting how you are using it Requirement in regulation: we establish who we use to process our data it is AWS we will notify you if this changes If you have someone who comes to you and want their info wiped we give you the tools to do it in the system and we will help train you on how to do it yourself If you do have a specific question on GDPR reach out and we will help you answer it
• #24: This eBook was created by etouches at the end of 2017 to help planners prepare for May 25th. The book focuses directly on how this will impact event and meeting professionals specifically. It also outlines how etouches will assist planners on their journey to understand GDPR. This is available via a link in our resrouces section in your navigation below our slides or you can follow the URL listed in the slides.