On the 25th of May, 2018, the General Data Protection Regulation (GDPR) will become law in all European Union member states. In this blog post, we explain how we make sure Accredion is GDPR-compliant and what you can — and must! — do as event organiser to ensure you are compliant as well.
The GDPR replaces the Data Protection Directive (95/46/EC) and was designed to harmonise data privacy laws across the European Union, to protect and empower EU citizens’ data privacy and to reshape the way organisations across the EU approach data privacy.
The GDPR affects nearly every organisation in the EU that processes people’s personal data. If your organisation determines the purpose of the storage or processing of personal information, it is considered a controller. If your organisation stores or processes personal data on behalf of another organisation, it is considered a processor. It is possible for your organisation to have both roles. Accredion is one such organisation wearing both hats, while most event organisers will be controllers.
What we did to become GDPR-compliant
The GDPR is an extensive piece of legislation, which cannot be summarised in a few bullet points. But its principles can be easily categorised:
- Valid ground — There must be a ground upon which you collect data;
- Organisational measures — An organisation should take various organisational measures to protect people’s privacy;
- Practical measures — An organisation should take various practical measures to protect people’s privacy;
- The user in control — People must have access to their personal data and they should be able to edit or delete it.
Let’s explore how at Accredion we implemented the four key principles of the GDPR.
First of all, applicants’ privacy has been a fundamental consideration when creating Accredion. That is why Accredion only asks for data that is necessary to make it work and for event organisers to professionally handle their accreditation process. Let’s illustrate this with a few good examples of ‘privacy by design’:
- The possibility for event organisers to export data, for example to Excel, is limited. This helps to prevent personal data going on a journey through people’s inboxes, on thumb drives and to other places well beyond the control of the user who provided his or her personal data;
- When asking for highly sensitive data like applicants’ passport details, Accredion is designed to only show these details to people who actually need them;
- Accredion doesn’t ask for personal data that we don’t need and we recommend event organisers who use Accredion to apply the same standard.
Our developer team has also gone to great lengths to securely receive, send and store personal data. Accredion is served over an encrypted SSL/TLS connection, using a certificate with an RSA key and a SHA-256 signature, which is indicated by the green lock in your browser, right next to the address bar. We store our data on servers within the European Union with parties that are GDPR-compliant as well.
All the technological aspects aside, developing a tool like Accredion and processing personal data is, in the end, a human job. To ensure our team is fully on board with the GDPR, we are in the process of appointing a Data Protection Officer, whose task is to keep oversight over which data we store and process, why and for what purpose. We also train our team frequently to keep the protection of our users’ privacy a top priority.
Should, despite all measures taken, personal data be compromised, the GDPR requires a data breach to be reported when it is likely to “result in a risk for the rights and freedoms of individuals”. Such a report must be made within 72 hours of first having become aware of a breach. Of course, the data processing party will also be required to notify customers and the controllers without undue delay after first becoming aware of a breach. In our case, being a Netherlands-based company, we are subject to reporting to the Dutch Data Protection Authority.
What you can do to become GDPR-compliant
If you are legally based or operational in the European Union, it is highly likely the GDPR will impact your work as event organiser. Accreditation, ticket sales, crew registration and your press contact list — they all touch upon the registration of personal data. And while some may tell you that the GDPR is not applicable to professional data, such as people’s office phone number or email address, this is not the case. Any information relating to an identified or identifiable natural person is considered personal data.
Our first and most important recommendation would be this: take the GDPR seriously. It is about people’s privacy. And, not least, as of 25 May 2018, it is the law of the land in all EU member states. Violating the GDPR can lead to serious financial penalties and irreparable damage to your reputation.
Before you engage on your GDPR journey, ask yourself the following questions:
- What personal data do we collect and why?
- Have people given explicit permission to store their personal data?
- Where do we store personal data?
- How do we protect people’s personal data?
- Do we have procedures in place to deal with requests from people about what personal data we have in our possession?
- Do we have procedures in place to deal with requests from people to have their personal data deleted?
- How would we deal with a data breach, such as a hack or a lost USB stick with personal data on it?
To get started, we recommend this online checklist, which gives you a quick overview of what to do to make your event organisation GDPR-compliant.
While big organisations that deal with large volumes of personal data may consider hiring an outside firm or consultant to secure GDPR compliance, you can and should do a lot yourself if that is out of reach for you. The following resources are a good starting point:
- The full text of the General Data Protection Regulation
- The GDPR Checklist
- A 12-step preparation guide by the British Information Commissioner’s Office
- Privacy impact assessment code of practice by the British Information Commissioner’s Office
Nothing in this blog post constitutes legal advice. If you seek professional legal advice in relation to the General Data Protection Regulation, we recommend you contact a law firm specialised in data protection and/or information management.