From May 25th, 2018, the General Data Protection Regulation (GDPR) applies. From then on the EU has one privacy law for all member states, which takes precedence over the existing national laws. What exactly does this change mean for event organisations?
As an event organisation, you deal with personal data. Any information relating to an identified or identifiable person is personal data: the moment it is possible to single out or identify someone, the data counts as personal data. Even pseudonymised data is personal data, because the person can still be identified once the pseudonym is linked back to the original identity. Only truly anonymised data falls outside the regulation.
Under the GDPR you must handle this information even more carefully than before. Organisations must be able to demonstrate that they store and process personal data in compliance with the new regulation.
When are you GDPR-compliant? As a starting point, when you can answer "yes" to the following three questions.
1. Can you demonstrate compliance with the GDPR?
As an organisation, you must be able to show quickly and easily that you have taken steps to comply with the GDPR. When the supervisory authority asks, you must be able to hand over information and supporting documentation without delay. This means you must be able to state:
what personal data you store (or otherwise process);
whose data it is;
where you store it;
how it is secured.
2. Do you have data processing agreements with all parties, and do they comply with the regulation?
The regulation does not only apply to the organisation that collects personal data and decides what it is used for, but also to anyone who processes that data on its behalf. Persons, companies or organisations that merely process the data must comply with the new law too. When you work with a service provider (such as We Cross) that processes personal data for you, you as the organisation are obliged to lay down written agreements on how that data is processed. This is called a data processing agreement (often shortened to processing agreement), and it must fully comply with the GDPR.
3. Do you ask for consent in the right manner?
To process personal data you need a valid legal basis, and for event organisations that basis is very often the consent of the person concerned. The GDPR sets stricter requirements for consent than the old rules did. Consent under the GDPR means a "freely given, specific, informed and unambiguous indication of the data subject's wishes"; pre-ticked boxes or silence do not count. In a future blog post, we will elaborate on this subject.