We’ve all heard a lot lately about the EU’s new data privacy law, the General Data Protection Regulation (GDPR), which comes into force on 25th May 2018. At Crystal Interactive HQ we’ve spent a lot of time over the last year bringing ourselves up to speed and have set up a ‘GDPR taskforce’ to prepare our business for the new regulation.
As event planners and meeting organisers, our clients are handling event data daily, gathering delegate information at hundreds of events each year. We’ve written this short blog to explain how we’re complying with the new law and to assure our clients we’ve got every GDPR base covered.
So, what is the GDPR?
The GDPR builds on the existing data regulations, known as the Data Protection Act (DPA), and the new law regulates how the personal data of EU citizens can be collected, used and processed by businesses. The law will impact businesses all over the world, as it applies to all organisations based in the EU and to those that have customers and contacts in the EU.
The GDPR aims to pass the power back to the people and give each one of us control over our data in a world where everyone seems to want it.
It’s all about consent
Up until now, companies have collected and stored as much information about their customers as possible. The new changes will ensure companies can only gather and store personal data, such as name, address, email and computer IP address, with the individual’s express permission. The GDPR will force companies to obtain explicit, opt-in consent and to be clear about how an individual's data (for example, a delegate's personal data) will be used once that consent has been obtained.
If you’re collecting data at an event from guests or delegates, you need to ensure that personal data is collected in a fully compliant way. Therefore, it’s vital you work with a GDPR compliant event technology provider, such as ourselves, to reduce the risk of data being collected and processed incorrectly, and any subsequent fines and claims that can be sought by an individual under the new law.
How are we ensuring we are compliant with the GDPR?
Our Head of Apps, Meeta Tailor, is taking the lead on the GDPR at Crystal Interactive. Meeta explains, “We have undertaken a detailed due diligence process on our third-party solutions, as well as our own in-house technologies, to ensure we are fully compliant. It has been a step-by-step process and we’ve involved key personnel from across our business to carry out full audits on the personally identifiable information (PII) we hold and all of our software systems.
“We want to make it as easy as possible for our clients to get ready for the GDPR, and our taskforce has been hard at work ensuring we comply with the new laws. We have been working alongside our clients to assist them with their GDPR requirements and adapting our technologies to ensure any data we collect on our clients’ behalf is fully compliant.”
How can our event technologies support our clients’ own GDPR requirements?
We have meticulously reviewed the data management processes for our own and third-party services and produced a series of best practice guidelines that we will share with our clients when they use our services.
We recommend that every technology service deployed at an event, whether software only or fully supported by our delivery team, has GDPR compliant welcome screens that capture a delegate’s consent before they are able to proceed with using the technology.
An example of this is our Event App, where we advise clients that users must give consent via an ‘opt-in’ form that appears when they first access the app. This ‘opt-in’ screen provides the event organiser with clear evidence that the delegate is willing and happy for us to store their data, and records the time and date of their consent. This fully transparent process ensures the delegate is aware of what their data will be used for, how it will be stored and for how long, before they give their consent.
What happens to the data collected after the event?
Once the data has been collected and we hand it to our client after an event, it becomes the responsibility of the client to ensure the way it is stored and managed is fully GDPR compliant.
For business continuity reasons we keep the data gathered at events for an agreed period of time following the event. When this period is due to expire, we alert our clients that the data will be permanently deleted from our systems. If the client wishes to have the data removed before the agreed date, they can request this in writing.
Where is the data hosted?
All the data gathered by our current services is held in the EU.
If you have any concerns regarding the GDPR and how the new regulations will affect the event technology you deploy at future events, then please do get in contact and we’ll be happy to help! Please contact us on +44 1483 927 900 or email email@example.com.