How to comply with the GDPR as an event organizer
Privacy and data laws have changed rapidly over the past several years and will play an increasingly major role in business operations in the coming years. One of the most comprehensive and strict laws to be put forth thus far has been the GDPR.
The GDPR, which stands for General Data Protection Regulation, is a legal framework that establishes guidelines for the collection and processing of personal information of individuals within the European Union (EU). This framework also provides principles for data management and outlines the rights of the individual.
The GDPR was adopted in April 2016 but legally came into effect across the European Union on May 25, 2018. Any individual, business, company, or organization that collects, processes, or controls individuals' data is subject to fines and penalties if they do not comply with the GDPR.
How the GDPR Affects Other Parts of the World
If you live, reside, or do business within the European Union, you must comply with the GDPR unless you want to risk penalties and fines.
If you live outside of the EU, the GDPR may or may not apply to you and how you run your business. The deciding factor is whether you have any users, clients, or customers in the EU.
For example, if you live in the United States but run global events where people from any part of the world, including Europe, can register, you also need to abide by the GDPR. If, on the other hand, your audience and business reach is strictly confined to the United States, then you do not need to comply with the GDPR. But even in this latter case, it is a good idea to both familiarize yourself with the GDPR and run your business with the highest level of data privacy and security in mind, as it is likely that other countries will follow suit in various manners. Canada already has PIPEDA (the Personal Information Protection and Electronic Documents Act), and the state of California has the CCPA (the California Consumer Privacy Act). Both of these are similar to the GDPR and must be abided by accordingly.
Corsizio operates from Canada, outside of Europe, but because we have European users, we must also comply with the GDPR.
Your Role versus Our Role
As a simple summary, the GDPR has two categorizations for anyone who deals with other people's data: Data Controllers and Data Processors.
Let's apply this in practical terms to help you understand where you fit in. If you have an account with Corsizio, you are considered an event organizer, meaning that you create events for which Corsizio facilitates registrations. When you create registration forms via a service like ours, you control what information you require from your event registrants or attendees, and you control how you will use that information. This makes you the data controller. Depending on the nature of your business, you may also be a data processor. By facilitating your event registration process, Corsizio predominantly acts as the data processor, as it processes the data on your behalf.
Our job is to ensure that any data that passes through our system, be it yours or your customers', is safe and treated with utmost security. From its inception, Corsizio has been built based on the foundations of Privacy by Design and is fully committed to operating with transparency, accountability, and choice regarding the collection and use of any personal data. A benefit of the GDPR coming into effect is that we apply the strictest data privacy protocol for all of our account holders, regardless of where they live or operate from in the world.
For more information, you can read:
- Our Privacy Statement
- Our Data Processing Addendum, which takes into account the GDPR.
- Google Cloud Platform's Approach to the GDPR. Google Cloud Platform is the service Corsizio uses to run our servers and store all of our data securely.
- Stripe's Approach to the GDPR. Stripe is the service Corsizio uses to facilitate all online payments on our platform.
- SendGrid's Approach to the GDPR. SendGrid is the service Corsizio uses to send out all communications, like emails, memos, and event notifications to you and your attendees.
- Our Corsizio help doc, How to include a terms and conditions policy on your registration forms
Responsible Data Use By Data Controllers (Event Organizers)
As part of your responsibilities, there are several things you should keep in mind to (a) comply with the GDPR if you are required to and (b) operate your business with utmost integrity and security when it comes to protecting the data of your customers, also referred to as data subjects. (If you are an EU citizen, operate within Europe, or have any European users/customers, you need to familiarize yourself with the full scope of the GDPR beyond this article alone and/or contact your legal counsel.)
As a data controller, you understand that:
- Any of your subjects' data that is personally identifiable is subject to privacy laws.
- Certain data categories are prohibited from being processed, such as race or sexual orientation, unless they fall under one of the exemptions.
- Data subjects must give you their informed consent freely to collect any data about them. This consent must be collected in a clear, specific, and unambiguous way that requires clear affirmative action on their part.
- There must be a legitimate interest in the data being collected, as stipulated by the regulations.
Also, as a data controller, you need to provide your data subjects with the following rights:
- Right to Access Data: Data controllers are required to provide data subjects with a copy of their processed personal data upon request. This means you need to provide your customers with information about what data you collected and why, the categories of the data processed, if any third parties have access to this data, and how long it will be stored.
- Right to Update Data: Data controllers need to allow their data subjects to update or correct any data about them in a timely manner.
- Right to Be Forgotten: Data controllers need to have a process in place where data subjects can request that their data be deleted, erased, or removed. If any of your customers (data subjects) ask to be removed from any of your Corsizio-facilitated event records, we have in place an expunge option, which will remove all of their personally identifiable information without negatively impacting your and our financial and statistical reporting.
- Right to Data Portability: Data controllers are required to provide data subjects with the data collected and/or processed about them in commonly used, machine-readable formats, such as a CSV or TXT file. Data controllers may be required to transfer that data, on behalf of the data subject, to another data controller/processor in a timely manner.
Responsibilities of Data Processors
Data processors, a category that applies to Corsizio and may or may not apply to you depending on the nature of your business, are required to notify data controllers of any data breaches in a timely manner. Of course, you should have proper security measures in place so that your customer data is not released, directly or indirectly, to the public or any third parties.
The most important security practices include:
- Always use highly secure passwords for any services you use to collect or store your customer data.
- Do not share your password with anyone.
- Do not store your passwords in any unsecured ways.
Final Quick Tips
- Only collect the bare minimum data needed on your registration form to run your event(s).
- Avoid collecting unnecessary data on your registration forms for the purpose of market analysis, advertising, or marketing campaigns, etc. Such information would be best collected via anonymous surveys or questionnaires or in ways that do not associate them with personally identifiable data.
- Keep your customers' data highly secured at all times, especially when you export it.
- Only use reputable, trustworthy, and compliant data processors.
- Treat your customer data with the utmost respect.
- Be responsible with how you use your customer data.
Most of all, remember, having access to other people's data is a big privilege and not a right.