Recently, Aventri hosted a webinar, "GDPR: What You Need to Know Before May 25." With GDPR on the minds of event planners around the world, we received several questions that we were unable to answer because of a technical issue during the Q&A portion of the webinar. Whether you attended or not, check out the answers to some of the most pressing GDPR-related questions event planners are asking today.
**This is intended only to convey general information. Please see our legal disclaimer below.
Who is legally liable in the event of a breach? Presumably this is the controller - and it is their responsibility to ensure that their ecosystem is compliant?
If a personal data breach happens, the data controller and the data processor follow different processes.
A data controller must notify its supervisory authority within 72 hours of becoming aware of the breach. The notification should clearly outline the nature of the breach, the relevant contact at the organization (the DPO), the consequences of the breach, and how you plan to address it. Additionally, if you think the breach is a high-risk scenario for data leakage, you need to communicate to customers/attendees the nature of the breach and how you plan to address it.
A data processor needs to notify the data controller as soon as it becomes aware of any breach, but it has no other obligations under GDPR. If a data processor changes who it uses to process the data, or if a breach happens, it will notify the controller.
Additionally, yes, it is up to the data controller to ensure that its ecosystem is compliant. That is why you should be asking each of your data processors for their security documentation, so you can confirm that they are taking the necessary steps to keep your data safe.
Do you know if this regulation is only for EU citizens or also EU residents? What happens if an EU citizen is living in another country, so their address is not within the EU?
GDPR covers all EU citizens. It does not matter where they are located; what matters is the citizenship they hold. For example, if someone from the EU is living in the United States but still holds citizenship of their EU country, they fall under GDPR. That is why, on registration forms, instead of asking for their address you should be asking for their citizenship.
If someone's information is publicly listed online under their company or association's website, can you freely solicit them?
This doesn't specifically fall under GDPR, as it is publicly listed information. However, you shouldn't be freely adding these people to distribution lists. Instead, you should make a one-off email or phone call that directly relates to the area of focus of their department.
In regards to hotels with transferring data for sleeping rooms - assuming they are compliant, should we be putting clauses in the hotel agreements to cover our clients - same question for audits?
Good question. It is probably best practice to add language to your agreements with hotels to cover this information and to make sure they are not using the data for future outreach. Again, they would need to follow the same process and policies as any other vendor or organization after May 25th. I would suggest following up with a hospitality professional to get their opinion on this.
What about paper records?
I would assume this to mean that you are using paper records to collect information on your attendees and that you are using Excel spreadsheets as well. If that is the case, this is not the best way to be managing or collecting your data. No matter what, you need to comply with this law if you have EU citizens at your event. If you are still using paper, it will be very labor intensive to update or remove any information on your attendees. Additionally, if an attendee asks to receive a copy of all the information you hold on them, you will need to take the time to scan many of these documents. Another point: if you print paper delegate lists at your events, they can easily be left behind with personal data on them. Consider moving to a technology platform to house all of this information.
How long should data be stored? Is there a maximum length of time?
There is no minimum or maximum amount of time for data to be stored. Instead, the regulation states that personal data shall not be kept for longer than is necessary for the original purpose or purposes.
I'm not clear on how this impacts EU citizens vs. US citizens?
This law only impacts EU citizens, not US citizens. However, if you are based in the US and even one attendee at your event is an EU citizen, then you need to comply with GDPR. It applies to all companies that gather and process data on EU citizens.
And if you missed the webinar, watch it on demand at the link below!
Legal Disclaimer - please always consult an attorney or expert before moving forward with anything related to GDPR.
This is intended to convey general information only and is not intended as legal advice. The information presented here is not guaranteed to be correct, complete or up-to-date and the responses above should not be relied upon in any particular situation. You should consult a licensed attorney or regulatory expert to discuss your specific legal, compliance and GDPR-related issues.