GDPR FAQ – What Conference Organisers Wanted to Know
Have you ever walked out of a presentation given by one of the smartest people you’ve ever seen, still feeling like an idiot?
I have, so don’t be too shy to admit it as well.
Usually it’s because I can’t relate the topic to something I’m already familiar with, meaning that the concept is lost on me; I have nothing to contextualise the information.
I know that, for a lot of people, traversing the GDPR waters is tough for the same reason. They get that data privacy is important, but they don’t know how this specific legislation is a) relevant to them, or b) how they can go about applying it in their own lives.
We recently sat down with Fred Logue, a data protection law specialist, to go through some of the GDPR FAQ that we’ve gotten since we started our research. The first, and most paramount was:
Do you foresee attendees knowing their rights, or is this outside their radar?
There’s a lot more awareness of privacy rights than there was 10 years ago. [One] reason for that is the Snowden revelations about surveillance; people are more aware that they’re being observed, and they’re more aware of the harm that can be done through the use of their personal data across a wide range of activities.
They’re becoming more and more concerned about it. At least a good proportion of people who are attending your events will be aware of their rights.
If something goes wrong with the relationship, people will look for ways to right that wrong, and data protection is a way of doing that.
The rest were more easily categorised under:
SPONSORSHIP
How will this affect my sponsor relationship? I usually give them the delegates info.
You need to inform people about how their personal information is being handled and who it’s being transferred to. You have to tell them why it’s being transferred to those people and you need to identify who it is, what they get, and the reason for getting it.
Give them an option to not have their information handed over. [GDPR] does make it harder to monetise the attendees’ information in terms of sponsors. Look at it on a case-by-case basis and proceed with caution on that.
Even for your own reputation, you need common sense and to use commercial common sense; even though something might be “strictly legal” does it make business sense and fit in with the values of my event?
What if the attendee’s badge is scanned at the event by the sponsor with the oral permission of the attendee on the day?
That’s fine. That’s between the sponsor and the person. It’s really not your problem at that stage, unless it’s being done without permission, secretly or covertly. It’s up to the sponsor to make sure [that data transaction is] compliant.
LOCATION
What if I’m probably not going to have any European attendees? Does GDPR still affect me?
GDPR is based on your location, and the location of the individuals whose data you’re processing. If you’re located in the EU or the EEA, then data protection law applies to the processing of individuals’ data irrespective of where they are in the world.
So, if you’re based in Ireland and you process someone’s information from China, GDPR applies to you.
If you’re not based in the EU, then the GDPR might still apply to you. Firstly, if you’re offering goods and services targeted at people who are in the European union physically. Whether or not they’re citizens.
You could be targeting Chinese citizens who are living in Germany, and you’re based in the US. In that case, GDPR still applies to that activity. Similarly, even if you’re not supplying goods and services, if you’re monitoring the behaviour of individuals who are within the EU, GDPR applies to you.
It’s a geographical delineation, it’s not based on citizenship or nationality. It’s based on their location.
What are the differences between US protection, GDPR, and the Canadian privacy protections? Will they ever be uniform?
With the US, it’s a completely different culture. There are lots of specific privacy rules sectorially and at a state level, but there’s no one, unifying privacy right like we have. In Europe, we have one fundamental, constitutional right to privacy and protection of personal data which isn’t in the US constitution.
Canada has stronger privacy rights. In many ways, it was one of the pioneering privacy countries in developing some of the concepts that are in the current GDPR, particularly when it comes to privacy impact assessments.
The good news for Canadians is that there’s what’s called an adequacy decision which means that the European Commission has reviewed data protection law in Canada and it has said that it offers equivalent protection to that of the EU which makes it safe to transfer personal data from the EU to Canada. The half-good news is that there are measures in place to transfer personal data from the EU to the US. It’s called Privacy Shield or Standard Contractual Clauses. The bad news is that they’re currently being challenged in courts in Europe. The reason for that is that no-one in the US can give a safe-guard or guarantee that personal information will not be accessed by government surveillance.
It’s likely that the desire to have equivalence between Europe and the US will meet the conflicting desire to have unlimited and State surveillance in the US. Those things are in conflict with each other.
How does the GDPR affect the people whose data we hold from outside the EU? For example, for our events outside the EU, we may get EU citizens attending.
It’s location-based, not citizenship-based. If I’m an EU citizen attending an event in the US that’s hosted by a US organiser, EU law doesn’t apply unless they store my data in the EU.
So, if it’s completely outside the EU, it doesn’t matter what passport I hold. [Then,] you not only need to be compliant, you have to be demonstrably compliant. So that if you are investigated, you should be able to open your file and say, “These are the things we did to be compliant.”
Have good records so you have decision making and record keeping to show that you’ve taken the necessary steps to be compliant.
SYSTEMS
Can I use a paper check-in list?
Yes is the short answer.
GDPR applies to all forms of electronic data, and paper or hard-copy personal data that’s organised. A printed out copy is personal data, but there’s nothing wrong with using it to administer your event, and people will expect that.
You don’t need consent necessarily; you just need to tell them what you’re doing. The principal with data protection is that it shouldn’t come as a surprise to people [when it comes to] how you use their data.
With paper, you just have to make sure you don’t leave it lying around, and no one walks out the door with it.
[It can be an] unnecessary risk. (And obviously Tito has an app for check-in.) A lot of organisations with have an opt-in/opt-out to the circulation of the attendee list. Some people want their name circulated and some don’t.
What’s the story with RFID and the systems that can track people’s movements at events?
Any tracking or profiling raises at least a yellow flag, if not a red flag. You need to understand why that’s being done, who’s doing it, and where the data ends up.
Is that purpose legitimate? Is the tracking done in a limited way? Are other third parties we don’t know about getting access to this information?
If somebody wants to [use these systems] at your event, I’d definitely ask some more questions about what they’re trying to do. And the other thing is that they’re obliged to tell people what they’re doing.
You can’t put an RFID on a badge without telling people. You can’t have some unknown person tracking them around a conference.
[Informing people about it] has to be in a tangible medium. Just announcing it at an event isn’t enough. You’ll need to have all this planned in advance. People need to know about it when they sign up.
Is it recommended to only use EU-based software?
It’s not where the software is based, it where the data is stored and processed. So, if you’re processing the data of people based in the EU, try to do it in so far as possible within the EU. [If that’s not possible,] you’ll have to look at the basis for processing it to another country.
If you’re transferring it to the US, you need to check if the recipient is signed up to Privacy Shield, and whether there’s a contract in place that meets the requirements [of GDPR].
There are certain countries where it’s really tricky like Russia and China where there’s less of a rule of law [when it comes to data privacy] and they don’t have the same safe guards, even with the Standard Contractual Clauses.
DATA COLLECTION & STORAGE
What do I do with my existing email list? In it are emails I got from field marketing, events, our blog, tickets, and I bought a list.
You need to do diligence on your marketing list to make sure that it already meets data protection law. The first thing to do is to check it meets today’s data protection requirements.
If you got a list from somewhere and you don’t know where it’s come from and you don’t know what those people were told, the likelihood is you can’t use it. The likelihood is that it’s not particularly valuable as well.
You need to make sure that when you gathered information from your own events, and your blog, that the people who gave you that information were aware that you would contact them for marketing and that they’re at least given the option to opt-out of receiving marketing communications.
Most people view tick boxes as an obligatory step, which means that consent hasn’t been given freely because it’s tied to something else. Is that an issue?
The Privacy Policy is there to make people aware of something. It’s there so people can understand what data is being processed for what purpose. There are specific rules in the GDPR about what specific information must be in a privacy policy.
It’s not like a T&C [where] you need to acknowledge that you’ve read it. It should be apparent to someone who’s using your service or on your website that they can go and look it up. The obligation is to express it in a way that it’s easy to find before they decide whether or not to submit any personal data to you. Or at least at the point at which they submit it.
The point is that they know what they’re letting themselves in for and they can make a choice whether or not to provide the data, and they know who you are and who to contact if they have a problem.
Think of privacy policy as an information mechanism rather than a consent mechanism.
What info do you need to present at the time of data collection?
You have to use a common sense view as to whether people will be able to find [your privacy policy and terms and conditions data] before they sign up.
There is guidance on what you have to write in GDPR articles 13 and 14 that tell you what should be in a privacy policy at the very minimum. And you can get advice on that from your lawyer or consultant.
You have to take your audience as they are. If you’re dealing with people with disabilities then you’re going to have to find another way. If they’re elderly or they’re children, or visually impaired, you have to find a way to communicate the information to them before they provide their personal data to you.
A Quick Note
While this information has been vetted for accuracy, each individual circumstance is different and you should contact your own lawyer before implementing anything related to GDPR. Tito isn’t liable for this information’s impact on your own GDPR compliance.
A special thank you to Fred Logue who provided the answers to these FAQs. If any conference-related concerns are still top of mind for you, we’ve created a comprehensive guide to GDPR compliance accessible through this link.