
#GDPRforEvents – the real advice

The May issue of EN magazine just dropped through my letterbox. I was about to ‘file’ it when I noticed a headline on the front cover about GDPR. I’m always interested in another point of view – but the number of mistakes in the articles was too large to ignore.
Here are the most prominent ones – with some explanation as to why they are erroneous.
Organisers sharing delegate information with sponsors and event third party providers. They must now make it explicitly clear who they will be sharing delegate data with.

Well, not really – and it depends. The word ‘explicitly’ is often bandied about – but in the legislation it only applies to the processing of sensitive categories of data. If you have to share data with a third-party processor in order to fulfil a delegate’s booking, that is one thing; sharing with sponsors and other third parties is another. The first is handled under contract, the latter under legitimate interest or consent, depending upon what you are doing and how you are notifying the delegate. Processors and third parties are two completely different types of entity.

If a delegate list was to be taken or mislaid, delegates must all be notified of the breach within 72 hours.

No. No. No and No. Individuals only need to be notified of a data breach if the data that was lost represents a significant risk of harm to the rights and freedoms of the individual, and the 72-hour obligation is the timeframe for notifying the ICO. Tell people who didn’t need to know and you could find yourself part of a class action for causing distress. And you look like a fool.

If a delegate should contact the organiser and ask to be removed from all communications, the organiser must inform all parties with whom the data was shared and ask it is removed. However, if secondary consent was granted afterwards to individual third parties by the delegate this is not necessary.

Firstly – this is the right to object, or possibly even the right to restriction of processing, not the right to be forgotten – which is actually part of the right to erasure. If someone tells you to stop communicating with them, that is what you need to do: stop communicating with them. You need to have a mechanism to ensure this happens – a global suppression list or something similar. If they are exercising their right to erasure, then you need to work out how you are going to uphold this right on your own database; and if they are actually exercising their right to be forgotten, then the legislation says that you need to take all reasonable steps to ask third parties to remove the data – mainly because it might not actually be possible or practical to tell everyone who has the data.

It’s really important that you understand what right someone is actually exercising when they ask you to do something – otherwise you will end up doing something tortuous you didn’t need to – and you will look a fool.

Entering a prize draw. By putting their business cards in a jar, delegates must be made aware of what their information will be used for and by whom… …they consent to their data being shared and used.

Ummm… put my business card in a jar to enter a prize draw – I’m consenting to my data being used to… enter a prize draw by the entity that put the jar on their stand. Where did sharing come into this?

Written sign-up forms on stands. These no longer comply.

In whose world are written forms no longer legal? Nowhere in the GDPR does it say that you can’t collect information on paper. If this is how you want to do it, go ahead. The obligations are that you keep it safe and secure, you know where it is, who has access to it and how long you are going to keep it (and don’t use paper to collect credit card/bank details). Admittedly electronic data collection is going to be the thing moving forwards – but the GDPR does not legislate for it.

The GDPR replaces the 1995 Data Protection Directive… …to protect all EU citizens from privacy and data breaches.

EU Residents – not Citizens – it’s an important distinction – it covers the American in Paris. And the legislation is about much, much more than privacy and data breaches.

After May, anyone asking is entitled to see the personal data you hold on them and you have 40 days to comply

Kind of. Anyone can ask to see the personal data you hold on them, but there are certain circumstances in which you wouldn’t necessarily comply in full – for instance, if someone else’s data is involved. And you have one month or less – essentially 28 days – to comply. So get those skates on.

How do you acquire data… … you must have explicit consent to legally acquire and use it.

It’s that dratted word again. Just to be clear – normal consent is specific, informed, freely given and unambiguous. Only the processing of sensitive categories requires explicit consent. There’s a reason it was taken out of the original draft – consent is hard enough without making it explicit in all cases.

You must have explicit consent to transfer data internationally.

Repeat after me: unambiguous consent. And there are caveats for when there are legal instruments in place to protect the data, or the transfer is necessary for the performance of a contract. ‘No, you can’t transfer my data to Uganda.’ ‘Then I’m very sorry, you can’t board the plane, sir.’

What happens if there’s a breach? You have 72 hours to report a data breach to your lead supervisory authority.

You should be able to answer this one yourself now. Elizabeth Denham said a few short weeks ago: “You do not need to report every data breach. Please don’t.” You have 72 hours to report a breach which ‘represents a significant risk of harm to the rights and freedoms of the individual’. Report the loss of a bit of paper and you are likely to get short shrift from the supervisory authority – not a great return for the sleepless nights you will have endured.

One thing that the ‘experts’ have got right though is the need to do the right thing because it is the right thing to do. Remember what GDPR is really about:

Give Data Proper Respect

Source: www.linkedin.com