Learn all about GDPR, its policies, data subject rights, and implications for businesses globally. Get insights on compliance steps and industry effects. Experts weigh in on the significance of GDPR. Stay informed and compliant.
TABLE OF CONTENTS
Introduction 04
1. What is GDPR? What is the purpose of GDPR? 05
2. Policies and Data Subject Rights under EU GDPR 06
2.1 Increased Territorial Space 06
2.2 Penalties 07
2.3 Consent 07
2.4 Breach Notification 07
2.5 Right to Access 07
2.6 Data Erasure/Right to be Forgotten 07
2.7 Data Portability 08
2.8 Privacy by Design 08
2.9 DPO 08
3. Industries that will majorly get affected by EU GDPR Regulations 10
4. EU Compliance 11
4.1 Data Control 11
4.2 Data Security 11
4.3 Data Breach 11
4.4 Risk Reduction Strategy 11
5. Steps for EU Compliance 13
5.1 Understand GDPR 13
5.2 Create a Data Map 13
5.3 Classification of Data 13
5.4 Begin Data Evaluation 13
5.5 Access Document and Risk Management 14
5.6 Revise and Repeat 14
6. Some Helpful Statistics 15
7. Effects of GDPR on Events Industry 17
8. Effects on Event-Tech Companies/Vendors 19
9. Expert's Opinions 21
Resources 23
Conclusion 24
About Hubilo
ALL YOU NEED TO KNOW ABOUT GDPR
INTRODUCTION
One of the EU's biggest laws, coming into force on 25th May, is one that organisations and companies across the globe are worried about. Agreed, it is a revolutionary change that affects all companies in the EU and those dealing with EU clients, so awareness of it is essential. In this whitepaper, we have covered all the basic knowledge one needs to know about GDPR, i.e. the General Data Protection Regulation. We have also covered a few basics on the implications of these regulations for the event industry and event-tech providers.
CHAPTER 1
WHAT IS GDPR? WHAT IS THE PURPOSE OF GDPR?
These questions have been a hot topic of discussion for the past few weeks. In 1995, the European Union adopted a directive to protect the privacy of its citizens, and it is now updating that directive's rules and regulations to match the current world scenario. Hence, to solve the privacy issues, GDPR came into light.
GDPR: the General Data Protection Regulation is one of the major policy changes that will come into effect from 25th May 2018.
GDPR is basically a set of rules and regulations that monitors and keeps a tab on how citizens' data is being processed and for what purposes. It is a matter of protecting the personal data of people residing within the EU. GDPR creates transparency between the businesses that collect citizens' data and the people who would like to have access to how their data is being used.
CHAPTER 2
POLICIES AND DATA SUBJECT RIGHTS UNDER EU GDPR
The EU General Data Protection Regulation is a massive change for the business community all around the world. What are the policies of GDPR that must be adhered to and accounted for if your event or business involves collecting data?
2.1 Increased Territorial Space
One of the major policy changes coming with the data privacy regulation is that it applies to all companies that do or will require data of EU residents. Previously, this policy wasn't made clear, so people across the globe didn't take it seriously until recently. So, all businesses must complete their paperwork in accordance with the laws and rules established. This EU GDPR policy also applies to organisations outside the EU that are currently engaged in business in the EU, or may in future have business ties in the Union. EU businesses that process citizens' data are also supposed to have a representative to back them up and check the legitimacy of their activities.
CHAPTER 2
2.2 Penalties
If an organisation is found guilty of breaching the GDPR policies, then it will be liable to pay 4% of its annual global turnover or €20 million.
2.3 Consent
The conditions under this section have been legalised, and a company will no longer be able to use illegitimate or unauthorised forms in any manner to collect EU citizens' data. Consent for the data must be legal, clear and written in plain language for easy understanding.
2.4 Breach Notification
Under EU GDPR regulations, breach notification will be mandated from 25th May onwards, and a breach must be notified within 72 hours of first having become aware of it. The Data Protection Officer will be in charge of informing all customers and controllers about the breach without any delay.
2.5 Right to Access
Under the policies laid down by the EU for GDPR, the data subjects, i.e. the citizens of the Union, are entitled to access the procedure of how their data is being processed and the purpose for the same. In addition to accessing their information, data subjects will also be provided a copy of their personal data in a digital format, free of charge.
2.6 Data Erasure/Right to be Forgotten
This is one of the crucial and fair points on the part of data subjects. Data subjects can have the data controller erase all their personal data and have authorities stop any processing of their data via third parties.
CHAPTER 2
This comes into action when the processing of data becomes irrelevant to the purpose or when the data subjects withdraw their consent.
2.7 Data Portability
Under the EU GDPR policies, data subjects have the right to receive their personal data in a digital format and share it with another controller.
2.8 Privacy by Design
Though it has existed as a concept on paper for years, it is now getting implemented. Privacy by design focuses on designing systems so that the data is secured from the start, rather than adding features to existing systems to protect the data.
2.9 DPO
The introduction of a Data Protection Officer is a new addition under the GDPR regulation. The DPO's position will be given to an individual who will look after whether the newly laid laws and practices are being followed. A DPO will have to be appointed in all offices that will in any way do business with the European Union or collect EU citizens' data at any point in time. The following are the roles of a DPO:
• To ensure the security and safety of data
• To conduct privacy assessments internally
• To report those who won't comply with the new rules
• To monitor data activities in order to protect the data and have all the necessary security and risk management aspects sorted
• To be in contact with superiors if in any circumstance someone's data is being processed
• To manage and view all the legal documentation
All companies to which the GDPR rules are going to apply must appoint a DPO to meet the policy requirements.
CHAPTER 3
INDUSTRIES THAT WILL MAJORLY GET AFFECTED BY EU GDPR REGULATIONS
Companies are divided into two categories: "controllers" and "processors". Companies that fall under the category of "processors" actually deal with the personal data of data subjects. For "processors" it is essential to maintain all the personal data records and document how they are being processed. The companies in this category are more legally liable to be held responsible in case of a data breach.
The other category, "controllers", although they don't process the data themselves, are obligated to follow the terms and conditions of the GDPR policy once they forward the data to the "processors". The companies in this category must also be in full compliance with GDPR.
Regardless of where an organisation is physically located, if it has a web presence and offers goods and services within EU boundaries, it must follow GDPR guidelines. The industries that are going to be most affected by GDPR are service providers, marketing, the automobile industry, finance and the IT industry.
Companies based outside the EU are also headed towards a deadline for EU GDPR compliance. So, wait no more and move to the next section to know more about EU Compliance.
CHAPTER 4
EU COMPLIANCE
The main motive of the EU for strongly implementing GDPR is to return to citizens the right over their data sharing and security. Under EU GDPR compliance, the following have been mandated for organisations:
4.1 Data Control
In order to ensure the security of citizens' data, use it for the authorised purpose only, which in turn reduces its exposure to third-party entities.
4.2 Data Security
Implement strong data security measures to preserve the information collected from data subjects. For tech-based industries, data encryption must be a priority.
4.3 Data Breach
In case the organisation is under a threat of security breach, necessary measures must be taken at the earliest, i.e. authorities must be notified within 72 hours, without undue delay.
4.4 Risk Reduction Strategy
Implement the compliance measures properly and ask all third-party customers to comply with them as well. A risk management policy must be prepared by all companies in order to handle any critical situation.
CHAPTER 4
A few extra pointers to keep in mind:
• Organisations complying with GDPR must only process data for authorised purposes
• Organisations and companies should make sure of data accuracy and integrity
• Update all the policy documents and legalise them
• Create awareness of the GDPR policies and distribute the notice about the changes to one and all
• Make sure to have the consent to use data in a valid form or document
• Create a database with all the entries of the data reviewed in detail
• Implement all necessary data security measures, including encryption of EU citizens' data
CHAPTER 5
STEPS FOR EU COMPLIANCE
It is a 6-step process for organisations to prepare for GDPR compliance:
5.1 Understand GDPR
It's not just about securing data: many other regulations and data features are implicated for businesses and corporations under the EU. The EU legislation has laid down all the rules for collecting and processing its citizens' data.
5.2 Create a Data Map
Research, discover and document every little detail you come across, which includes all the decisions, all the acts under regulation and the risk factors related to data.
5.3 Classification of Data
GDPR legislation has categorised data (according to whether the privacy factor applies to it or not); determine whether the data collected by your organisation falls under any special category defined by GDPR. If yes, then how is it to be accessed and processed further, and with whom may the data be shared?
5.4 Begin Data Evaluation
Evaluate the data collected by setting a priority for it. Research in depth the private data, its review policies and procedures. Apply the required security measures to protect against any data breach and secure it in the repositories once assessed.
5.5 Access Document and Risk Management
Have a risk management strategy for all the data that your organisation has collected. Investigate the data thoroughly and make proper documents about it.
5.6 Revise and Repeat
Last but not least, repeat the above 5 steps whenever necessary.
CHAPTER 6
SOME HELPFUL STATISTICS
As the deadline for GDPR enforcement approaches, many organisations are making attempts to understand the policies and to comply with them if applicable. But a few months ago, various companies lacked an understanding of EU GDPR policies and rules. A survey taken at that time depicted the lack of global understanding of GDPR. A few statistics here show the results of the survey:
• 3%: Just 3% of professionals whose role involves consumer data collection, storage, or processing fully understand what is covered by the upcoming GDPR
• 42%: Only four in every ten say their company will use independent legal advice
• 32%: One-third anticipate a significant impact, despite a lack of understanding
CHAPTER 6
SURVEY
Another survey conducted by PwC of 200 CIOs, CISOs, General Counsels, CCOs, CPOs and CMOs from US companies showed the following results:
• 54% reported that GDPR readiness is the highest priority on their data privacy and security agenda.
• Another 38% said GDPR is one of several top priorities.
• 77% plan to spend $1 million or more on GDPR.
• 54% of respondents plan to de-identify European personal data to reduce GDPR risk exposure.
CHAPTER 7
EFFECTS OF GDPR ON EVENTS INDUSTRY
This is a question widely asked by event professionals since GDPR came into the limelight. The event industry has an upper hand in collecting and storing data of all the attendees of any event across the globe. To secure and safeguard the data of EU citizens, the government approved the General Data Protection Regulation.
Events being held after 25th May 2018 are already signed up for GDPR regulations, i.e. any event planner who collects the data of EU citizens, regardless of the event location, is supposed to abide by the GDPR policies. Event planners or event planning companies fall under the category of "controllers", but vendors like sales, marketing and event-tech people, and so on, are "processors", which makes the event industry follow the GDPR policies.
Meetings, events and exhibitions are a base for collecting innumerable data which is vulnerable to a security breach. The GDPR regulations have brought major changes in how data is going to be collected for event forms and ticketing procedures, so that it cannot be used for unnecessary marketing purposes without getting the consent of the users. The consent also brings a clause on sharing the attendee's information with third-party organisations, which may be sponsors, vendors or tech providers.
CHAPTER 7
Under the safe umbrella of GDPR, all event organisations will have to appoint a DPO, who will act as a moderator for which data should be collected and how to secure it by the terms defined under the regulations. It is to assure the clients that trust the event planning and management companies that their data won't be misused.
There are a few steps that event planners can follow in order to ensure the safety of the data being collected for registration purposes:
• Identification of the personal data and where it resides in the system
• Documenting the in-depth analysis of how the data is being processed and used for the event
• Taking all the required measures, like appointing a DPO to supervise the activities, in order to prevent data breaches by encrypting the digital data
• Providing access and rights to EU citizens over their data
• Tracking the event data for documentation and audits
Meetings, exhibitions, events, trade shows and conferences are at the forefront of data collection and management, and they must comply with GDPR. The deadline is approaching, and many events are already in the queue to be held in 2018, so without any undue delay, get your compliance.
CHAPTER 8
EFFECT ON EVENT-TECH COMPANIES AND VENDORS
Event-tech companies like event website and app providers fall under the category of "processors". Hence, these vendors or companies are required to comply with the GDPR guidelines and prove that the event data with them is safe and secure. Here are certain rules that all event-tech providers must take into account to meet the standards set by EU GDPR:
• Companies residing outside the EU can host their data on non-EU servers, but the data transfers and storage need to meet the required protocols of GDPR safety. All the legitimate actions must be taken in order to explain the event data protection being used by the organisation.
• Data servers and their location do play a vital part in ensuring event data safety, but in the end it comes down to the person in charge of accessing the information.
• The authorities who will access and process the personal data must abide by the security policies and make sure not to involve any third-party entity in it.
CHAPTER 8
• Companies providing event registration and ticketing software must include a disclaimer note with a consent box, intended to ask permission before storing users' information in the database. Also, capture the IP address of the system from which the data is being filled in along with the consent, for future safety.
• The tech team must be ready with a hands-on system in order to delete the data of a user whenever requested. Set up a policy statement for EU users so they can trust the organisation with their data.
• Organisations must develop a proper methodology in order to follow all the points provided above.
• The event-tech partners for events must comply with the following rules for data protection:
• Train all employees about GDPR and how it should be made effective in event data collection
• Use encryption technologies to secure the data from undergoing any breach
• Get the necessary security certifications
CHAPTER 9
HEAR IT FROM THE EXPERTS
Let's hear what people have to say about the new law being passed by the EU government for the data protection of its citizens.
HELLEN BEVERIDGE
Privacy Lead at Data Oversight
"This is the first time for many organisations that they have come directly into contact with compliance as a business process and it is not a simple tick box 'do this' exercise. If we think back to when health and safety regulations were introduced we are going through the same process with GDPR. Panic prevents thoughtful, and meaningful consideration of what is required and how to effect change"
CHAPTER 9
An interesting comment that was mentioned in the MICE blog:
KEVIN JACKSON
Business Growth Specialist
"We all want to be treated as individuals. It's about protecting people's privacy, protecting people's data and treating people as you want to be treated yourself"
ELIZABETH DENHAM
Information Commissioner for the United Kingdom
"The GDPR is a step change for data protection. It's still an evolution, not a revolution"
RESOURCES
• https://www.itgovernance.co.uk/
• https://www.eugdpr.org/eugdpr.org.html (Official Website of GDPR)
• http://www.wired.co.uk/article/what-is-gdpr-uk-eu-legislation-compliance-summary-fines-2018
• https://gdpr-info.eu/ - All the articles of GDPR (official document)
• https://www.csoonline.com/article/3239786/regulation/6-steps-for-gdpr-compliance.html
• https://martechtoday.com/guide/gdpr-the-general-data-protection-regulation
• https://ico.org.uk/
• https://www.lexology.com/library/detail.aspx?g=1426e18d-f687-45a0-b779-4aeb362a03ac - For Tech Requirements
• https://safenet.gemalto.com/data-protection/data-compliance/european-union-eu-compliance/
• https://ec.europa.eu/info/law/law-topic/data-protection_en
• https://www.exchangewire.com/blog/2017/10/30/3-data-professionals-understand-implications-gdpr/
• http://www.themiceblog.com/gdpr-events-industry/
CONCLUSION
Those who haven't yet started on GDPR compliance must start now. Especially event-tech organisations that have already taken up deals for providing their products and services for upcoming events in 2018 must get their security systems updated and well documented to avoid any issues from the EU government.
ABOUT HUBILO
With a vision of building a one-stop solution for any type of event - be it a conference, a seminar, a workshop or an off-site event - Hubilo helps you in executing a dynamically interactive event by setting up the entire online management suite required for the event within a few minutes!
Say goodbye to the mundane task of doing things manually and allow the event management software to do it in an easier and much more efficient way. Automate the whole process and get your event powered by Hubilo.