It’s GDPR Time, Do You Know Who Your Third-Party Processors Are?
This is the third blog in our GDPR series. To catch up on the series, read our “GDPR and the Event Professional” and “Getting Ready for GDPR – It’s All About Consent” posts.
Come May 25, enforcement begins for GDPR, the General Data Protection Regulation.
You know, that set of regulations put forth by the European Union, protecting the data privacy rights of its citizens?
Yeah, that one…
While the new set of regulations affects just about any business that collects personal information, the impact on the meetings industry is pretty big. Why? It’s all about the Third-Party Processors.
That’s a fancy term that describes all the vendors and businesses you, as the meeting planner, deal with when organizing and putting on an event.
Anyone who receives an exported spreadsheet, receives a report by email, anyone who is doing something for your attendees, is a third-party processor. And it’s really, really important to stay on top of who they are and what they are looking at.
That’s because if your transportation vendor receives a list of attendees and their travel arrangements, they have taken possession of personal data. And the rights of your attendees to know who is looking at their personal information, and to know what they are doing with it, are job number one.
It’s a right under GDPR, and as the meeting manager, you have obligations to be on top of the situation.
So, what exactly are your obligations?
You are obligated to maintain control of your attendees’ personal information. This means that if you share this data with any third parties, you need to be able to know who they are, authorize them to see your attendees’ personal information, and know what data they are seeing and when they are seeing it.
Pretty simple, right?
Depending on the size and complexity of your event, it’s not always an easy thing to accomplish.
You share your attendees’ data with lots of third parties. Hotels, transportation, golf tournaments, planned activities, and much more. They all want lists of attendees they are working with, transporting, housing, or whatever. It can get pretty busy keeping it all organized!
It doesn’t end there!
Under GDPR, you are also obligated to completely delete personal data after a reasonable time frame after your event ends. More than that, you are also obligated to remove and delete personal data for any attendee who asks you to do so. By extension, so are your third-party vendors.
Now, you are not legally responsible for their actions. But, you are required to inform your third-party vendors of any request to remove and delete personal information.
That’s where things can keep you busy.
So, smart meeting planners are developing internal processes to identify their third parties, to track whenever those parties access and view the personal details of attendees, and, most important, to have processes in place to generate communications if and when they receive a request to delete personal information.
YOUR obligation is to inform your third parties. It is up to your vendors to figure out how to comply with the request. But, you definitely need to make sure you are informing them of the request.
Many event planners are partnering with technology solutions that understand the needs of managing the data privacy requirements found in GDPR as well as other regulations that are assuredly coming in the next few years.
Centium Software, publisher of the popular event management platform EventsAir, thought long and hard about helping their clients manage the issues surrounding GDPR and data privacy.
“We knew that the issues surrounding GDPR were complex and intimidating to our clients,” said Alec Sonenthal, Director of Technology for Centium Software. “We have clients in over 50 countries, and many of them were directly affected by these GDPR requirements.”
“We decided to create something really new for the meetings industry – a fully realized set of tools and processes designed to help our clients meet and exceed the many obligations they have under GDPR. We call it the Data Protection Toolkit, and it’s a fully integrated set of tools and processes that our clients can use in meeting their GDPR obligations.” – Alec Sonenthal
Mr. Sonenthal noted that the management of third-party vendors was an especially challenging situation for meeting planners.
“It’s easy for third party vendors to run reports, receive exports and access details about attendees,” Mr. Sonenthal said. “What we did with the Data Protection Tool was track every time a third-party vendor accessed a report or export, logged that data, and made sure our clients could communicate that information to their attendees whenever requested.”
Mr. Sonenthal went on to explain that third-party notification is a crucial aspect of complying with GDPR.
“If any attendee requests that you delete, or ‘forget’, their personal data, you must comply in a reasonable time,” Mr. Sonenthal said. “That obligation also requires you to inform any third party that has access to that attendee’s personal data of the request to delete their information.”
According to Mr. Sonenthal, the Data Protection Tool can generate email communications to third-party vendors that are written by the meeting planner to reflect their organization’s requirements and processes.
One Company’s Solution
EventsAIR by Centium Software has been producing event management software for over 30 years. As technology pioneers for the meetings industry, EventsAir has been fully GDPR compliant since its inception. The platform is built around the Microsoft Azure Cloud and offers a powerful Cloud App structure that includes highly secure and private databases for every client as well as incorporating the highest degree of PCI Security to assure all personal data and credit card details are fully protected.
The team behind EventsAir has recently released the EventsAir Data Protection Toolkit – a fully integrated set of tools and processes designed to help meeting organizers provide superior data protection for their clients’ personal data. In addition, the Toolkit provides a series of tools and processes to help EventsAir clients achieve full compliance with GDPR regulations.
Applying the processes and tools to ongoing registration and event management efforts will provide excellent protection of personal data along with the reporting, logging and tracking that are required by many of today’s data privacy regulations.