Ioan Popovici
Chief Software Engineer
In the first article of this series, I outlined some of the main points that need review before you think about making your event GDPR compliant, and mentioned that in doing so you will obtain, as a happy byproduct, a nice fingerprint of your event.
Now, as a side note, and as you probably have already figured out, this series of articles is not necessarily addressing those environments that already have a data governance framework in place. If this is your case, I am sure you already have the procedure and tools in place. This series may become interesting for you when we get to talk about some specific tools, information security topics and some disaster scenarios.
There is still some ground to cover regarding this topic, so let’s go!
Most probably, your main focus in the beginning is: let’s cover some of the costs using sponsors, and let’s fire up those registration and call-for-content procedures right away. Now, let’s not rush into that. In order for you to collect data from participants and speakers (in short), you must have a legal basis for doing that. The legal basis for the processing (in this case, just collecting the data) may not be much of a choice, even though it seems so. In our experience, given the specifics of our activity, your choices may be: consent, and fulfillment of a contract. You will probably want a homogeneous legal basis for all of your participants. Let’s assume consent as the legal basis for processing.
Consent
To obtain consent, you are obligated to give the person offering consent several pieces of information:
- Recipients of the personal data
- Intention to transfer data to a third country or international organization
- Storage period, or the criteria used to determine it
- How is automated decision making present in processing?
Just to name a few. I will not detail the full challenges of what a consent should be here, because this may become boring to you. You may know all this already. After all, you are already in this business.
Several of these topics are easy to pinpoint if you went through the process detailed in the first article of the series (e.g. identifying the recipients of the personal data). Still, some of the topics do not derive from that first process.
Establishing Data-Flow and assessing the tools
To be able to answer questions like:
- Are these data going to travel outside the EU? Where exactly?
- Are we going to profile anybody, or do some automated decision making?
you first need to define a data flow for personal data and, even more, start thinking about the tools you are going to use.
Remember that in our first article we talked about the need to think about third-party software that may help you with some of your activities? Where does this software maintain its data? Is it outside the EU? Can you control this?
You see where I am going with this: formalizing the data flow and knowing what tools touch your data is of the utmost importance before even asking anybody for consent.
But don’t panic! These are things you needed to do for your event anyway; now you just need to do them earlier. And if you ask me, that is exactly the proper moment to benefit the most from them. You do not want to start thinking about what tools you need when you already have 300 attendees registered by phone. That would be a bummer.
Next time, we are going to take a deeper look into tools and some basic security requirements that we recommend! Be safe!