GDPR For Conference Organisers

Written by Researchbite | Updated on: January 17, 2023

"GDPR" is an acronym for "General Data Protection Regulation". On May 25, 2018, the European Union (EU) enacted it to increase individual rights and data control while bringing consistency to data protection. Instead of dealing with various sets of rules in each nation, GDPR enables businesses to have more definite and simple legal requirements to comply with throughout the 28 EU countries.

Organizations that violate the GDPR might face fines of up to €20 million, or 4% of their annual global revenue, whichever is higher. Therefore, investing in personnel and technology is worthwhile to ensure that your company complies with GDPR. Although this law protects residents and citizens of the UK and the EU, you must still abide by it if your event takes place elsewhere and you want UK and EU persons to participate, or to access your online material while giving you their personal information. Since the EU has some of the strictest privacy laws, it might be beneficial to follow them. Legal Jobs reports that 66% of Americans may favour US personal privacy regulations that are similar to the GDPR.

The GDPR addresses several concerns, including the safety of websites, the right of customers to have their data destroyed, the accessibility of their data, and more. If you discover that your current practices do not adhere to the GDPR, you may need to audit the personal data you have acquired and update your policies and procedures to guarantee you treat data appropriately and securely. GDPR impacts most of your actions as a conference planner because acquiring sensitive data from your clients is essential to your work. According to Legal Jobs, over 1000 online sites, in the US and other countries outside Europe, have blocked EU viewers because they are not ready to comply with the GDPR. As a result, they give up on the less attractive EU market.

Why is GDPR necessary?

A company-wide approach to managing the lifetime of personal data is the goal of changes made under GDPR, which are intended to help businesses move away from a tick-box compliance mentality toward the protection and privacy of personal information. These are the top ten crucial points:

  1. GDPR covers a larger geographic area. It doesn't matter where you live—it applies. Any business that transacts with citizens of the EU is subject to GDPR. If you gather IP addresses or use tracking cookies, you might be subject to GDPR even if you provide a free service, like a website that people in the EU can access.
  2. The authority to impose substantially harsher sanctions for personal data breaches will be granted to Data Protection Authorities (DPAs). Under GDPR, fines are applied in a graduated manner. For the most egregious infractions, such as processing consumer data without proper consent.
  3. Online identifiers like IP addresses and the identities of mobile devices are now clearly included in the concept of "personal data," which has been expanded.
  4. Companies will no longer be permitted to use lengthy, difficult-to-read terms and conditions, and organizations will need to obtain explicit consent from people before processing their data. Two of the additional rights that people will have over how their data is treated are the right to have their information destroyed (often referred to as the "right to be forgotten") and the right to have their data transmitted to another controller.
  5. The GDPR outlines expected procedures and makes certain technical and organizational safeguards for the protection of personal data essential. The ability to guarantee confidentiality, integrity, availability, and policies to evaluate the efficiency of security measures are all related to the hashing and encryption of personal data.
  6. The use of data processing organizations will be required. As a result, businesses will need to maintain written (or electronic) records of all operations involving the processing of personal data, including the data's lifecycle and the identity and contact information of the data controller.
  7. Security risk assessments will be necessary for technologies or procedures, such as data profiling, that are expected to pose a significant danger to individuals.
  8. Reporting of breaches involving personal data will be required. Organizations must notify the DPA of personal data breaches under Article 33 of the GDPR within 72 hours of becoming aware of them. Individuals must be notified "without delay" if a breach involves a great danger to them, such as unencrypted personal data.
  9. If your company observes individuals on a large scale or processes unique categories of data, the DPO must directly report to the company's top management and make sure the business complies with the rules. They must carry out their duties independently and are not subject to discipline or punishment for doing so.
  10. The Act aims to achieve data security by design and default. The GDPR is the first law to make privacy by design a requirement, although the concept has existed for some time. Fundamentally, "privacy by design" calls for data protection to be integrated into system design from the beginning rather than added later.

The GDPR doesn't just apply to companies bombarding you with updated Ts & Cs emails earlier this summer; anybody who has access to another person's data is subject to the new data protection law. Additionally, managing a research conference requires access to a lot of personal data. Your conference could face astronomically high fines if you don't make the data policies and procedures compliant. Even if you host a conference outside of the EU, you might not be exempt. The GDPR comes with extended jurisdiction, which implies that every EU citizen has the same rights regardless of where their data is processed. Therefore, as a conference organizer, the GDPR applies to you if your conference accepts papers or registrations from academics who are nationals of the EU.

The GDPR intends to safeguard EU citizens from breaches involving their personal information, including names, addresses, and organizations. It's important to remember that conference submissions' titles, contents, and reviews don't comprise personal data.

9 GDPR Guidelines For Conference Organisers

Conference organizers may now find themselves in hot water due to current practices of obtaining permission to use authors' and delegates' data and how this data is frequently handled. Requesting individuals to register for your conference email lists is just the first step towards making your educational event compatible.

Here are nine guidelines to help you make sure your delegate data complies with GDPR.

Utilize Data In A Clear, Permissible, And Suitable Manner.

You must obtain explicit, unambiguous agreement from researchers before storing and utilizing their personal information as a conference organizer. Pre-checked boxes on signup forms won't be accepted anymore. Instead, be upfront with your contacts about how you intend to use their information (such as informing them of upcoming conferences or sharing it with sponsors) and get specific approval for each one, for example, by including a custom question on your submission form.

Only Use The Info You Have Received For The Intended Purpose.

According to the GDPR, you should only keep data for as long as necessary to fulfil the purposes for which you were given access to it. For instance, if a delegate attended the conference the year before, you need their email address but not their dietary restrictions. Remove copies of this useless information from all computers after the conference.

Verify That Your Conference Software Complies With GDPR

It would be best to incorporate data security into the tools and procedures you use to collect and manage personal data. This means that all providers who handle your attendees' data must comply with GDPR for your conference to be GDPR compliant.

If You Handle Personal Data, Do So Securely.

Keeping your delegate data in a safe software environment is good practice. However, periodically you'll need to handle researchers' data outside of a software environment (and the more you can keep it inside one piece of software, the better). When doing so, consider where it will be held, who will have access to it, and the hazards. Put procedures in place for data protection so that you don't share passwords, store data on unencrypted hard drives, or leave printed registration lists at conferences unattended.

Handle Sensitive Information With Great Caution.

The less information you gather when dealing with sensitive data, such as details on a person's sexual orientation, ethnicity, or medical issues, the better. If possible, avoid collecting or storing this type of data because the GDPR imposes much harsher penalties for its misuse or breach. And if you believe that gathering this kind of data is necessary for your conference, consult a lawyer about the best way to proceed under the GDPR.

Permit Users To Access Their Data

Any EU citizen may, for no cost, get a copy of all the personal information you have on them per the GDPR. Create a procedure to assist you in giving people their data within 30 days of their request in a machine-readable format, such as an Excel file.

Fix Mistakes When Prompted

Additionally, residents of the EU are entitled to the rectification of inaccurate personal data. For instance, if one of your authors adds a co-author but spells their name incorrectly, the co-author now has the opportunity to request that the mistake be corrected. When someone submits a change request, you must have a process in place to update all the systems you use to manage your delegate data.

Remove Personal Information When Prompted

European Union meeting attendees now also have the right to be forgotten, which means that you have 30 days to remove all personal information about someone if they request it. This also holds for any data that your providers process, including registration and database management software. Therefore, be careful to have a contract in place with providers like these that requires them to abide by deletion orders. Under the GDPR, you will be held responsible if your suppliers cannot delete delegate data or refuse to comply with requests like these.

It's crucial to remember that academic work that has been presented at a conference is regarded as existing in the public domain. Therefore, under the GDPR, the fact that a specific author published a particular work is not regarded as private personal data. This exemption, however, does not cover sensitive information like a person's dietary preferences; it only covers information like a published author's name, affiliation, and country.

Alert All Those Impacted By A Security Breach

Because of the GDPR, it is now required to alert conference contacts and data protection authorities within 72 hours of learning of a security breach. Here, keeping your delegate data in a safe software environment can make a difference. We also have the communication resources you'll need to reach those affected during the crucial 72-hour window if there is a breach. As a result, carefully analyse all the tools you'll need to handle and store delegate data and establish a procedure for resolving security breaches.

Final Words

We've talked about how the GDPR affects both you and your company. You can safeguard your clients' right to privacy by strictly adhering to it. This protection enables you to behave within the bounds of the law, improves your company's reputation, and aids in preventing costly penalties or negative publicity brought on by non-compliance. When working within the UK/EU or with UK/EU residents or nationals, it's imperative to follow the rules strictly. However, using it worldwide would improve your company's reputation. Nearly 8 out of 10 US companies, according to Legal Jobs, have taken action to comply with the GDPR.

As a conference organizer, you must guard against fines for breaking privacy laws, especially in light of the growing awareness of individuals' rights regarding the information they share with organizations. You may achieve this by ensuring that all the information you gather through event registrations, surveys, and other sources is secure and doesn't violate users' privacy. To prevent privacy concerns, one of the regulations you must seriously adhere to is GDPR.
