The GDPR is the European "General Data Protection Regulation". As of May 25th, 2018, this legislation harmonizes data privacy and protection laws across Europe for all EU member states. The GDPR regulates how the personal data of EU citizens can be collected, used and processed by organizations.
Those that fail to comply with the GDPR could face sanctions as follows:
Although the GDPR legislation is implemented by the European Union, it applies to all organizations regardless of their physical location. This means it applies not only to organizations based in the EU, but also to those located outside the EU that have any EU contacts or customers.
The GDPR legislation refers to the "development of international cooperation mechanisms to facilitate the effective enforcement of legislation". It remains to be seen how far the cooperation will extend between the EU and non-EU countries, but it is in the best interest of all countries to cooperate so that non-EU citizens' data is equally protected within the EU. If the US does not assist in the enforcement of sanctions imposed under international law, it is conceivable that the personal information of US citizens will be treated "in kind" and will become freely available, without sanctions, throughout the world to whoever wants to use it. Inevitably there will be an outcry from aggrieved citizens, as we have already seen against companies like Facebook, Equifax and others.
If you are an association, society or conference you are most likely considered a “Controller” of personal data under the GDPR. A Controller is the entity which determines the purposes and means for the processing of personal data. Controllers are primarily responsible for the protection of personal data.
To avoid sanctions as a Controller, it is best to avoid collecting sensitive data. If for some reason you have sensitive data in your database, DELETE IT, and in future DO NOT ASK your contacts for data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, national identification numbers, passport numbers, credit card numbers, biometric data for the purpose of uniquely identifying a natural person, data concerning health, data concerning a natural person's sex life or sexual orientation, or data that could lead to discrimination, identity theft or fraud, financial loss, or damage to reputation. This is not the full list; again, if you have concerns, consult your legal counsel.
Controllers who collect such data will be required to conduct Privacy Impact Assessments ("PIAs") for the processing of highly sensitive data and must also maintain records of processing activities.
The majority of our clients are simply collecting abstracts, papers and conference registration details, and as such we don't believe our clients will be subject to PIAs. However, the obligation remains on the client to make their own determination based on the data they wish to collect.
Controllers are also required to erase personal data without undue delay (i) if the data is no longer needed; (ii) if an individual objects to processing; or (iii) if the processing was unlawful. Where there has been a request to erase data, a Controller must take reasonable steps to do so.
X-CD provides all of our clients with the backend system tools to delete personal data and our clients may do so without our involvement should an objection to processing or a withdrawal of consent be communicated.
A Processor is an entity which processes personal data on behalf of the Controller. For the purposes of the GDPR, X-CD is the Processor.
Processors are required to “implement technical and organisational measures to ensure appropriate security of processing, including encryption, maintaining confidentiality, restoration of access following physical/technical incidents and regular testing”. What is appropriate will likely be assessed in terms of a variety of factors including the sensitivity of the data, the risks to individuals associated with any security breach, the state of the art, the costs of implementation and the nature of the processing.
X-CD has implemented the following to meet the GDPR legislation:
In summary, X-CD's processes and licensed software will meet GDPR Processor obligations.
[Screenshot: the mandatory opt-in located on the Contact Profile Form]
The GDPR defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” The GDPR, broadly, requires that consent be obtained to process personal data. Silence or inactivity does not constitute consent.
To assist our clients in meeting the GDPR consent requirements, as of April 2018 X-CD has implemented a mandatory opt-in clause to ensure that all contacts submitting personal information agree that they are providing their information freely and with their full consent. Contacts cannot submit data unless they opt in.
CAVEAT: The Q&A below briefly answers some general questions about the GDPR. It is in no way exhaustive and should not be relied on as a sole source of information. You are strongly advised to seek advice from an independent legal representative to see how the GDPR may directly impact your organization.