The 25 May 2018 deadline for the entry into force of the GDPR regulation is fast approaching. It’s therefore time for your organisation to get ready for the new regulation so that you can continue your activities as an event professional safely, legally and efficiently.
On Wednesday 11 April, Halito! held a hands-on webinar in conjunction with Mundo Digitalis and Ghys Projects on the practical applications of GDPR. It dealt with the basic principles of GDPR, the obligations for organisations and the opportunities that GDPR entails.
During the webinar, many questions were asked about the regulation. We have made a selection of the most important questions for you.
1. Is the creation of a data register obligatory for every business?
The Belgian and Dutch Data Protection Authorities both recommend that you create a data register. It is a practical way to provide proof on request that you have a legal basis for the processing of personal data (accountability). It’s useful to have a concise overview in one central location of which third parties are all involved in the processing of data, and this is done in a data register.
2. As a business organising an event, should you draw up a processing agreement in which a software supplier such as Halito! is included?
Yes, as a data controller you are obliged to draw up a processing agreement with a data processor. In this case Halito! is the processor. The processing agreement sets out, among other things, exactly what the processor may do with the personal data.
3. After how many days do you have to delete guest lists containing personal data?
GDPR does not give any instructions on this. It is up to businesses themselves to determine how long they want or need to store the data for. In deciding on a retention period, take account especially of questions such as: Why am I keeping these data? What’s the point? If storage isn’t necessary, or has ceased to be necessary, delete the data as soon as possible.
Guest lists which have been imported into Halito! are never kept for longer than necessary. When an event is archived, personal data are automatically deleted after 14 days. This gives the event professional enough time to export the guest lists before they are removed, if necessary.
4. Can a programme booklet with the names, photos and brief CVs of the participants be distributed by email?
At the point where you want to process personal data, you need permission from the people concerned. To create a programme booklet and distribute it by email or on an event site, you first need the explicit permission of the participants. The easiest way to do this is to request permission from the guest at the time of registration.
Want more information on handling personal data?
5. If someone has previously given an explicit opt-in for a newsletter, do you have to ask their permission again to keep the data?
It depends on how permission was obtained. If the person has explicitly signed up for a certain offer, clearly indicating what can and will be done with the data, then new permission is not required.
Want to know more about what’s in GDPR? Read about the most important GDPR concepts here.