Aside from our own such email, here at Corsizio, which has been sent out to all of our account users, we want to help you understand how the GDPR may impact you as an event organizer who collects data from individuals via your event registration forms.
What is the GDPR?
The GDPR, which stands for General Data Protection Regulation, is a legal framework that establishes guidelines for the collection and processing of personal information of individuals within the European Union (EU). This framework also provides principles for data management and outlines the rights of the individual.
The GDPR was adopted in April 2016, but legally comes into effect across the European Union on May 25, 2018. Any individual, business, company or organization that collects, processes or controls data of individuals is subject to fines and penalties if they do not comply with the GDPR.
How Does the GDPR Affect Other Parts of the World?
If you live, reside or do business within the European Union, the answer is obvious: you must comply with the GDPR, unless you want to risk penalties and fines.
If you live outside of the EU, the GDPR may or may not apply to you and how you run your business. The deciding factor boils down to whether you have any kind of audience, users, clients or customers in the EU.
For example, if you live in the United States but run global events where people from any part of the world, including Europe, can register, then you also need to abide by the GDPR. If, on the other hand, your audience and business reach is strictly confined to the United States, then you do not need to comply with the GDPR. But even in this latter case, it is a good idea both to familiarize yourself with the GDPR and to run your business with the highest level of data privacy and security in mind, as it is likely that other countries will follow suit in various manners. For example, Canada already has PIPEDA (the Personal Information Protection and Electronic Documents Act), which is similar to the GDPR.
At Corsizio, even though we operate from outside of Europe (in Canada), we must comply with the GDPR because we have European users.
Your Role vs. Our Role
As a simple summary, the GDPR has two categorizations for anyone who deals with the data of other people: Data Controllers and Data Processors. Let’s apply this in practical terms to help you understand where you fit in. If you have an account with Corsizio, you are considered an event organizer, meaning that you create events for which registrations are facilitated by Corsizio. When you create registration forms via a service like ours, you control what information you require from your event registrants or attendees, and you control how you will use that information. This makes you the data controller. (Depending on the nature of your business you may also be a data processor.) By facilitating this event registration process, Corsizio predominantly acts as the data processor, who processes data on behalf of you, the controller.
Our job is to ensure that any data that passes through our system, be it yours or your customers', is safe and treated with the utmost security. From its inception, Corsizio has been built on Privacy by Design and is fully committed to operating with transparency, accountability and choice regarding the collection and use of any personal data. From this perspective, not much is changing within our internal framework and policies in how we deliver our service to you and deal with your data. The GDPR coming into effect simply means that we apply the strictest data privacy protocol for all of our account holders, regardless of where they live or operate from in the world.
For more information, you can read:
- Our Privacy Statement.
- Our Data Processing Addendum, which takes into account the GDPR.
- Google Cloud Platform’s Approach to the GDPR, which is the service Corsizio uses to run our servers and store all of our data securely.
- Stripe’s Approach to the GDPR, which is the service Corsizio uses to facilitate all online payments on our platform.
- SendGrid’s Approach to the GDPR, which is the service Corsizio uses to send out all communications, like emails, memos and event notifications to you and/or your attendees.
- Our Corsizio help doc: How to include a terms and conditions policy on your registration forms.
Responsible Data Use By Data Controllers (Event Organizers)
On your end, there are several things you should keep in mind in order to (a) comply with the GDPR, if you are required to, and (b) operate your business with utmost integrity and security when it comes to protecting the data of your customers, also referred to as data subjects. (If you are an EU citizen, operate within Europe and/or have any European users/customers, please familiarize yourself with the full scope of the GDPR beyond this article alone and/or contact your legal counsel.)
As a data controller you understand that:
- Any data about your data subjects that is personally identifiable is subject to privacy laws.
- Certain categories of data are prohibited from being processed, such as race or sexual orientation, unless they fall under one of the 10 exemptions.
- Data subjects must give you their informed consent freely for the purpose of collecting any data about them. This consent must be collected in a clear, specific and unambiguous way that requires clear affirmative action on their part.
- There must be a legitimate interest for the data being collected, as stipulated by the regulations.
In addition, as a data controller, you need to provide your data subjects with the following rights:
1. Right to Access Data
Data controllers are required to provide data subjects a copy of their processed personal data upon request. This means you need to provide your customers with information about what data you collected and why, the categories of the data processed, if any third parties have access to this data, and how long that data will be stored.
2. Right to Update Data
Data controllers need to allow their data subjects to update or correct any data about them in a timely manner.
3. Right to Be Forgotten
Data controllers need to have a process in place through which data subjects can request that their data be deleted, erased or removed.
If any of your customers (data subjects) ask to be removed from any of your Corsizio-facilitated event records, we have in place an expunge option, which will remove all of their personally identifiable information, without negatively impacting your and our financial and statistical reporting.
4. Right to Data Portability
Data controllers are required to provide data subjects with the data collected and/or processed about them in a commonly used, machine-readable format, such as a CSV or TXT file. Data controllers may be required to transfer that data, on behalf of the data subject, to another data controller/processor in a timely manner.
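As an added illustration, not Corsizio's own code and not a description of how its expunge option is implemented, the following Python sketch shows the two operations behind the "right to be forgotten" and "right to data portability" items above: exporting one data subject's registration records as a CSV file, and expunging that subject's personally identifiable fields while leaving the financial and statistical fields (and therefore revenue totals) untouched. The registration records, field names and email addresses are constructed sample data.

```python
import csv
import io
from typing import Dict, List

# Constructed sample registration records (assumed schema, not Corsizio's).
# Each row mixes personally identifiable fields with financial/statistical ones.
PII_FIELDS = ("name", "email", "phone")
KEEP_FIELDS = ("registration_id", "event", "ticket_amount", "registered_on")

REGISTRATIONS: List[Dict[str, object]] = [
    {"registration_id": 1, "event": "Intro Workshop", "name": "Alice Example",
     "email": "alice@example.org", "phone": "+1-555-0100",
     "ticket_amount": 120.00, "registered_on": "2018-05-01"},
    {"registration_id": 2, "event": "Intro Workshop", "name": "Bob Example",
     "email": "bob@example.org", "phone": "+1-555-0101",
     "ticket_amount": 120.00, "registered_on": "2018-05-02"},
    {"registration_id": 3, "event": "Advanced Lab", "name": "Alice Example",
     "email": "alice@example.org", "phone": "+1-555-0100",
     "ticket_amount": 250.00, "registered_on": "2018-05-03"},
]


def export_subject_data(records: List[Dict[str, object]], email: str) -> str:
    """Right to data portability: every record belonging to one data subject,
    rendered as CSV text (a commonly used, machine-readable format)."""
    fields = list(KEEP_FIELDS) + list(PII_FIELDS)
    buf = io.StringIO()
    # extrasaction="ignore" skips bookkeeping keys such as "expunged".
    writer = csv.DictWriter(buf, fieldnames=fields, extrasaction="ignore")
    writer.writeheader()
    for row in records:
        if row.get("email") == email:
            writer.writerow(row)
    return buf.getvalue()


def expunge_subject(records: List[Dict[str, object]], email: str) -> List[Dict[str, object]]:
    """Right to be forgotten: return a new record set in which the subject's
    PII fields are blanked, while registration ids, event names, amounts and
    dates survive so that financial and statistical reporting is unaffected."""
    result = []
    for row in records:
        new_row = dict(row)
        if new_row.get("email") == email:
            for field in PII_FIELDS:
                new_row[field] = None
            new_row["expunged"] = True
        result.append(new_row)
    return result


def revenue_by_event(records: List[Dict[str, object]]) -> Dict[str, float]:
    """Statistical report that must give the same answer before and after an expunge."""
    totals: Dict[str, float] = {}
    for row in records:
        event = str(row["event"])
        totals[event] = totals.get(event, 0.0) + float(row["ticket_amount"])  # type: ignore[arg-type]
    return totals


if __name__ == "__main__":
    print(export_subject_data(REGISTRATIONS, "alice@example.org"))
    after = expunge_subject(REGISTRATIONS, "alice@example.org")
    print(revenue_by_event(REGISTRATIONS) == revenue_by_event(after))
```

The expunge returns a new list rather than editing in place, so the caller can compare reports before and after the operation; the CSV export matches on the email field, which is why it returns only a header once the subject has been expunged.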
Finally, data processors (a role that applies to Corsizio and may or may not apply to you, depending on the nature of your business) are required to notify data controllers of any data breaches in a timely manner. Of course, you should have proper security measures in place so that your customer data is not released, directly or indirectly, to the public or to any third parties. One of the most important things to do is to always use highly secure passwords for any services you use to collect or store your customer data, and to never share your passwords with anyone or store them in unsecured ways.
Final Quick Tips
- Only collect the bare minimum data needed on your registration form to run your event(s).
- Avoid collecting unnecessary data on your registration forms for the purpose of market analysis, advertising or marketing campaigns, etc. Such information would be best collected via anonymous surveys and/or questionnaires, or in ways that do not associate them with personally identifiable data.
- Keep your customers' data highly secured at all times, specifically when you export it.
- Only use reputable, trustworthy and compliant data processors.
- Treat your customer data with utmost respect.
- Be responsible with how you use your customer data.
Most of all, remember that having access to other people's data is a big privilege, not any kind of right.
If you have any other questions about how Corsizio can help support you as an event organizer to meet your data privacy needs, contact us anytime.
The Corsizio Team
p.s. If you have not signed up to Corsizio yet, register for your own free account today to explore how it can enhance your events!