[BreachExchange] 7 GDPR Requirements You Need to Know

Inga Goddijn inga at riskbasedsecurity.com
Fri Feb 9 19:18:38 EST 2018


The General Data Protection Regulation, which updates the older,
pre-cloud-era data privacy rule in the European Union, will begin to be
enforced in May. And this is a regulation you ignore at your peril, with
fines that can reach up to $24 million. For more background on the
regulation, see New EU Data Privacy Rules Are Coming LINK TK. Here are the
seven specific requirements that planners need to know about now.

1. Consent

Forget the pre-checked, often vaguely worded opt-out box most event
organizers currently use in the registration process. Any EU resident or
citizen has to actively opt in and give you explicit consent to store and
use their data. You also have to explain what you will use the data for,
who you will share it with, and for how long. As the data controller, it’s
up to you to get the consent, says Kevin Iwamoto, senior consultant with
GoldSpring Consulting.

Furthermore, he says, you can’t generically ask people to give consent to
all activities around an event when they register. “You have to say
specifically who they’re giving that consent to. In addition to your
organization, that includes everyone who could have access to the personal
information, including exhibitors and sponsors. You also have to tell
participants what the suppliers are going to use it for, and when the
information is going to be purged from their systems.” And, he adds, you
have to enable attendees to opt out if they don’t want their information to
go to any of the listed third parties. “This is going to cause a lot of
disruption,” says Iwamoto. “Think about the disclosure and consent and
opting in for a hosted-buyer program, for example.”

2. Data Breach Notification

GDPR gives you just 72 hours after you discover you’ve had a breach to
notify data protection authorities and, in some cases, users. While the
fines are expected to be proportional to the level and severity of
noncompliance, and the number of people affected, if you tried to pull an
Equifax and wait months before reporting a breach, you could expect the
fines to be fairly severe, says Ian Grey, a U.K.–based information and
cybersecurity consultant with Wadiff Consulting.

“Event organizers need to show they’re doing their best to protect the
personal information of individuals to minimize the chances of it getting
into the wrong hands,” adds George Sirius, CEO, Eventsforce, an event tech
company. “Ensuring that everyone in the events team has a good
understanding of what constitutes a data breach and how to follow best
practices is key to compliance. It’s also important to think about what
processes need to be put in place once a breach has been identified,
including how to report it within three days.”

3. Access

If an EU resident or citizen wants access to his or her data, you need to
provide digital copies of it, along with where it’s being stored and what
you’re using it for. And you need to be able to do this within 30 days at
no charge, says Iwamoto.

4. Right to Be Forgotten

As a data controller, you have to be able to delete an EU citizen’s data on
request, and have your suppliers delete it as well. “They have to have ways
of minimizing errors, correcting inaccuracies, and deleting data,” says
Iwamoto. “And you have to be able to prove that it is, in fact, deleted.”

5. Portability

If requested, you need to be able to export an individual’s data to another
data controller in a commonly used format.

6. Privacy by Design

Don’t expect to get away with tacking some data privacy stop-gaps on to
your systems. Under GDPR, security must be integral to your data-collection
and management technology and processes from the get-go.

7. Data Protection Officers

Not everyone needs to have an official data protection officer, or DPO, but
most multinational organizations already do, says Iwamoto, because even
before GDPR, the EU in particular had far more stringent rules and
regulations around citizen data privacy than the U.S. “And they’re not
afraid to litigate.”

If your organization has a DPO, “You need to let them know your department
is going to be affected. Any forms or terms and conditions that they’re
putting together to protect the company also need to be incorporated into
events and meeting planning,” says Iwamoto. Adds MaryAnne Bobrow, CAE, CMP,
CMM, president of Bobrow Associates, even if you do have a DPO, you need to
have a working knowledge of GDPR requirements. “If you don’t have that
knowledge, you could be violating the rules without the DPO knowing
anything about it.”

If you don’t have a DPO, Bobrow suggests finding a company that can serve
as your “trusted advisor” to do the research for you. “It’s pennywise and
pound foolish not to have someone to walk you through the steps to make
sure you’re protected from noncompliance.”