GDPR Compliance

The Q&A below briefly answers some general questions about the GDPR. It is in no way exhaustive and should not be relied on as a sole source of information. You are strongly advised to seek advice from an independent legal representative to see how the GDPR may directly impact your organization.

What is the GDPR?

The GDPR is the European "General Data Protection Regulation". As of May 25th, 2018, this legislation harmonizes data privacy and protection laws across Europe for all EU member states. The GDPR regulates how the personal data of EU citizens can be collected, used and processed by organizations.

What are the penalties for not complying with GDPR legislation?

Those that fail to comply with the GDPR could face sanctions as follows:

  1. For the "gravest" infringements, fines of the greater of 20 million Euros, or 4% of their total annual worldwide revenue from their preceding financial year.
  2. For lesser infringements, fines of the greater of 10 million Euros, or 2% of their total annual worldwide revenue from their preceding financial year.

Who does the GDPR apply to?

Although the GDPR legislation will be implemented by the European Union, it applies to all organizations regardless of their physical location. This means not only organizations based in the EU, but also those that reside outside the EU and have any EU contacts or customers.

How will the GDPR fines be enforceable in countries outside of the EU?

The GDPR legislation refers to the "development of international cooperation mechanisms to facilitate the effective enforcement of legislation". It remains to be seen how far the cooperation will extend between the EU and non-EU countries, but it is in the best interest of all countries to cooperate so that non-EU citizens' data is equally protected within the EU. If the US does not assist in the enforcement of sanctions imposed under international law, it is conceivable that the personal information of US citizens will be treated "in kind" and will become freely available, without sanctions, throughout the world to whoever wants to use it. Inevitably there will be an outcry from aggrieved citizens, as we have already seen against companies like Facebook, Equifax and others.

How do I ensure that my organization is compliant with the GDPR?

Firstly, to ensure you are in compliance we strongly advise that you consult an independent legal representative to review your privacy policy and processes.

If you are an association, society or conference you are most likely considered a “Controller” of personal data under the GDPR. A Controller is the entity which determines the purposes and means for the processing of personal data. Controllers are primarily responsible for the protection of personal data.

To avoid sanctions as a Controller, it's best to avoid collecting sensitive data. If for some reason you have sensitive data in your database, DELETE IT, and in future DO NOT ASK your contacts for data that reveals racial or ethnic origin, political opinions, religious or philosophical beliefs, national identification numbers, passport numbers, credit card numbers, biometric data for the purpose of uniquely identifying a natural person, data concerning health, data concerning a natural person's sex life or sexual orientation, or data that could lead to discrimination, identity theft or fraud, financial loss, or damage to reputation. This is not the full list, and again, if you have concerns consult your legal counsel.

Controllers who collect such data will be required to conduct Privacy Impact Assessments ("PIAs") for processing highly sensitive data and must also maintain records of processing activities.

The majority of our clients are simply collecting abstracts, papers and conference registration details, and as such we don't believe our clients will be subject to PIAs. However, the obligation remains on the client to make their own determination based on the data they wish to collect.

Controllers are also required to erase personal data without undue delay (i) if the data is no longer needed; (ii) if an individual objects to processing; or (iii) if the processing was unlawful. Where there has been a request to erase data, a Controller must take reasonable steps to do so.

X-CD provides all of our clients with the backend system tools to delete personal data and our clients may do so without our involvement should an objection to processing or a withdrawal of consent be communicated.

Who is the Processor under the GDPR and what are the obligations of the Processor?

A Processor is an entity which processes personal data on behalf of the Controller. For the purposes of the GDPR, X-CD is the Processor.

Processors are required to “implement technical and organisational measures to ensure appropriate security of processing, including encryption, maintaining confidentiality, restoration of access following physical/technical incidents and regular testing”. What is appropriate will likely be assessed in terms of a variety of factors including the sensitivity of the data, the risks to individuals associated with any security breach, the state of the art, the costs of implementation and the nature of the processing.

X-CD has implemented the following to meet the GDPR legislation:

  1. Mandatory Opt-in: As of May 2018, all contacts (including speakers, authors, co-authors, chairs, track chairs, session chairs, reviewers, attendees, members or applicants to become members, etc.) must opt-in by agreeing to the terms and conditions in their initial contact form, prior to submitting any data, personal or otherwise. For more information see below.
  2. All contacts will be able to withdraw their consent by way of notice to the Controller.
  3. Clients (Controllers) always have had and will continue to have the tools to remove contact data from their database. Warning: If a client holds other databases at the organization's office or on other laptops or hard drives, the contact details must also be deleted from these sources.
  4. In the event of data loss or cyberattack, X-CD will notify its Client within 72 hours of becoming aware of the incident.
  5. Regarding financial data, X-CD is PCI compliant and therefore we do not receive, handle or store credit card information.
  6. With regard to contact passwords X-CD has encrypted all passwords so as to render them unreadable and useless in the event of a database breach.
  7. The data security obligations above are noted in our license agreement entered into with each client.

In summary X-CD’s processes and licensed software will meet GDPR Processor obligations.

[Screenshot: Mandatory Opt-in located on the Contact Profile Form]

How does X-CD ensure that consent requirements under the GDPR are complied with?

The GDPR defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” The GDPR, broadly, requires that consent be obtained to process personal data. Silence or inactivity does not constitute consent.

To assist our clients in meeting the GDPR consent requirements, as of April 2018, X-CD has implemented a mandatory opt-in clause to ensure that all contacts submitting personal information agree that they are providing their information freely and with their full consent. Contacts cannot submit data unless they opt in.
