How do I ensure that my organization is compliant with the GDPR?
If you are an association, society or conference you are most likely considered a “Controller” of personal data under the GDPR. A Controller is the entity which determines the purposes and means for the processing of personal data. Controllers are primarily responsible for the protection of personal data.
To minimize your exposure to sanctions as a Controller, it is best to avoid collecting sensitive data at all. If for some reason you already hold sensitive data in your database, DELETE IT, and in future DO NOT ASK your contacts for data that reveals racial or ethnic origin, political opinions, or religious or philosophical beliefs, for national identification numbers, passport numbers or credit card numbers, for biometric data used to uniquely identify a natural person, for data concerning health, for data concerning a natural person’s sex life or sexual orientation, or for any other data whose exposure could lead to discrimination, identity theft or fraud, financial loss or damage to reputation. This is not the full list; if you have concerns, consult your legal counsel.
Controllers who collect such data are required to conduct a Privacy Impact Assessment (“PIA”, which the GDPR calls a Data Protection Impact Assessment or DPIA) before processing highly sensitive data, and must also maintain records of their processing activities.
The majority of our clients are simply collecting abstracts, papers and conference registration details, and as such we do not believe our clients will be subject to PIAs. However, the obligation remains on each client to make that determination based on the data it actually collects.
Controllers are also required to erase personal data without undue delay (i) if the data is no longer needed for the purpose it was collected for; (ii) if an individual objects to the processing or withdraws consent; or (iii) if the processing was unlawful. Where a request to erase data has been received, a Controller must take reasonable steps to do so.
X-CD provides all of its clients with backend tools to delete personal data, and clients may do so without our involvement whenever an objection to processing or a withdrawal of consent is communicated to them.
Who is the Processor under the GDPR and what are the obligations of the Processor?
A Processor is an entity which processes personal data on behalf of the Controller. For the purposes of the GDPR, X-CD is the Processor.
Processors are required to “implement technical and organisational measures to ensure appropriate security of processing, including encryption, maintaining confidentiality, restoration of access following physical/technical incidents and regular testing”. What is appropriate will likely be assessed in terms of a variety of factors including the sensitivity of the data, the risks to individuals associated with any security breach, the state of the art, the costs of implementation and the nature of the processing.
X-CD has implemented the following to meet the GDPR legislation:
- Mandatory Opt-in: As of May 2018, all contacts (including speakers, authors, co-authors, chairs, track chairs, session chairs, reviewers, attendees, members or applicants to become members, etc.) must opt in by agreeing to the terms and conditions on their initial contact form before submitting any data, personal or otherwise. For more information see below.
- All contacts can withdraw their consent by giving notice to the Controller.
- Clients (Controllers) always have had, and will continue to have, the tools to remove contact data from their database. Warning: if a client holds copies of contact data elsewhere, for example in other databases at the organization’s office or on laptops or hard drives, the contact details must be deleted from those sources as well; erasure in X-CD alone does not complete the request.
- In the event of data loss or a cyberattack, X-CD will notify its Client within 72 hours of becoming aware of the incident, so that the Client, as Controller, can meet its own obligation to notify the supervisory authority within 72 hours of becoming aware of a reportable breach.
- Regarding financial data, X-CD does not receive, handle or store credit card information, and is PCI compliant.
- X-CD stores all contact passwords in protected (encrypted) form so that they are unreadable and of no use to an attacker in the event of a database breach.
- The data security obligations above are noted in our license agreement entered into with each client.
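The password point above deserves a concrete illustration, because what protects passwords in a stolen database is not reversible encryption (a key that can decrypt them is a key an attacker can also find) but a salted, deliberately slow one-way hash. The following is an added example written for this page, not X-CD's code; nothing on this page describes how X-CD actually protects passwords, and the record format, the iteration count and the function names are assumptions. It contrasts the weak approach (a single fast, unsalted SHA-256 digest, which a short wordlist recovers immediately) with PBKDF2-HMAC-SHA256 using a random per-user salt, a stored work factor and a constant-time comparison.

```python
import hashlib
import hmac
import os

# Work factor for new hashes. 600,000 PBKDF2-HMAC-SHA256 iterations is the
# OWASP-recommended figure at the time of writing; raise it as hardware improves.
ITERATIONS = 600_000
SALT_BYTES = 16
DERIVED_LEN = 32
PREFIX = "pbkdf2_sha256"  # assumed record format: prefix$iterations$salt_hex$hash_hex


def weak_store(password: str) -> str:
    """Insecure: one fast, unsalted SHA-256 digest.

    Two users with the same password get the same digest, and a precomputed
    table or a short wordlist recovers the password in microseconds.
    """
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def crack_weak(stored_digest: str, wordlist):
    """Dictionary attack against weak_store(): returns the password or None."""
    for guess in wordlist:
        if weak_store(guess) == stored_digest:
            return guess
    return None


def hash_password(password: str, iterations: int = ITERATIONS, salt=None) -> str:
    """Hardened: random per-user salt, slow KDF, parameters stored with the hash."""
    if salt is None:
        salt = os.urandom(SALT_BYTES)  # fresh CSPRNG salt for every password
    derived = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=DERIVED_LEN
    )
    return f"{PREFIX}${iterations}${salt.hex()}${derived.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and work factor; compare in constant time."""
    try:
        prefix, iters, salt_hex, hash_hex = stored.split("$")
        if prefix != PREFIX:
            return False
        iterations = int(iters)
        salt = bytes.fromhex(salt_hex)
        expected = bytes.fromhex(hash_hex)
    except ValueError:  # malformed record: treat as a failed login, never crash
        return False
    if not expected:
        return False
    actual = hashlib.pbkdf2_hmac(
        "sha256", password.encode("utf-8"), salt, iterations, dklen=len(expected)
    )
    # hmac.compare_digest does not stop at the first differing byte, so the
    # response time does not leak how much of the hash matched.
    return hmac.compare_digest(actual, expected)


def needs_rehash(stored: str, min_iterations: int = ITERATIONS) -> bool:
    """True if the record was made with a weaker work factor than current policy.

    Call this after a successful login and re-hash with the plaintext password,
    which is the only moment it is available to the application.
    """
    parts = stored.split("$")
    if len(parts) != 4 or parts[0] != PREFIX:
        return True
    try:
        return int(parts[1]) < min_iterations
    except ValueError:
        return True


if __name__ == "__main__":
    # Constructed sample data for the demonstration, not real user records.
    wordlist = ["password", "letmein", "conference2018", "qwerty"]
    weak = weak_store("conference2018")
    print("weak digest recovered by wordlist:", crack_weak(weak, wordlist))

    record = hash_password("conference2018")
    print("stored record:", record)
    print("correct password accepted:", verify_password("conference2018", record))
    print("wrong password rejected:", not verify_password("conference2019", record))
    # Same password, different salt: different record, so no cross-user matching.
    print("salts differ:", record != hash_password("conference2018"))
```

The record carries its own salt and iteration count, so the work factor can be raised later without invalidating existing accounts: `needs_rehash` flags old records and the application re-hashes at the next successful login. A memory-hard function such as scrypt or Argon2 is preferable where available; PBKDF2 is used here because it ships in the Python standard library.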
In summary, X-CD’s processes and licensed software meet the GDPR Processor obligations.
Screenshot of the Mandatory Opt-in on the Contact Profile Form
How does X-CD ensure that consent requirements under the GDPR are complied with?
The GDPR defines consent as “any freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.” The GDPR, broadly, requires that consent be obtained to process personal data. Silence or inactivity does not constitute consent.
To assist our clients in meeting the GDPR consent requirements, as of April 2018 X-CD has implemented a mandatory opt-in clause to ensure that all contacts submitting personal information agree that they are providing their information freely and with their full consent. Contacts cannot submit data unless they opt in.