GDPR sounds like a complex topic. It can be. But sometimes you just want a bite-size explanation. Here’s a quick overview …
What is GDPR?
GDPR, the General Data Protection Regulation, is an EU regulation that unifies data protection regulations and strengthens data protection for citizens or residents of the European Union. GDPR was approved by the European Parliament on April 14, 2016 and started being enforced on May 25, 2018. GDPR replaces the earlier data protection directive that was implemented in 1995.
Who does GDPR apply to?
GDPR applies to all member states of the EU. GDPR applies to almost all companies operating in the EU if they meet any of the following conditions:
• The company has an establishment in the EU
• Provides goods and services to EU residents or citizens and/or
• Monitors the behavior of EU residents or citizens.
The regulation applies to companies operating outside the EU if they collect or process personal data of EU residents or citizens.
What can’t applicable organizations do?
Under GDPR, applicable companies cannot capture, store or process personal data without a legitimate interest or someone’s explicit consent.
What is personal data?
Personal data is defined as any information related to a person, like an email address, posts on social networking websites, photos, or data that can be used to identify the person, directly or indirectly, like an IP address or medical information. It’s far-reaching, and really protects any information that someone could use to identify an individual (Personally Identifiable Information).
What happens if there is a breach?
Data breaches which may pose a risk to individuals must be reported to affected individuals “without undue delay”, and to the data protection authorities within 72 hours. In case of a data breach, organizations can be fined 4% of global turnover or up to 20 million euros, whichever is higher.
Can individuals find out about data use?
Individuals can find out if their data is being processed by an applicable company, where and for what purpose, and a copy of their personal data must be provided free of charge within one month of the request. An individual is also entitled to have his or her personal data erased, under certain conditions.
Additionally, public authorities and organizations that engage in large-scale monitoring or processing of sensitive personal data must appoint a Data Protection Officer.
How can this apply to Event Organizers?
If any of your attendees are EU citizens or residents you need to be GDPR compliant. There are hundreds of examples that could be GDPR violations, like registration on a paper sign-in sheet, circulating any type of spreadsheet with travel and hotel info, scanning badges without consent and so much more. In sum, get consent from your attendees on any action that involves any type of personal data. Play it safe.
What about your mobile app?
What you don’t have to worry about is your mobile event app. TripBuilder Media event apps are GDPR compliant.