There is a lot that meeting planners and associations need to worry about when it comes to the upcoming General Data Protection Regulation (GDPR), but their event app shouldn't be one of them. We commit to all our clients that we will make our best effort to be GDPR compliant. To explain what exactly this includes, our CEO Jelmer van Ast answers the most frequently asked questions about the compliance of our apps and services.
What do I need to know when talking GDPR?
It is important to know that the GDPR is all about the protection of personal data, not companies' data. Personal data is any information that can be used to identify an individual, directly or indirectly. Identifiers include names, telephone numbers, email addresses, pictures and so on.
The regulation also differentiates between data controllers and data processors, and it is not always obvious which role an organisation plays. A controller is a person, organisation or other body that determines the purposes and means of the processing of personal data. A processor processes personal data on behalf of the controller and only on the controller's instructions.
When are you dealing with personal data?
As most of our clients' attendees are from the EU, the GDPR applies to Conference Compass, too. We deal with personal data in two ways. Firstly, we process conference data in our CMS on a daily basis. This may include personal data such as speaker biographies or attendee lists.
Secondly, we control and process data of users who log into one of our apps. This way, the users can create profiles and chat with other attendees.
Where is my data stored?
We treat all personal data that we collect and process with the utmost care. All data is hosted in Amazon AWS data centres located in Germany, a member state of the EU (find Amazon's AWS GDPR policy here). On top of that, each client's app runs in a separate, isolated environment with its own database and services. This not only gives consistent performance but also strongly reduces the risk of data from one client account being mixed with another's.
Clients can upload their conference data directly into the CMS from their computer. If they need assistance from one of our project managers and send us sensitive conference data, we keep these files in Dropbox folders that can only be accessed by the relevant team members (find Dropbox's GDPR policy here).
Do you ask Eureka users for explicit consent?
To begin with: all our apps can be used without logging in. However, if users want to be included on the attendee list, chat or sync their personal agenda, they have to log into a personal account. Our Eureka platform was created to bring greater interaction and connectivity to attendees, and it hosts all personal accounts. When a user decides to log in using Eureka, he or she is led through a GDPR compliant sign-up process.
In the first step, users are asked to fill in their name and email address and to choose a password.
Another important step towards GDPR compliance is the required opt-in to be visible on the attendee list and to receive chat messages. Many clients fear that the opt-in will cut the number of active app users, but our experience shows otherwise: by ensuring that everyone on the attendee list wants to be visible and is ready to chat and network, you not only comply with the GDPR but are left with a much more active community. Quality over quantity!
How do you store consent?
Are you able to erase my data?
Clients who would like to delete their data can do so at any time, with immediate effect, within the CMS. Note that deleted conference and app data can still be restored from backups until those backups are purged. If you want these backups erased as well, we will do so after a personal consultation.
Eureka users who wish to review or delete their account can contact us at any time. It is important that this request is made by the user themselves and is not forwarded by third parties such as the event organisers, so that we can verify it comes from the account holder. We will then share or delete all of the user's personal data within 72 hours, well inside the one-month deadline the GDPR sets for responding to such requests.
What is your procedure for reporting data breaches?
Our top priority is to keep your data secure. Detecting data breaches is important yet difficult, because a breach can only be detected after it has happened. We are constantly working on improving our security and detection processes and making them more precise. When a data breach is detected, we will always be transparent about it to all our clients and users and will report the incident to the supervisory authority within 72 hours, as the GDPR requires.
If you have further questions about our efforts to become GDPR compliant, feel free to contact us at firstname.lastname@example.org.