Last Updated: Jan 4, 2019
The GDPR - General Data Protection Regulation - aims to create a new data protection regime, applicable to all organisations established in Europe and, depending on the circumstances, outside the limits of that territory as well.
GDPR will require a series of items regarding data security, transparency, privacy and confidentiality. The regulation takes effect from May 25th 2018.
If your company does not comply with the legislation rules, fines can be as high as 20 million euros or 4% of total worldwide annual turnover, whichever is higher.
It is important to understand that GDPR is about 'who' is doing something. InEvent or any other software company will provide the meanings to understand where data came from, but we cannot prohibit an ill-intentioned employee in your organization from uploading a full list of contacts which you don't have permission to communicate with. In such a case, InEvent will identify who performed which action so you can apply your organization internal compliance.
| Data Controllers | Data Processors |
|---|---|
| It is your company | It is the software you use to store and process customers and prospects data |
| Primary responsibility | Secondary responsibility |
| It is responsible for security, transparency, privacy and confidentiality | It is responsible for guaranteeing that the company data are stored and processed in a secure way |
| Collects information through forms and similar means | It is responsible for security and privacy in processing the collected data |
InEvent helps your data compliance with tools to manage your customer's privacy:
Customers have the right to receive their personal data from a controller in a structured, commonly used and machine-readable format so they can transfer those data to another data controller without interference. InEvent provides this through a public page where users can see all the events they are enrolled at and request their information stored on this event at anytime.
The right to be forgotten is part of GDPR and users can request this at any minute during their days. Information is logged for administrative and forensic purposes. InEvent provides a public page where users can type their email address, receive a confirmation and confirm they want to be forgotten.
Under the GDPR, consent must be given by a statement or a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of an individual’s agreement to the processing of their personal data. A request for consent cannot be bundled together with other terms in a contract; it must be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language.
InEvent is compliant with a series of protocols, including SOC 2, which provides the Standard Operating Procedure for different cases scenarios. These documents, which include our Business Continuity Plan and Disaster Recovery Plan, ensure your data protection by product design.
The GDPR requires that data breaches be reported to the competent supervisory authority (of the EU Member State concerned) without undue delay, and where feasible, within 72 hours of the organization becoming aware of it, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons. InEvent monitors the API usage from each customer and provides a series of triggers that can be activated for your IT security team.
Personal data is stored for as long as the contract is active after which the personal data is automatically erased by the data processor.
