1. Make an overview of all data that you handle
Make a register of all (personal) data your organization handles. It must be clear what different sets of (personal) data are used, for what purpose, where they are stored and who has access to it.
Tip: make sure that you map all processes about how to deal with (personal) data, for example how it is removed. If a newsletter reader sends you an email with the request to delete (personal) data, the data of that person must actually be deleted within 1 month. Make sure you can! The same applies of course in case someone wants to change his / her data.
2. Consider privacy by design & privacy by default
Privacy by design means that when designing (new) products and services you have to take the protection of privacy-sensitive information into account. Think for example about a new event, or a new product type that can be purchased or, for example the purchasing of tokens prior to the event.
Privacy by default means that you only process the personal data that is necessary for that specific purpose. For example, someone who buys a ticket to the event and receives a ticket via email, should not receive an email (without explicit consent) with promotional purposes at a later stage. That is not necessary for the specific purpose. As organization, you always remain responsible as to who can process which data and where.
Tip: when you review your online documentation (your Privacy statement for example) regarding the processing of personal data, make sure that it is expressed in clear, understandable language. If people do not understand you, suspicion may arise and that will harm your brand.
3. Comply with the Data Breach Reporting Requirements
Unfortunately, we read about data breaches through hackers that have acquired personal data more and more often. But a data breach is also the case in the unfortunate event of losing a company laptop or sending an email containing personal data to the wrong recipient.. In all circumstances, you must inform those involved about the data breach and in case it has serious consequences to personal data, you have to report it to the appropriate authorities within 72 hours. Most important of all, you must do everything to prevent this.
Tip: document the risks for your organization. Look at your procedures for documenting and reporting data breaches. In the GDPR/AVG, the obligation to report data breaches is extended with the obligation to document all data breaches so they can then be reviewed by the competent privacy authority.
4. How do you request and register permission for using (personal) data?
The new legislation imposes more strict requirements about the permission that people must give for the processing of data. Evaluate the way in which you ask people (your ticket buyers, fans, newsletter subscribers etc.) permission to process their (personal) data and how (securely) you register them. You must be able to demonstrate that consent has been obtained.
Feel free to contact our Client Success Team and they would be happy to assist you with any questions.