Northstar

MCA-NOVDEC-18-EBOOK

Issue link: http://read.uberflip.com/i/1053158


Feature: GDPR
NOV-DEC 2018, MEETINGS & CONVENTIONS, MCMAG-ASIA.COM

What to Ask Suppliers

How will you know if technology suppliers are truly in compliance with GDPR and following privacy-by-design principles? The following are suggested RFP questions for them, proposed by Lenos Software co-founders Debbie Chong, CEO, and Patti Tackeff, president.

• Does the supplier place its privacy policy, logo or marketing links on customer websites? Such placement could equate to marketing without consent; attendees have not agreed to receive marketing info from your suppliers.

• Does the software allow the data controller — the client — to manage data and consent? Can the customer specifically manage consent, withdrawals of consent and automatic, secure deletion of personal data? If so, are those capabilities native to the solution or part of a third-party application?

• Does the supplier use website cookies/trackers or registrant data to market its software, share with data marts, or sell data without customer consent? Such practices would have to be both clearly spelled out and then consented to by the registrants.

• Is the software developed based on privacy-by-design principles? This is the idea behind GDPR.

• Has the supplier ever had a data breach? What is the policy for handling data breaches in the future? The GDPR spells out specific notification protocol to follow in the event of a breach.

– M.J.S.

3 critical action items for meeting planners

1. Conduct a data audit.

What data is being collected, and who is touching it? "This is a great opportunity to clean up one's act," Iwamoto of GoldSpring Consulting points out. "Because oftentimes what people find is that their processes are outdated, and they're collecting more data than they need." Find the inefficiencies and decide what must be fixed. "I think this is where most companies are now," Iwamoto adds, "trying to address and fix some of these gaps."

2. Understand people's rights with respect to personal data.

"The biggest change is that somebody, at any time, has the right to demand to know what information you have on them," says Iwamoto. "And that person also has the right to ask that it be deleted. And you can't charge a fee — you have to be able to provide the data, delete it or let them use it, all for free."

3. Collect consent for everything, and disclose what you're doing with the data.

You must have consent from individuals for any information you collect about them, and you must tell them exactly what their information will be used for. "Consent forms have to change," Iwamoto states. "They can't be full of legal jargon. You have to make everything straightforward and simple to understand. You have to disclose at which points their information will be collected — registration, mobile app, etc. — and what it will be used for in each instance."

And if individuals don't consent? "I say that means they can't attend," says Iwamoto. "If they're not agreeing to any of this, you don't want them at your event." That's not likely to happen though, he adds. "Most attendees understand that their data is going to be repurposed in some way, shape or form. What GDPR says is that you have to disclose upfront exactly what it's being used for. If they don't agree with that, they shouldn't be attending anyway."

PHOTO CREDIT: Z_WEI/GETTY IMAGES
