Many governments and regulators, including those in Europe, Australia and New Zealand, are in the process of tightening their rules around how organizations capture, store and use customer data. If you’re a training or event management business, you need to be aware of this changing landscape as there are significant implications.
This article focuses on GDPR – an update to European Union law which has global ramifications. If you haven’t already explored what this means for your organization, this article is a great place to start.
GDPR in a nutshell
The General Data Protection Regulation (GDPR) is an update to European Union (EU) law designed to create a more comprehensive and enforceable approach to the use of personal data. Coming into force on 25 May 2018, GDPR gives more control to individuals on how their personal data is used. Affected organizations may need to change how they gather, manage and use their customer and marketing data. Fines for noncompliance are significant.
GDPR applies to all organizations globally that hold and process personal data for people based in the EU. If your organization offers training and events to people in Europe, either via online or physical delivery, then you’ll likely need to meet GDPR requirements.
Things to consider
Elements of GDPR that may be relevant to training and event organizations include:
- Data collection – you can only collect personal data if you have a legal reason to do so and must make it clear what the personal data will be used for.
- Communication & profiling – you need a lawful basis, likely to be either active opt-in consent or legitimate interest.
- Simple & clear – contracts and other legal text (e.g. website T&Cs) need to be easy to understand.
- The right to know – individuals can ask you what information is being held about them.
- The right to erase – individuals can ask you to delete all stored personal data about them, unless you need to keep that information for legal reasons, such as tax.
- Data security – you must store and process the personal information you collect securely.
- Data breach – you’re obliged to report certain types of data breach to the relevant authority.
- Accountable – you must be able to demonstrate compliance with all principles.
This is just a summary. Below are links to more in-depth information.
What GDPR means for marketing
For many organizations GDPR may initially sound like a hindrance to marketing and sales. For sure, past techniques of marketing to cold leads may not be lawful in the EU. But keep in mind, those who do consent to receiving your marketing material and tailoring content through profiling are far more likely to convert to sales. GDPR will mean that marketers have the opportunity to increase the engagement and conversion rates they get while respecting the rights of the consumer.
Controller (You) and Processor (Arlo)
One of the key elements to understand under GDPR is whether you are the controller or the processor of data, and the responsibilities of each.
In the case of training or event organizations using Arlo, you are the controller and determine what the personal data is used for and how it is processed. Arlo is the processor, with personal data captured on our registration forms and stored in our systems to be processed on your behalf.
This distinction is important. You, the data controller, are principally responsible for collecting consent, revoking consent and giving users access to their data. If a customer wants to access their personal data or have it deleted completely, as the data controller you pass this request on to Arlo, the data processor.
This means that compliance with GDPR is important to all of us.
With Arlo your data is in safe hands
Arlo will be fully GDPR compliant as a data processor well before the May 25th deadline.
We have taken a number of steps to ensure Arlo is a GDPR-compliant cloud provider, including:
- Ensuring all of Arlo’s data processing flows are GDPR compliant
- Providing key staff with GDPR-specific training
- Appointing a Data Protection Officer
- Ensuring all of Arlo’s own sub-processors are compliant with GDPR requirements
How Arlo can help you with GDPR
Arlo is actively helping its customers become GDPR compliant.
By storing customer data in Arlo you benefit from best practice data storage and security. All data in Arlo is encrypted at rest and stored in AWS, a provider that is fully compliant with GDPR. You can also action your customers’ right to access their personal data through Arlo’s existing data export tools.
Data Processing Addenda (DPAs) will be available soon for Arlo customers. These are agreements that extend our existing Terms of Service and formally set out the nature and purposes of the relationship between you (as a Controller) and Arlo (as a Processor), the types of personal data you want Arlo to process, the duration we can store it for, any particular special categories of data, and the obligations and rights of both parties. These agreements are important to ensure that Arlo can continue to process data on your behalf once GDPR takes effect.
You can email firstname.lastname@example.org now with your details and we will be in contact with you as soon as the DPAs are ready for you to enter into.
We’re building new features into Arlo to help you stay GDPR compliant. This includes the ability to add configurable explicit consent fields into registration forms so you can capture and store consent data. This specifically helps you address the Accountability element of GDPR mentioned above.
There is a wealth of information online about getting your business prepared for GDPR. Two particularly good resources are:
- 12 steps to prepare for GDPR – The UK Information Commissioner’s Office (ICO)
- How to prepare for GDPR – The Federation of Small Business (FSB)
Disclaimer: You should talk to your legal advisers to ensure you are compliant before May 2018. This blog post should not be used as a complete guide to EU data privacy or legal advice.