The General Data Protection Regulation (GDPR) is a European Union regulation scheduled to come into effect on 25 May 2018 relating to personal data, its use and storage. It replaces the prior Data Protection Directive of 1995 and has far-reaching implications for any business that has a global presence. It impacts any business, EU-based or not, which has EU users or customers.
Under the new GDPR regulation, personal data is any information relating to an individual, whether it relates to his or her private, professional or public life. It can be anything from a name, a home address, a photo, an email address, bank details, posts on social networking websites, medical information, or a computer’s IP address.
You must consider all personal data, including that of customers, suppliers, contractors and employees. You need to look at how it is collected, stored and shared with others (internally and externally), and how it is being accessed (internally and externally).
Examples of aspects which may impact privacy include:
– CCTV images of people who are not within the event (for example perimeter CCTV)
– Network usage data of users communicating with those outside of the event network
– Any customer data collected for customer marketing purposes
– Contractor personal details
You must specifically have users ‘Opt In’ when collecting personal data. Plain language should be used to explain:
– Why you are collecting the data
– How it will be stored
– Who will have access to it
– What you will be doing with it
– How they can remove it from your systems
Yes, particularly in relation to public areas. For events, consideration should be given to cameras which may be able to see people who are not part of the event, for example around entrances and the perimeter. For each camera, an assessment should be undertaken and recorded, including:
– Why do you need that camera there?
– What will the camera be used for?
– What else, if anything, could you do to achieve the same objective without having a camera?