The GDPR for conference organisers


The GDPR for conference organisers: what you need to know. Plus, 9 rules for managing your delegate data under GDPR.

The flood of privacy emails pouring into your inbox throughout May was a good indication that change is afoot in the way organisations manage your personal data. The cause of this deluge, the EU’s General Data Protection Regulation (GDPR), came into effect on 25 May 2018 and it’s the reason organisations are making profound changes to protect you from breaches of your privacy.

What it means: the GDPR for conference organisers

The GDPR doesn’t apply only to the organisations who were inundating you with updated Ts & Cs emails earlier this summer; the new data protection law applies to anyone who controls the personal data of others. And organising a research conference means controlling a lot of personal data. If you fail to make your conference’s data policies and processes compliant, your event could be liable for some eye-wateringly large fines (up to 4% of annual global turnover or €20 million).

Hosting a conference outside the EU doesn’t necessarily mean you’re exempt, either. The GDPR comes with extended jurisdiction, which means that every EU citizen has the same rights regardless of where their data is processed. So if your conference is accepting submissions or registrations from researchers who are EU citizens, then the GDPR applies to you as a conference organiser.

Quick side note: The GDPR aims to protect EU citizens from breaches of their personal data such as their name, address and organisation. It’s useful to note that the title, content and reviews of conference submissions don’t constitute personal data.

9 Rules of GDPR for conference organisers

Current practice around getting consent to use authors’ and delegates’ personal data, and the way this data is often handled, could now land conference organisers in hot water. Making your research event compliant means a whole lot more than simply asking people to opt in to your conference mailing list.

While making our conference management software GDPR compliant, we’ve learnt a thing or two about the GDPR for conference organisers. Here are 9 rules to help you ensure your delegate data stays on the right side of the GDPR.

1. Use data in a way that’s transparent, appropriate and permitted

As a conference organiser, you need researchers’ specific and unambiguous consent to store and use their personal data. Pre-ticked boxes on a signup form will no longer pass muster. Instead, tell your contacts clearly about all the ways you’re intending to use their data (like telling them about future conferences or sharing their details with sponsors) and ask them to give separate consent for each instance, for example, by asking them to agree via custom questions on your submission form.

2. Hold data only for the purpose it was given to you

Under the GDPR, you should be holding data only for the purpose it was given to you, and only as long as you need it. For example, you probably need the email address of a delegate who attended last year’s conference; you don’t need their dietary requirements. After the conference is over, delete copies of this unnecessary data from any computers it’s on.

3. Check your conference software is GDPR compliant

Data security must now be built into the products and processes you use to gather and manage personal data. That means that for your conference to be GDPR compliant, any suppliers who process your delegate data (data processors) need to be compliant too. So make sure you use GDPR-compliant software like Ex Ordo to capture and process delegate data.

4. Keep personal data safe and secure, however you handle it

It’s good practice to keep your delegate data within a secure software environment. (And if you can keep the majority of it within one piece of software, so much the better.) But it’s likely that occasionally you’ll need to handle researchers’ personal data outside of a software environment. When you do so, consider where it’ll be stored, who will have access to it, and what the risks are. Then put data protection processes in place so you’re not doing things like: storing data on unencrypted hard drives, sharing passwords or leaving printed registration lists unattended at your conference.

5. Handle sensitive data with extreme care

When it comes to handling sensitive data, like information on someone’s medical conditions, ethnic origin or sexual orientation, the less you collect, the better. The GDPR legislates for much heavier penalties for misuse or breaches of this type of data, so we recommend you don’t collect or store it, if at all possible. And if you feel your conference needs to collect data like this, seek legal advice on how best to do so under the GDPR.

6. Give people access to their data

Under the GDPR, any EU citizen can request a copy of all the personal data you hold on them, for free. Create a process to help you provide people with their data in a machine-readable format, like an Excel file, within 30 days of their request. (If you’re managing people’s data within Ex Ordo, users can make data requests right from their profile.)

7. Correct errors when you’re asked to

EU citizens also have the right to correct errors in their personal data. For example, if one of your authors adds a co-author but misspells their name, the co-author now has the right to have this corrected. If you’re using software like Ex Ordo, every user can make corrections to their data within their own profile. And when they do, the changes they make will automatically populate in your registration system, your schedule and your book of proceedings. If you’re using several systems to manage your delegate data, you’ll need to set up a process to make changes within them all whenever someone makes a change request.

8. Delete personal data when asked to

Your conference contacts from the EU now also have the right to be forgotten. This means that, if someone asks you to, you’ll need to delete all the personal data you hold on them within 30 days. This also applies to any data processed by your suppliers, like your registration or abstract management software. So ensure you have a binding agreement with suppliers like these to honour delete requests when they come in. (At Ex Ordo, we recently released the ability to handle delete requests and we have data processing agreements with our own suppliers to honour them, as standard.) If your suppliers don’t have the ability to delete delegate data, or won’t comply with requests like these, under the GDPR you’ll be left liable.

Quick side note: It’s important to note that research that has been published at a conference is considered to be in the public domain. And so the record that a particular author published a particular paper is not considered private personal data under the GDPR. However, this exemption only applies to data like a published author’s name, affiliation and country, not to private data like their dietary information.
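The following is an added example, not code from the original post or from Ex Ordo, showing how a small in-house delegate-data store could honour rules 1, 2, 6, 7 and 8 above across several systems at once: one explicit opt-in per purpose, purging event-only fields once the conference is over, exporting everything held on a person in a machine-readable form, propagating a correction to every system, and erasing a person everywhere while keeping only the public publication record described in the side note. All names (DelegateSystem, DelegateDataController, the field lists, the 30-day window applied to every request) and the sample delegate are hypothetical constructions for illustration.

```python
import json
from datetime import date, timedelta

# Fields collected only to run the event itself; purged once the conference is over (rule 2).
EVENT_ONLY_FIELDS = {"dietary_requirements"}
# The public record of a publication (side note after rule 8): the only fields
# a proceedings system keeps after an erasure request for a published author.
PUBLICATION_RECORD_FIELDS = {"name", "affiliation", "country"}
# Purposes that each need their own explicit opt-in (rule 1); nothing is pre-ticked.
CONSENT_PURPOSES = ("future_events", "share_with_sponsors")
RESPONSE_WINDOW = timedelta(days=30)  # access, rectification and erasure requests


class DelegateSystem:
    """One system holding delegate data, e.g. registration, schedule or proceedings (hypothetical)."""

    def __init__(self, name, keeps_publication_record=False):
        self.name = name
        self.keeps_publication_record = keeps_publication_record
        self.records = {}  # delegate_id -> dict of personal data


class DelegateDataController:
    """Coordinates every system so that each request is honoured in all of them."""

    def __init__(self, conference_date, systems):
        self.conference_date = conference_date
        self.systems = systems
        self.consents = {}  # delegate_id -> {purpose: True/False}
        self.audit = []     # who asked for what, and the date by which it is due

    def _log(self, delegate_id, action, requested_on):
        self.audit.append({"delegate": delegate_id, "action": action,
                           "requested": requested_on.isoformat(),
                           "due": (requested_on + RESPONSE_WINDOW).isoformat()})

    def register(self, delegate_id, data, consents=None):
        """Rule 1: store one explicit yes/no per purpose; an absent answer means no."""
        consents = consents or {}
        self.consents[delegate_id] = {p: bool(consents.get(p, False)) for p in CONSENT_PURPOSES}
        for system in self.systems:
            system.records[delegate_id] = dict(data)

    def contacts_for(self, purpose):
        """Only delegates who explicitly consented to this purpose."""
        return sorted(d for d, c in self.consents.items() if c.get(purpose))

    def purge_event_only_data(self, today):
        """Rule 2: drop event-only fields from every system once the conference has passed."""
        if today <= self.conference_date:
            return 0
        removed = 0
        for system in self.systems:
            for rec in system.records.values():
                for field in list(EVENT_ONLY_FIELDS & rec.keys()):
                    del rec[field]
                    removed += 1
        return removed

    def export(self, delegate_id, requested_on):
        """Rule 6: everything held on one person, from every system, as JSON."""
        self._log(delegate_id, "access", requested_on)
        bundle = {"delegate": delegate_id, "consents": self.consents.get(delegate_id, {}),
                  "systems": {s.name: s.records.get(delegate_id, {}) for s in self.systems}}
        return json.dumps(bundle, indent=2, sort_keys=True)

    def rectify(self, delegate_id, field, value, requested_on):
        """Rule 7: apply one correction in every system that holds the person."""
        self._log(delegate_id, "rectification", requested_on)
        updated = []
        for s in self.systems:
            if delegate_id in s.records:
                s.records[delegate_id][field] = value
                updated.append(s.name)
        return updated

    def erase(self, delegate_id, requested_on, published=False):
        """Rule 8: remove the person everywhere; a published author's public record stays
        in the proceedings only. Returns whatever is still held, per system."""
        self._log(delegate_id, "erasure", requested_on)
        self.consents.pop(delegate_id, None)
        for s in self.systems:
            rec = s.records.pop(delegate_id, None)
            if rec is not None and published and s.keeps_publication_record:
                s.records[delegate_id] = {k: v for k, v in rec.items() if k in PUBLICATION_RECORD_FIELDS}
        return {s.name: s.records[delegate_id] for s in self.systems if delegate_id in s.records}


def demo():
    """Run the rules against one constructed (not real) delegate and return the results."""
    registration, schedule = DelegateSystem("registration"), DelegateSystem("schedule")
    proceedings = DelegateSystem("proceedings", keeps_publication_record=True)
    ctl = DelegateDataController(date(2018, 9, 10), [registration, schedule, proceedings])
    ctl.register("d1", {"name": "A. Example", "email": "a.example@example.org",
                        "affiliation": "Example University", "country": "IE",
                        "dietary_requirements": "vegetarian"},
                 consents={"future_events": True})  # sponsor sharing not ticked
    out = {"mailing_list": ctl.contacts_for("future_events"),
           "sponsor_list": ctl.contacts_for("share_with_sponsors"),
           "purged_before_event": ctl.purge_event_only_data(date(2018, 9, 1)),
           "purged_after_event": ctl.purge_event_only_data(date(2018, 9, 11)),
           "rectified_in": ctl.rectify("d1", "name", "A. Example-Corrected", date(2018, 10, 1))}
    out["export"] = json.loads(ctl.export("d1", date(2018, 10, 2)))
    out["after_erasure"] = ctl.erase("d1", date(2018, 10, 3), published=True)
    out["erasure_due"] = ctl.audit[-1]["due"]
    return out
```

The point of routing every request through one controller is that a correction or erasure can never be applied to the registration list and forgotten in the schedule or proceedings; the audit log with its due date is what lets you show the 30-day window was met.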

9. Notify anyone affected by a security breach

The GDPR means it will now be compulsory to notify your conference contacts and data protection authorities within 72 hours of discovering a security breach. Here’s where keeping your delegate data within a secure software environment can make all the difference. Using a secure platform like Ex Ordo means you’re less likely to have a data security breach (like leaving a laptop full of conference data behind on a train). And if you do have a breach, we have the necessary communication tools to help you reach those affected within that all-important 72-hour window. So carefully consider all the software you’ll use to store and manage delegate data, and create a policy for handling any breaches in security.

Disclaimer: We’re not lawyers, we spend our time designing and building conference management software. (And lately, we’ve spent a lot of our time making this software GDPR compliant.) If you’re concerned about how the GDPR might affect how you handle delegate data, seek professional legal advice.


Paul Killoran

Back when Paul was an engineering student, he didn’t even know what a conference paper was. Then he dipped his toe in the research conference world, realised how awful the software was, and decided to build Ex Ordo. Sometimes, life can be funny like that.