New GDPR: what changes for medical congress organisation
With the new EU regulation on data collection and protection, Professional Congress Organisers (PCOs) and Scientific Associations must review their processes and tools for event organisation in order to comply. A brief guide to the new rules.
The EU General Data Protection Regulation (GDPR) has applied since 25 May 2018 to every organisation that processes the personal data of individuals in the EU, wherever that organisation is established. It is a complex and sensitive matter, and it directly affects congress and event organisers, who collect and manage large quantities of personal information about attendees, clients and sponsors.
“The new European Regulation requires an important change of mind-set in the way of managing, storing and processing personal data, which is of particular prominence in the health and scientific sector, with significant duties and new procedures not only for Medical and Scientific Societies but also for all their partners,” said Gianluca Buongiorno, president of AIM Group International, at a dedicated seminar recently organised in Rome.
Why it is so important
Under the GDPR, Associations and PCOs are data controllers: the entities that decide why and how personal data is processed, and that carry the greatest responsibility for it. Under the accountability principle they must be able to demonstrate that appropriate technical and organisational measures are in place and that the risks to individuals have been minimised. Penalties for non-compliant controllers are very heavy: up to 20 million Euro or 4 percent of the company’s annual worldwide turnover, whichever is higher.
Partners and providers as well
Data controllers such as medical Associations or PCOs are responsible not only for the data they handle directly but also for the outside organisations that process it on their behalf (data processors): registration systems, mobile apps, survey tools, social media or payroll service providers. Each processor must be bound by a written contract that sets out the controller’s instructions and the processor’s obligations (GDPR Article 28), and each must meet its own legal responsibilities. Choosing a non-compliant vendor does not transfer the controller’s liability.
The fundamental rights
According to the GDPR, event organisers must guarantee individuals the following rights:
- Explicit Consent: consent must be freely given, specific, informed and unambiguous, and for health data it must be explicit. It cannot be inferred from pre-ticked opt-in boxes, silence or inactivity, and it must be requested separately for each organisation and each purpose: a single box covering registration, sponsor marketing and newsletters is not valid consent.
- Easy Access: attendees may ask at any time which of their data is held and how it is used, and the organiser must answer without undue delay, normally within one month.
- The Right to Withdraw and to Erasure: individuals can withdraw consent at any time, as easily as they gave it, and can ask for their personal data to be deleted; the organiser must then pass the request on to the third parties with which it has shared the data (suppliers, hotels, venues, etc.).
- Breach Notification: a personal data breach must be reported to the supervisory authority within 72 hours of the organiser becoming aware of it, unless it is unlikely to pose a risk to individuals; when the breach is likely to pose a high risk, the affected individuals must also be informed without undue delay. The 72 hours run from discovery, not from the incident itself, and a processor must report any breach to its controller without undue delay.
- Privacy by Design and by Default: organisations must build appropriate technical and organisational measures into the whole data handling process and, by default, collect and use only the minimum data needed for each purpose.
- Data Protection Officer: a DPO must be appointed when an organisation’s core activities involve large-scale, regular and systematic monitoring of individuals, or large-scale processing of special categories of data, which includes health data; many medical societies and their PCOs fall into this group. The DPO oversees GDPR compliance and is the contact point for the supervisory authority.
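The consent, access and withdrawal points above translate into concrete requirements on a registration system: one opt-in per controller and purpose, no pre-ticked boxes, a record of when and under which notice consent was given, and a way to revoke it and to export everything held about one attendee. The following is an added illustration written for this page, not code from the article or from AIM Group; the identifiers (`pco`, `sponsor-a`, `att-1`, the purpose names and the notice version) are placeholders, and the form submission is constructed inline.

```python
"""Consent ledger for an event registration system (added example, not the page's code).

Keeps one record per data subject, controller and purpose with the evidence a
controller needs to demonstrate valid consent (GDPR Art. 7): what was agreed,
when, under which privacy notice version, and when it was withdrawn.
Controller and purpose names below are placeholders, not real organisations.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ConsentChoice:
    """One opt-in box, as rendered to the attendee and as submitted."""
    controller: str        # who will use the data, e.g. "pco" or "sponsor-a"
    purpose: str           # exactly one purpose per box, e.g. "registration"
    default_checked: bool  # how the box was rendered before the attendee touched it
    checked: bool          # state of the box when the form was submitted


@dataclass
class ConsentRecord:
    subject_id: str
    controller: str
    purpose: str
    notice_version: str
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentLedger:
    def __init__(self) -> None:
        self._records: List[ConsentRecord] = []

    def submit(self, subject_id: str, notice_version: str,
               choices: List[ConsentChoice],
               now: Optional[datetime] = None) -> List[str]:
        """Record the boxes the attendee actively ticked; return "controller:purpose" keys.

        A pre-ticked box is rejected outright: consent inferred from a default is
        not consent (GDPR Recital 32), so the form itself is invalid and nothing
        from it is stored.
        """
        now = now or datetime.now(timezone.utc)
        pre_ticked = [c for c in choices if c.default_checked]
        if pre_ticked:
            raise ValueError("pre-ticked consent box(es): " +
                             ", ".join(f"{c.controller}:{c.purpose}" for c in pre_ticked))
        recorded: List[str] = []
        for c in choices:
            if not c.checked:
                continue  # an unticked box (silence) is not consent
            self._records.append(ConsentRecord(subject_id, c.controller, c.purpose,
                                               notice_version, now))
            recorded.append(f"{c.controller}:{c.purpose}")
        return recorded

    def _active(self, subject_id: str, controller: str,
                purpose: str) -> Optional[ConsentRecord]:
        for r in self._records:
            if (r.subject_id, r.controller, r.purpose) == (subject_id, controller, purpose) \
                    and r.active:
                return r
        return None

    def may_process(self, subject_id: str, controller: str, purpose: str) -> bool:
        """Gate every use of the data on an unrevoked consent for that exact controller and purpose."""
        return self._active(subject_id, controller, purpose) is not None

    def withdraw(self, subject_id: str, controller: str, purpose: str,
                 now: Optional[datetime] = None) -> bool:
        """Right to withdraw: revoke one consent. Returns False if none was active."""
        rec = self._active(subject_id, controller, purpose)
        if rec is None:
            return False
        rec.withdrawn_at = now or datetime.now(timezone.utc)
        return True

    def export(self, subject_id: str) -> List[Dict[str, Optional[str]]]:
        """Right of access: everything held about one subject, withdrawn consents included."""
        return [{"controller": r.controller, "purpose": r.purpose,
                 "notice_version": r.notice_version,
                 "given_at": r.given_at.isoformat(),
                 "withdrawn_at": r.withdrawn_at.isoformat() if r.withdrawn_at else None}
                for r in self._records if r.subject_id == subject_id]


if __name__ == "__main__":
    # Constructed submission: the attendee ticked registration for the PCO but
    # left the sponsor's marketing box empty; both boxes were rendered unticked.
    ledger = ConsentLedger()
    form = [ConsentChoice("pco", "registration", default_checked=False, checked=True),
            ConsentChoice("sponsor-a", "marketing", default_checked=False, checked=False)]
    print(ledger.submit("att-1", "privacy-notice-v2", form))
    print(ledger.may_process("att-1", "sponsor-a", "marketing"))
    ledger.withdraw("att-1", "pco", "registration")
    print(ledger.export("att-1"))
```

The point of the `default_checked` field is that validity is decided by how the box was presented, not only by its final state: a ticked box that was already ticked when the page loaded proves nothing. Keeping withdrawn records rather than deleting them is what lets the controller later show that processing stopped when it should have.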
How to implement compliant GDPR procedures
To comply with the new regulation, every company needs a structured, in-depth project that involves all functions, including IT, sales, marketing & communication, human resources and event management, as well as every employee who handles personal data.
Here are some milestone steps to achieve:
- Make a complete assessment of the internal data collection methods and flows: identify where personal data enters, transits and resides, how it is used and who can access it.
- Draw up a Record of Processing Activities (the “treatment register”, GDPR Article 30), which documents each processing activity, its purpose, the categories of data and recipients, the retention periods and the protection measures adopted.
- Identify the roles and related responsibilities in the data flow (Data Controller, Data Processor, etc.). The PCO, for example, is the Data Controller when organising a congress; when sponsors register medical delegations to a conference, the PCO must make sure the attendees have been adequately informed by the sponsors, and a clause to this effect should be inserted in the sponsorship contract.
- Implement a Privacy by Design management system with appropriate cybersecurity, IT, technical and organisational measures and codes of conduct, and review them periodically.
- Review your procedures and contracts with suppliers and providers across all areas: attendee registration and communications, scientific association data handling, website navigation and external newsletters, etc.
- Review your privacy notice. Draft and communicate reinforced information on data processing, clearly describing, for example, the purposes, how the data is used, the DPO’s contact details, how long the data and the consent given are retained, and any optional consents.
- Separate information and consent are needed when an association shares its members’ data with an equivalent international association, and when members’ data is published on the association’s website.
- Give everyone in charge of data management a short guide to follow and training, so that they are adequately informed.