sapmentors / SITregParticipant

SAP Event Registration - Front end for Participants
Apache License 2.0

Option to register „invisible“ to fulfill GDPR #32

Open CBasis opened 6 years ago

CBasis commented 6 years ago

I am wondering what GDPR might cause for SITreg. Having all participants visible at the event is one of the success reasons for SAPInsideTracks IMHO. But we might need a flag to register visible to the organizer only and stay anonymous for „the world“.

What do you think about that? Needed? Any other critical points regarding GDPR we have to solve?

gregorwolf commented 6 years ago

We've had a short discussion on this topic at our sitMUC organization kick-off yesterday. I think we need help from someone who does GDPR stuff on a daily basis to guide us.

CBasis commented 6 years ago

I am pretty sure that it does not mean to „shut it down“ but to identify the critical points.

Keeping the event as transparent as possible should be the goal.

Getting the option to hide personal data,

a request for confirmation of storing the data for event management and communication,

and an (optional) agreement to participate at an event that will publish information, mention participants and post event photos on social networks

seem to be needed at least.

What I did for sitFRA in the past was a statistic, e.g. about the group of participants: gender distribution, profession, location, age, and I showed that at the event. This should be handled with care as well .. and should not give the chance to identify an individual if he did not confirm to it before. Like: „25 customers, 45 partners, 10 SAP employees and 1 student!“ .. the 1 student might be a problem to mention depending on what is shown.

stevelofthouse commented 6 years ago

I love a good data protection question :)

Transparency, fairness and lawfulness are your watchwords.

Transparency. When people register, tell them what you will do with their data: how long you will keep it for, where you will store it and how you will use it. Give people a contact, either a person or an email address, that they can email if they need to query something about how their data is used.

Fairness. Be fair in how you use people's data. Use their data to register them for the SIT, and nothing else. That is to say, don't take the registration list and start mail bombing people (I know, we don't do that.) The use that we put the data to should be described as part of the transparency process (above.) Only collect the data you need to register people, and only store it for as long as there is a business need.

Lawfulness. There needs to be a lawful basis to process the data. It could be contract, or legitimate interest (LI), or consent. If you can keep data collection and use to a narrowly defined remit then contract is probably the best choice, otherwise it's consent or LI.

If we can do the Transparency and Fairness really, really well then we will be in a position to say to people when they sign up: We publish our list of attendees, because it proves really valuable to the people who attend. Connections and partnerships are fostered and that benefits the community. Having said that, if you would rather be a secret squirrel and not have your details publicly available, then please select "hide me" on the registration form, and you will be listed as "secret squirrel" on the public attendee list.

With regards to pictures and social media handles: you do not need consent under data protection law to take pictures. However, if you are going to use a person's image to promote a particular thing, then you need permission in some form, as people have image rights. You could say something along the lines of: We make use of social media (Twitter, Instagram etc.) to publish pictures of our events and tweet and connect with attendees. If you would rather we did not include you in pictures or tweets, please let us know by speaking to the organiser when you attend the event.

The above is general advice. If you would like more specific answers, do please drop me an email.

Steve

CBasis commented 6 years ago

Wonderful Steve! .. and sounds like a very realistic and honest way to handle that topic to me.

I think we now need to find all areas in the process / forms and validate them based on what you wrote. Then making things clear and transparent to the participant and acting accordingly .. would put us on the safe side.

Thanks Steve!

steverumsby commented 6 years ago

GDPR applies to organisations, and one question I have is where is the "organisation" here, and then of course who are the data controller and data processor. I have a suspicion that the "organisation" will be SAP, and that might mean getting SAP legal involved.