On-site, GDPR’s Ghost protocol

Published on: 19 December 2021 | 5.2 min read

Who you are is who you are!

Have you ever tried, while browsing the web, to click just once on the cookie settings? (And yes, since it has to be done on every site, you usually give in to the “I accept”.) It is fascinating to see the plethora of trackers installed. All this information is “de-anonymized” at your first email subscription or purchase and becomes an integral part of your “profile”. This is where the GDPR comes in: we must offer you the default unsubscribe (yeah, of course! We’ve been stalking you since your first visit and we’re just going to let you go like that…).

You will in fact have all the information and know everything we are going to do with your pretty email address and with your data, which knows more about you than your brother-in-law does. So, you will tell me, with the GDPR it’s “fair”: I’m told everything, so where is the problem? I just don’t have to accept if I don’t want to.

Certainly, but let’s be honest: you will start by not reading the 20 pages of “privacy & consent”, and you will buy the blue cashmere sweater or the camera pen anyway, because after all it is 40% off in the sale.

So what’s the point of this GDPR thing?

Honestly, not much. It’s a bit like wearing a tuxedo to your little cousin’s birthday party: not very useful. The reality is that, in France, the pre-GDPR CNIL rules were relatively close to today’s text. To get caught in the regulator’s net you really have to be a serious “data villain”. And the fines handed out in recent years have mostly been related to the security of the data rather than to its “misuse”.

So, what about events?

In short, the link with events is simple: apart from the software (I know you worked well with your provider, set up all the right fields, respected the rules, audited the intrusion risks, unsubscribed those who asked for it from the ENTIRE data ecosystem…), what could be the weak link?

The ON-SITE: here is a detail that often slips through the cracks of the GDPR. So, dear event planners, organizers of conferences or fairs, here are some points to check to do things right!

1- Staff with access to the data:

Whether they are your service providers or your own staff (sales administration or the hostesses, for example), they must be mentioned in the famous “privacy & consent” as soon as you first capture a participant’s e-mail address. Do not panic: there is no need to name them individually, but remember to list the categories of people likely to come into contact with participant data.

2- Passwords everywhere:

Ah… the on-site, the den of last-minute rushes and “I’m running everywhere”. The consequences: I hand out my passwords, or even scribble them on a post-it… Set up a process and send a note to your teams on this point; it is essential not to expose access to information. This will protect you as a legal entity during a trial.

3- Doors must be closed

Data security is not just about someone “getting into the computer”; it’s also about the computer getting stolen. All access to servers and workstations containing the data must be subject to continuous monitoring or, failing that, be physically protected (hence the closed door, for example). Think about it!

4- I print and I like it!

Well, first of all, it is not very eco-friendly, but we know that it is common at events to print listings and other data. In theory (no, actually, in practice too) printed personal data is subject to the GDPR: you must know what has been printed, and archive and/or destroy it according to your data management process.

5- Onsite technologies

It is certainly important to have technically audited your software providers, but have you thought about the data handled by on-site hardware (scanners, synchronization terminals…)? How does data pass through the hardware ecosystem?

The message is simple: on-site technologies are sometimes numerous, and some are dated, insecure, or use data in an unorthodox way. In short, beyond the jargon (and that is the problem), a lot of technology and data (and therefore potential flaws) punctuate the on-site. It is essential that a “contract” guaranteeing the security and protection of data is put in place with the service providers. This contract must be practical and readable, and for each service (software and hardware) a list of data management and security commitments must be drawn up, in line with the master plan of your GDPR policy.

Here you are, I hope, at least aware that the GDPR also applies on-site, a factor that we often tend to neglect: neglecting it undoes all the work done upstream and exposes us to risks that are ultimately quite simple to control.
