Managing your data retention policy in Eventsforce
In May 2018 the General Data Protection Regulation (GDPR) will replace the 1995 EU Data Protection Directive and will provide a completely new framework to the way we collect, process, and protect the personal data of people in the European Union (EU).
The Data Protection Act (DPA) is the UK implementation of the EU Data Protection Directive. It is a piece of UK legislation that gives individuals rights over the data that companies and other organizations hold about them.
The fifth principle of the Data Protection Act (DPA) says that:
“Personal data processed for any purpose or purposes shall not be kept for longer than is necessary for that purpose or those purposes.”
For more information on how this legislation will affect event planners, you can read our eBook "The Event Planners Guide to GDPR Compliance".
Eventsforce includes tools that will allow you to comply with principle 5 and put personal data beyond use; however, we cannot provide advice on what your policy should be.
This guide is for those who have day-to-day responsibility for data protection. However, this is a living document and may change or expand to remain compliant.
IMPORTANT NOTICE: Anonymization and deletion of person records and invoices cannot be reversed!
What will happen to my data?
As the data controller, your organization may have a data retention policy to determine how your data will be managed. Your organization may have determined that you do not need to delete data and therefore do not need to use the tools in Eventsforce.
Until you know what your data retention policy is, you should not use the data protection tools in Eventsforce. If you do need to use the tools, we would recommend that you try them in your sandbox first on your oldest data.
Please note that there is no 'undo' for this feature. Once the data has been anonymized or deleted it cannot be retrieved.
Eventsforce has 2 methods of putting personal data beyond use:
The data protection tools
Our data protection tools will give you the ability to implement your specific data retention policy. Eventsforce cannot be responsible for your organization's policy relating to data protection and therefore, cannot advise on what you should or should not do within Eventsforce.
There are 2 data protection tools: automatic anonymization and manual anonymization. Both are extremely powerful. We recommend that you only give access to those users who understand your data retention policy, as we will not be able to revert the process.
There may be instances when an individual asks for their data to be anonymized on an ad-hoc basis; manual anonymization allows for this in the most common scenarios.
Clicking ‘Anonymize...’ will show you a message that either asks you if you would like to proceed with the anonymization or will inform you that it is not possible to anonymize the person.
Being part of a future event but the registration is not cancelled
Being part of a future event but the payment status is not "Paid"
Their last used date is today
If it is possible to anonymize the person and you proceed, the person will be anonymized immediately. It will not be possible to undo this action.
Who can manually anonymize people?
This feature is available to any user who has been given the role function "Anonymize Personal Information". With this function, the user will see the ‘Anonymize...’ button on the person details page.
To add the feature to a role:
Go to System Settings > Roles
Click to 'Edit' the role type you wish the function to be added to
In the 'Access Rights' panel, search for "Anonymize Personal Information" and select the function
Click the 'Tools' dropdown and select "Activate..."
All users with that role type will see, and be able to use, the ‘Anonymize...’ button.
Testing your data retention policy in your sandbox
Before setting up a policy for your data retention in Eventsforce, we would strongly recommend that you test the functionality in your sandbox account as the feature is destructive and it will not be possible to revert the actions.
It would be best to look for your oldest data and enter values on the data protection page to suit. For example, if you have registrations or submissions that are 4 years old, enter values of 48 months. The automatic anonymization will happen at 00:10 UTC. If you want to test a different scenario, look for your next oldest data (for example, 3 years), enter 36 months, and so on.
Manual anonymization is immediate so you could look for any record and click the anonymize button.
1. What is the meaning of "Anonymization date"?
This is the date when data for a person will be anonymized or deleted based on when they were last used, whichever is the latest.
2. What is the meaning of "Last date of use"?
“Use” is defined as the latest date of:
The last day of any event that person is registered for, including cancelled people
The last day of any event a person is a registration contact for
The last day of any event a person has started or completed an abstract submission for (including inactive and incomplete submissions)
The last day of any event a person is an author or co-author of an abstract for
The last day of any event a person is a reviewer for
The last day of any event a person is an award submitter for
The last day of any event a person is an award judge for
The last day of any event a person is a presenter/session chair for
The last day of any event a person is a guest for
The last day of any event a person is a table guest for
The last day of any event a person is a room guest for
The last day of any event a person is an invitee for
The last day of any event a person is on an event-specific list for
The last day of any event that a person is connected to in any other way
The date that any person last replied to a survey
The “last modified” timestamp on the person record
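As an added illustration (not Eventsforce code), the following Python models the "last date of use" rule above so that a candidate retention value can be checked against an export before it is entered in the sandbox. The record field names, the calendar-month arithmetic and the "due on or before the run date" comparison are assumptions; the page does not specify them.

```python
import calendar
from datetime import date

def last_date_of_use(person):
    """Latest of the dates the page counts as "use" for one person."""
    dates = list(person.get("event_last_days", []))  # every connected event, any role
    dates += [person[k] for k in ("last_survey_reply", "last_modified") if person.get(k)]
    return max(dates) if dates else None

def add_months(d, months):
    """Add calendar months, clamping to the end of shorter months (assumed rule)."""
    year, month0 = divmod(d.year * 12 + d.month - 1 + months, 12)
    day = min(d.day, calendar.monthrange(year, month0 + 1)[1])
    return date(year, month0 + 1, day)

def dry_run(people, retention_months, run_date):
    """Return {person_id: (last_use, due_date, due_now)} for a planned retention value."""
    report = {}
    for p in people:
        last_use = last_date_of_use(p)
        if last_use is None:
            report[p["id"]] = (None, None, False)  # no recorded use: review by hand
            continue
        due = add_months(last_use, retention_months)
        report[p["id"]] = (last_use, due, due <= run_date)
    return report

# Constructed sample records (hypothetical field names, not real data).
PEOPLE = [
    # Old event, record untouched since: ages out first.
    {"id": "A", "event_last_days": [date(2014, 6, 12)], "last_modified": date(2014, 6, 1)},
    # Same old event, but the person record was edited later, which resets the clock.
    {"id": "B", "event_last_days": [date(2014, 6, 12)], "last_modified": date(2017, 11, 3)},
    # Two events plus a later survey reply: the survey date wins.
    {"id": "C", "event_last_days": [date(2013, 9, 30), date(2016, 2, 29)],
     "last_survey_reply": date(2016, 3, 7)},
]

if __name__ == "__main__":
    for pid, (used, due, now) in dry_run(PEOPLE, 48, date(2018, 7, 1)).items():
        print(pid, used, due, "DUE" if now else "kept")
```

Records A and B share the same event, yet only A falls due at 48 months, because the "last modified" timestamp on B counts as use.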
3. What is the meaning of "Anonymized on"?
This is the date that a person was anonymized for the first time.
4. What happens with data that is integrated with our CRM?
Anonymized data will not be updated in your CRM tool, such as Salesforce; therefore, sensitive data may still exist there. You will need to check with your CRM provider about the data retention tools that they provide.
5. What happens if I’m sending an email to a list of people that includes anonymized people?
If you are sending emails in bulk and there are anonymized people on the mailing list, emails will not be sent until the anonymized people are removed from the list.
6. Can anonymized data be sent through the API?
In the API, "IsAnonymized" is sent as "True" for anonymized people.
7. Are attendee categories anonymized/deleted PI?
No. The information about attendee categories may be required for reporting purposes. It will not be possible to trace a person based on an attendee category.
8. If we do not mark bookable items as PII, will we be able to still see an itemized invoice showing individual line items without a name and other PII attached?
Yes. All invoice and credit note line items will be available. However, invoice PDFs generated through the API will be deleted so invoices will need to be checked in the Eventsforce admin portal. This information is stored in the database and can therefore still be accessed.
9. Do you have a recommended best practice on what duration to set before anonymization/deletion?
No. We cannot offer any advice; we can only provide the tools.
10. How does the GDPR work with backed up data?
Any data that was previously backed up will not be deleted. A back-up of anonymized data is not created; therefore, it cannot be retrieved.
11. What happens to abstracts submitted by someone who is anonymized?
The abstract content will remain but the authors and co-authors will be anonymized. The audit trail will be deleted.
12. If an author submits an abstract with multiple co-authors and the author keeps attending conferences and so is not anonymized, what happens to the co-authors? Are they anonymized?
We treat them all as people; therefore, if the co-authors' last used date falls within the duration set for anonymization, they will be anonymized.
13. If the co-authors still want to be associated with the abstract but the main author doesn’t, what will happen?
We do not have a mechanism to opt-out specific types of people, so this is not possible. We would recommend making a change to the co-authors to update their last used date.
14. Does the abstract completely disappear if the main author is anonymized?
15. Will admin portal users be anonymized?