The GDPR and webinar.net

Background

On May 25th, 2018, the European Union’s (EU) new data protection framework, the General Data Protection Regulation (GDPR), will come into effect. It is the most significant piece of data protection legislation to date and will impact any organization that processes personal data in connection with goods/services offered to an EU resident, or monitors the behavior of persons within the EU, regardless of where that organization is located in the world.

The introduction of GDPR will force us to be better at protecting the personal information we collect. What the GDPR mandates is actually a set of best practices that benefits marketers to follow. At a basic level, it requires that you:

  • Collect, store, and use personal information only insofar as it is compatible with your purpose for collecting it
  • Obtain active permission from recipients before you send marketing materials, and
  • Disclose and/or delete an individual’s personal information at their request.

If you work with one or more outside organizations to collect, store, or use the personal information of people within the EU, then make sure that each of those organizations is fully prepared for GDPR compliance.

Implications of Not Complying

You should embrace the changes for GDPR for a number of reasons. The first, is that protecting privacy and being clear and transparent about how and why you use personal information is just good business. The second, if that you can be hit with heavy fines. Depending on the violation, a company can be fined up to the greater of €20 million (approximately $24.5 million) or 4% of the preceding year’s worldwide revenue.

Webinar.net’s Commitment to GDPR Compliance

webinar.net is committed to helping our customers and partners by protecting and respecting personal data, no matter where it is from or where it flows. Webinar.net’s Legal, Trust and Privacy teams have carefully analyzed the GDPR and have taken the necessary steps to ensure that we comply. Between now and May 25th (and beyond), we are fully committed to enhancing the webinar.net platform to enable easier compliance with the GDPR.

Key Definitions

  • Data Controller: the entity that determines the purposes, conditions, and means of the processing of personal data; the webinar.net Customer, i.e. producer of a webinar
  • Data Processor: the entity the processes data on behalf of the Data Controller; webinar.net
  • Data Subject: a natural person whose personal data is processed by a controller or processor; the registrant or attendee of a webinar on the webinar.net Application, “End Users”

Information We Collect

webinar.net may collect and receive customer data, personal information, attendee information, and other information and data (collectively “information”) in a variety of ways.

Information

Individuals granted access to the webinar.net application by a webinar.net customer (“end users”) routinely submit information to webinar.net.

When an end user of a customer has been granted access to the webinar.net application, we collect and store information about the end user. The personally identifiable information collected from the end user through the webinar.net application includes information in the “Profile” section of the webinar.net application, which is populated through the Registration Page. This information might be name, email address, company, title, location, and phone number (which makes up the end user’s “personal information”).

We use this personal information to set up the end user’s account or allow administration and communication with the end user regarding their registration. We may also use their email address to send updates about the customer program on the webinar.net Application and to provide support in connection with said program.

Consent

webinar.net is implementing a new “opt-in” consent for the platform. webinar.net’s customers are considered the Controller of the data from a GDPR perspective, making our customers ultimately responsible for fulfilling data subject rights and ensuring that the opt-in consent is in place. webinar.net understands that their customers will need to rely on webinar.net to collect the opt-in because they are using our platform to collect information for user registrants (data subjects) they may not have an existing relationship with. webinar.net will also provide the ability for Customers to provide details on how they will use John’s data.

The opt-in consent will include a link to the webinar.net Data Collection Consent, as well a link to the Customer Terms & Conditions.

Meeting GDPR Requirements

Let’s say that John Doe is a registrant on the webinar.net Application and an EU citizen. John is the Data Subject (End User). Any webinar.net Customer using the webinar.net Application to host a webinar is the Controller. webinar.net acts as the Processor of John’s data on behalf of the Customer.

Below are a few key areas where webinar.net is helping our Customers be GDPR-compliant.

What It Meanswebinar.net GDPR Enhancement
Lawful basis of processing webinar.net needs to have a legal reason to use John's data. That reason could be consent (he opted in by registering).

webinar.net needs the ability to track that reason (also known as “lawful basis”) for a given contact.
webinar.net will track lawful basis of processing via Consent; see below.

webinar.net will be able to track and audit the grant of lawful basis based on using the property history for Consent.
ConsentOne type of lawful basis of processing is consent with proper notice.

In order for John to grant consent under the GDPR, a few things need to happen:

He needs to be told what he’s opting into. That’s called “notice.”

He needs to affirmatively opt-in (pre-selected checkboxes aren’t valid).

The consent needs to be granular, meaning it needs to cover the various ways webinar.net processes and uses John’s personal data (e.g. marketing webinar). We must log auditable evidence of what John consented to, what he was told (notice), and when he consented.

Customers of webinar.net must also provide granular details on how they will use John’s personal data.
webinar.net makes collecting, tracking, and managing consent as straightforward as possible.

webinar.net Customers acquire personal information about End Users like John through registration.

On our Customer registration page, we will provide proper notice to John before he provides information to webinar.net. webinar.net will also collect the appropriate consent when he’s ready to grant it.

Once John submits his information, we will store a copy of the notice that John was provided, information about which consent he provided, and the timestamp of the interaction.
Withdrawal of consent (or opt out) John needs the ability (as a data subject) to see what he’s signed up for and have the ability to withdraw his consent (or object to how webinar.net is processing his data) at any time. In other words, withdrawing consent needs to be just as easy as giving it.John can send webinar.net a withdrawal of consent directly to webinar.net via info@webinar.net.com, as detailed in our Privacy Policy. webinar.net will be able to modify the lawful basis contact property mentioned above.

In addition, all John's data within that current webinar will be masked.
DeletionJohn has the right to request that webinar.net deletes all the personal data we have about him. The GDPR requires the permanent removal of John’s contact from the database.

In many cases, webinar.net will need to respond to his request within 30 days. The right to deletion is not absolute, and can depend on the context of the request.

Therefore, it doesn’t always apply.
webinar.net will provide a GDPR- compliant permanent delete in all webinar Environments. This will be performed by a webinar.net employee only, per direct request.
Access / PortabilityJust as he can request that you delete his data, John can request access to the personal data you have about him. Personal data is anything identifiable, like his name and email address. If he requests access, webinar.net needs to provide a copy of the data.

John can also request to see and verify the lawfulness of processing.
webinar.net enables Customers to grant any access/portability request by allowing John to easily export his contact record into a machine-readable format. This is done via the Setting drop-down, Download My Data, inside the webinar.net Application.

webinar.net can verify John’s lawfulness of processing and using the associated contact property we mentioned above.
Modification Just as he can request to delete or access his data, John can ask Customers to modify his personal data if it’s inaccurate or incomplete. If and when he does, we need to be able to accommodate that modification request.Inside the webinar.net Application, John can easily update his personal information via the Settings drop-down, Edit Registration.