You’ve probably heard about the General Data Protection Regulation (GDPR), the new European Union data privacy and protection law that strengthens and expands the privacy rights of EU citizens. Organizations operating in the EU or handling data of EU citizens need to be compliant with the GDPR by May 25th, 2018. Many businesses, including EzTix, are in their final stages of preparation to ensure GDPR compliance.
Data privacy and security have always been top priorities for EzTix. We’re optimistic about the changes the GDPR will bring to the industry and the opportunity it gives us to strengthen our commitment to user privacy and data protection. We’re taking steps to ensure our compliance with the GDPR by May 25th as both a data controller and data processor.
The GDPR was adopted in April 2016, but will officially be enforceable beginning on May 25, 2018. There will not be a “grace period,” so it is important that organizations impacted by the GDPR get ready for it now.
The scope of the GDPR is very broad. The GDPR will affect (1) all organizations established in the EU, and (2) all organizations involved in processing personal data of EU citizens. The latter is the GDPR’s introduction of the principle of “extraterritoriality”; meaning, the GDPR will apply to any organization processing personal data of EU citizens—regardless of where it is established, and regardless of where its processing activities take place. This means the GDPR could apply to any organization anywhere in the world, and all organizations should perform an analysis to determine whether or not they are processing the personal data of EU citizens. The GDPR also applies across all industries and sectors.
In the culinary tourism & event industry? If you have ever sold, or could ever sell, a ticket to an EU citizen, your business must be GDPR compliant.
There are a few definitions that will aid the understanding of the GDPR’s broad scope.
Per the GDPR, personal data is any information relating to an identified or identifiable individual; meaning, information that could be used, on its own or in conjunction with other data, to identify an individual. Consider the extremely broad reach of that definition. Personal data will now include not only data that is commonly considered to be personal in nature (e.g., social security numbers, names, physical addresses, email addresses), but also data such as IP addresses, behavioral data, location data, biometric data, financial information, and much more. This means that, for EzTix users, at least a majority of the information that you collect about your guests will be considered personal data under the GDPR.
Sensitive personal data, such as health information (dietary alerts) or information that reveals a person’s racial or ethnic origin, will require even greater protection. You should not store data of this nature anywhere outside your EzTix account.
EzTix has determined, through rigorous evaluation, that our organization is subject to the GDPR. With the General Data Protection Regulation (GDPR) going into effect, EzTix is fully committed to being compliant with the GDPR by May 2018, so our customers can confidently use EzTix knowing their business partner abides by GDPR principles.
EzTix started GDPR preparation a long time ago, and as part of this process we are reviewing (and updating where necessary) all of our internal processes, procedures, systems, and documentation to ensure that we are ready when the GDPR goes into effect. While much of our preparation is happening behind the scenes, we are also working on a number of initiatives that will be visible to our users. Among other things, EzTix is:
• Updating our Terms of Service to meet the requirements of the GDPR in order to permit you to continue to lawfully transfer EU personal data to EzTix and permit EzTix to continue to lawfully receive and process that data;
• Updating our Privacy Policy to make it easier to understand how we collect and process your data and the data of your ticket buyers, in plain, clear, easy-to-understand language;
• Revising our third-party vendor contracts to meet the requirements of the GDPR in order to permit us to continue to lawfully transfer EU personal data to those third parties and permit those third parties to continue to lawfully receive and process that data;
• Evaluating potential new GDPR-friendly capabilities to add to our application.
• Security & Incident Response Training: All EzTix employees attend trainings on our responsibilities regarding security, availability, processing integrity, and confidentiality. Additionally, the EzTix team is trained on appropriate incident response procedures in the case of a data breach.
• Data Usage: We’ve completed a comprehensive data audit to ensure we only collect data critical to business needs and will review our retained data regularly. We’ve also streamlined how we use personal data throughout our infrastructure to limit usage of data to only the necessary applications that allow us to operate our service.
• Privacy Shield: Ahead of May 25th 2018, EzTix will complete the E.U.-U.S. and Swiss-U.S. Privacy Shield certifications to ensure adequate safeguards are in place for international data transfers.
EzTix has engaged an outside agency (CertiKit) to audit and certify our business as GDPR compliant, and more information on our certifications will be posted here as it becomes available.
In addition, we will be prepared to address any requests made by our Partners or any ticket buyer related to their expanded individual rights under the GDPR:
• Right to be forgotten: You may terminate your EzTix account at any time, in which case we will permanently delete your account and all data associated with it.
• Right to object: You may opt out of inclusion of your data in any data science projects.
• Right to rectification: You may access and update your EzTix account settings at any time to correct or complete your account information. You may also contact EzTix at any time to access, correct, amend or delete information that we hold about you.
• Right of access: Our Privacy Policy describes what data we collect and how we use it. If you have specific questions about particular data, you can contact privacy@eztix.com for further information at any time.
• Right of portability: We will export your account data to a third party at any time upon your request.
You should consult with legal and other professional counsel regarding the full scope of your compliance obligations. Generally speaking, however, if you are an organization that is organized in the EU or one that is processing the personal data of EU citizens (selling them a ticket), the GDPR will apply to you.
Per the GDPR, processing is “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.” Basically, if you are collecting, managing, using or storing any personal data of EU citizens, you are processing EU personal data within the meaning prescribed by the GDPR. This means, for example, that if any of your EzTix lists contains the email address, name, or other personal data of any EU citizen, then you are processing EU personal data under the GDPR.
Keep in mind that even if you do not believe your business will be affected by the GDPR, the GDPR and its underlying principles may still be important to you. European law tends to set the trend for international privacy regulation, and increased privacy awareness now may give you a competitive advantage later.
EzTix, just like any other business, currently uses third-party Subprocessors to provide various business functions like business analytics, cloud infrastructure, email notifications, payments, and customer support. Prior to engaging any third-party Subprocessor, EzTix performs due diligence to evaluate its security posture and executes an agreement requiring each Subprocessor to maintain minimum acceptable security practices.
We’ve listed our Subprocessors on a separate page. We will keep that page up to date; please check back regularly for updates on all changes.
While the GDPR preserves many principles established by its predecessor, the Data Protection Directive, it introduces several important and ambitious changes. Here are a few that we believe are particularly relevant to EzTix and our customers:
1 – Expansion of scope: As mentioned above, the GDPR applies to all organizations established in the EU or processing data of EU citizens, thus introducing the concept of extraterritoriality, and broadening the scope of EU data protection law well beyond the borders of just the EU.
2 – Expansion of definitions of personal and sensitive data, as described above.
3 – Expansion of individual rights: EU citizens will have several important new rights under the GDPR, including the right to be forgotten, the right to object, the right to rectification, the right of access, and the right of portability. You must ensure that you can accommodate these rights if you are processing the personal data of EU citizens.
• Right to be forgotten: An individual may request that an organization delete all data on that individual without undue delay.
• Right to object: An individual may prohibit certain data uses.
• Right to rectification: Individuals may request that incomplete data be completed or that incorrect data be corrected.
• Right of access: Individuals have the right to know what data about them is being processed and how.
• Right of portability: Individuals may request that personal data held by one organization be transported to another.
4 – Stricter consent requirements: Consent is one of the fundamental aspects of the GDPR, and organizations must ensure that consent is obtained in accordance with the GDPR’s strict new requirements. You will need to obtain consent from your subscribers and contacts for every usage of their personal data, unless you can rely on a separate legal basis. The route to compliance is to obtain explicit consent. Keep in mind that:
• Consent must be specific to distinct purposes.
• Silence, pre-populated boxes or inactivity do not constitute consent; data subjects must explicitly opt in to the storage, use and management of their personal data.
• Separate consent must be obtained for different processing activities, which means you must be clear about how the data will be used when you obtain consent.
5 – Stricter processing requirements: Individuals have the right to receive “fair and transparent” information about the processing of their personal data, including:
• Contact details for the data controller, which we will explain in more detail below.
• Purpose of the data: This should be as specific (“purpose limitation”) and minimized (“data minimization”) as possible. You should carefully consider what data you are collecting and why, and be able to validate that to a regulator.
• Retention period: This should be as short as possible (“storage limitation”).
• Legal basis: You cannot process personal data just because you want to. You must have a “legal basis” for doing so, such as where the processing is necessary to the performance of a contract, an individual has consented (see consent requirements above), or the processing is in the organization’s “legitimate interest.”
There are many other principles and requirements introduced by the GDPR, so it is important to review the GDPR in its entirety to ensure that you have a full understanding of its requirements and how they may apply to you.
Non-compliance with the GDPR can result in enormous financial penalties. Sanctions for non-compliance can be as high as 20 million euros or 4% of global annual turnover, whichever is higher.
If you access personal data, you do so as either a controller or a processor, and there are different requirements and obligations depending on which category you are in. A controller is the organization that determines the purposes and means of processing personal data. A controller also determines the specific personal data that is collected from a data subject for processing.
A processor is the organization that processes the data on behalf of the controller.
The GDPR has not changed the fundamental definitions of controller and processor, but it has expanded the responsibilities of each party.
Controllers will retain primary responsibility for data protection (including, for example, the obligation to report data breaches to data protection authorities); however, the GDPR does place some direct responsibilities on the processor, as well. Accordingly, it is important to understand whether you are acting as a controller or a processor, and to familiarize yourself with your responsibilities accordingly.
In the context of the EzTix application and our related services, in the majority of circumstances, our customers are acting as the controller. Our customers, for example, decide what information from their contacts or subscribers is uploaded or transferred into their EzTix account.
We will update this page as the plan is implemented between now and May 25th. Following that, this page will serve as our statement of compliance.