Background as provided by the Information Commissioner’s Office (ICO)
The European Union’s GDPR is a new set of regulations intended to give the power back into the hands of EU citizens over how their data is processed and used. EU citizens will be able to request that businesses delete their personal data if required.
The new regulations came into force from 25th May 2018.
Under the GDPR, the data protection principles set out the main responsibilities for organisations.Article 5 of the GDPR requires that personal data shall be:
“the controller shall be responsible for, and be able to demonstrate, compliance with the principles.”
Index is an established data controller, registered with the Information Commissioner reference Z7263558.
The protection of individuals’ privacy has always been key to our principles, our office systems and our data management.
Meeting the Requirements of Article 5 (as set out above):
|Article 5 of the GDPR requires that personal data shall be||Index confirmation
|a) processed lawfully, fairly and in a transparent manner in relation to individuals;||All data is processed lawfully, fairly and in a transparent manner|
|b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes;||All data is collected for specific purposes relating to individuals’ interest in attending (or attendance at) events with which we are involved; contact data is never released to third parties|
|c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed;||The data that we hold for data subjects is provided by them for the purposes of informing them about events or booking them into an event. It is limited in nature to name, address, contact telephone numbers, dietary preferences, choices relating to programmes and payment information. We hold no other personal data|
|d) accurate and, where necessary, kept up to date;||
Where we are notified of a death, retirement or change of interest area, contacts are removed from our forward-looking systems (ie for future events) to avoid them or their families receiving future contact; we do not delete financial records less than 6 years old which are required for archived accounts purposes; these may reflect bookings and transactions from an individual who has been removed from our contact databases
|e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed;||By way of good practice, we enable attendees to opt out of hearing about future events at the booking stage and at any time. Our storage and publicity methodology enables us to pinpoint and manage details of a data subject quickly, to make any required change promptly|
|f) processed in a manner that ensures appropriate security of the personal data||Booking data (including financial aspects) is encrypted and held securely. Contact databases for future events are held on a secure server which is professionally managed|
Index works on the basis of this lawful basis:
“(a) Consent: the individual has given clear consent for you to process their personal data for a specific purpose.”
This is because we are receiving data from data subjects who wish to express an interest in an event or who book to attend. By providing their data they are requiring us to process it in order to provide them with the information – or the booking – that they require.
We collect name, organisation, contact information, dietary requirements and preferences of activities on offer. This does not include an individuals’ IP address or details of their pathway through our websites. If this kind of data collection becomes important in the future and we implement software to capture this information, we will revise this Policy.
We do not store/have any requirement for personal information about family members, criminal convictions, vehicle or travel patterns. All information that we receive, store, process and manage has been received from the individuals.
To inform relevant potential delegates (who have expressed an interest or attended before) about a forthcoming event.To process and manage their booking to attend an event.
To collect feedback after an event about their experience.
We never sell or rent data subjects’ contact data to third parties for any reason whatsoever.
At events, simple outline delegate lists are produced by way of summarising who is present. This does not contain any contact information: simply names. Delegates can opt out of being listed, when they make their booking.
When using our booking software, the purchase is processed by a specialist third party payment processor, which specialises in global events. The system is totally encrypted such that staff do not have sight of the financial details.
Internally, all Index staff have been trained and are aware of our strict data protocols.
There is always a choice about whether or not to receive information from us. Only those who have opted in receive information which is targeted and relevant to them.
All contact from Index includes instructions on how to Unsubscribe at any time.
The accuracy of contact information is important to us, to reduce wastage in what we do. We therefore urge all contacts to keep us informed of changes to E-Mail addresses (our main channel of communication).