GDPR - New European Privacy and Consent Rules!

6 years 5 months ago #105631 by Donal
Tuan,
From 25th May, 2018, new rules are being introduced for companies who deal with Europeans' data: GDPR. There are huge fines for non-compliance (up to €20m or 4% of global annual turnover for breaches), and compliance MUST be in place for 25th May, 2018. From May 25th, an event marketer can get huge fines if we send an email to a European, where we can't prove that they consented to receive the email.

This is a very important topic for Event Booking (EB) and its users, and now is the time to prepare for it. I have been doing extensive research on the GDPR, and this is what I think Event Booking needs to offer, so that our event running websites can be GDPR compliant.

1) T & C must be presented separately to Data Processing Consent. This unbundled presentation could be as simple as the shown example.... assets.econsultancy.com/images/0008/7513...7-14_at_16.40.03.jpg

2) Just-in-time privacy notices with each field are a great UX to compliance, whereby a pop-up gives privacy info for each personal data field. It would be great if EB added support for this, or could suggest how we could incorporate a tool like this, e.g. to have a question mark next to each field, which when a user clicks on it, they get the relevant information... demo.regularlabs.com/index.php/11-tooltips Some good examples for good UX are shown at www.econsultancy.com/blog/69256-gdpr-how...otices-with-examples

3) Granular consent is vital for marketing purposes, i.e. transactional emails should be treated differently to marketing emails. Permission to text should also be treated separately.

I use AcyMailing and AcySMS, along with your plugin. At the moment, the plugin allows you to configure a field to say they want to receive emails or not, which will then sign the user up to all specified lists. This isn't enough. I believe the following system will result in the best, compliant UX.

PlugIn allows you to define a number of different mailing lists, and pair them with a number of different fields, e.g.
Mailing Lists - My November 2017 Event, Marketing Mailing List, Marketing SMS List

And configuration would allow the following options
Compulsory List: My November 2017 Event
(No Opt-in on form for this list as it is for transactional emails and texts. Transactional emails and texts are allowed for current customers in order to deliver on your contract with them)

Optional Lists
Marketing Mailing List - Tied to RADIO button field: ReceiveEmails: value Yes! ( or something else specified)
Marketing SMS List - Tied to RADIO button field: ReceiveSMS: value Yes! (or something else specified)

(Radio button is chosen as it has been shown that providing Yes/No options, with neither selected is the best GDPR compliant way to keep opt-in rates up. See www.zettasphere.com/gdpr-consent-opt-in-examples/ )

So, using the above options, a registrant is signed up to 1, 2 or 3 mailing lists, and GDPR compliance is possible from this aspect, while maintaining good UX. This example can be expanded upon.

I hope the above is clear, and you can see the importance. I'd appreciate hearing your thoughts on whether you will implement a system like this?

Thanks,
Donal
The following user(s) said Thank You: József Gonda
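
The list-to-field pairing proposed in the post above, sketched as an added example (not the plugin discussed in this thread, and not Event Booking or AcyMailing code). The function, class and constant names are hypothetical; the list names, field names and the `Yes!` value are the ones given in the post.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Optional

# Constructed configuration mirroring the post: one compulsory (transactional)
# list and two optional lists, each tied to its own radio-button field.
COMPULSORY_LISTS = ["My November 2017 Event"]
OPTIONAL_LISTS = {
    # list name: (form field, value that counts as opt-in)
    "Marketing Mailing List": ("ReceiveEmails", "Yes!"),
    "Marketing SMS List": ("ReceiveSMS", "Yes!"),
}


@dataclass(frozen=True)
class ConsentRecord:
    """Evidence kept per optional list, so consent can be shown later."""
    list_name: str
    field: str
    answer: Optional[str]  # None = neither radio option was selected
    granted: bool
    recorded_at: str       # UTC timestamp, ISO 8601


def resolve_subscriptions(form, now=None):
    """Return (lists to subscribe to, consent evidence) for one registration."""
    stamp = (now or datetime.now(timezone.utc)).isoformat()
    lists = list(COMPULSORY_LISTS)  # transactional list: no opt-in field
    evidence = []
    for list_name, (field, opt_in_value) in OPTIONAL_LISTS.items():
        answer = form.get(field)          # missing key = nothing selected
        granted = answer == opt_in_value  # any other answer is not consent
        if granted:
            lists.append(list_name)
        # Refusals and blanks are recorded too, not only opt-ins.
        evidence.append(ConsentRecord(list_name, field, answer, granted, stamp))
    return lists, evidence
```

An unselected radio button never reaches the server as a form value, so the missing key is treated as "no consent" and the registrant lands on the compulsory list only.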

6 years 5 months ago #105646 by Tuan Pham Ngoc
Replied by Tuan Pham Ngoc on topic GDPR - New European Privacy and Consent Rules!
Hi Donal

At the moment, I won't have time to look at it and implement it right away. So it is something we will leave to next year's development (we will look at it in Feb next year)

Tuan

6 years 2 months ago - 6 years 2 months ago #109113 by Chris Jarvis
Replied by Chris Jarvis on topic GDPR - New European Privacy and Consent Rules!
Hi Donal & Tuan

I would just like to add my voice and backing for all the great OS Solution Extensions to cover this new ruling properly too. It is a game changer that is now coming up very soon.

Not just Events but Membership and anything else that stores personal data like email address from an EU citizen falls under this from my understanding.

I have just been tasked by my employer to have a satisfactory solution in place by mid-April 2018 for our entire website. It even goes down to contact forms and Newsletter Signup boxes.

The guys at RS!Joomla are on to it now with RS!Forms and their other extensions. We are outside the EU but have members and contacts in the EU that we hold data on and it affects us too I think. The fines are huge for anyone not conforming.

So glad to see that Tuan has said he will look at it in February already but didn't want to hope all would be well. This could see clients of OS Solution who store data on any EU Citizens scrambling for other extensions if this is not introduced with time to test things.

Thanks as always for your great development

Chris
Last edit: 6 years 2 months ago by Chris Jarvis.
The following user(s) said Thank You: József Gonda

6 years 2 months ago #109149 by Donal
Hi Chris,

I got a freelancer to implement the GDPR compliant (in terms of consent anyway) solution which I outlined above. I did this as otherwise all of the email addresses which I collected before OS Solution had implemented their GDPR compliant solution would have to be binned post May 25th. The plugin which I got developed works great, and allows me to define consent radio buttons which are tied to specific mailing lists in AcyMailing.
The following user(s) said Thank You: Chris Jarvis, sebba, József Gonda

6 years 2 months ago #109161 by Tuan Pham Ngoc
Replied by Tuan Pham Ngoc on topic GDPR - New European Privacy and Consent Rules!
Hi Donal

I still don't have time to look at this. If it is possible, could you please share the plugin you developed?

Regards,

Tuan

6 years 1 month ago #110699 by József Gonda
Replied by József Gonda on topic GDPR - New European Privacy and Consent Rules!
Hi,

The European Commission published guidelines to make the application of the GDPR easier.

Here is their page: ec.europa.eu/commission/priorities/justi...-protection-rules_en

6 years 1 month ago #110718 by sebba
Tuan, I think this has to be implemented ASAP. All EU sites will be affected.

IMHO this is a waste of resources and time, not really useful... but this is the law and we have to obey... :(

Thanks,
Seb

6 years 1 month ago #110719 by Tuan Pham Ngoc
Replied by Tuan Pham Ngoc on topic GDPR - New European Privacy and Consent Rules!
I still haven't had time to read that law yet. If anyone here understands it, please explain what we need to implement into Events Booking to have it compatible with this law, please? That would help save me some time.

Tuan

6 years 1 month ago #110787 by Donal
My original email in this thread outlines a few of the requirements. I have simply fulfilled the granular consent with regards to transactional/mailing/text lists with the plugin I paid to get developed.

There are other requirements, including but not limited to
1) Right for a customer to ask you for all info you have on them
2) Right for a customer to ask to be forgotten, i.e. easily able to delete all info you have on them.
3) Requirement to delete customer data once you no longer need it. I like to keep all of my registrant info for past events, so that I can run statistics on the data. This is frowned upon by GDPR, as I can't demonstrate any real reason to retain 3 year old data. A way out of having to delete old data is to hash the data, while keeping the key stored completely separately.

Tuan, you really shouldn't underestimate the importance of this legislation. From the end of May, any company that deals with Europeans' data will need to be fully, 100% compliant or face huge consequences.

Regards,
Donal
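
The keyed hashing mentioned in point 3 above, as an added example that is not code from this thread or from Event Booking: the email address is replaced with an HMAC-SHA256 value and direct identifiers are dropped, so repeat-attendance statistics still work on old registrations. An unkeyed hash of an email address can be matched by hashing candidate addresses, which is why the key matters; all function names, field names and sample records here are constructed.

```python
import hashlib
import hmac

# Direct identifiers removed outright; field names are constructed.
DROP_FIELDS = {"first_name", "last_name", "phone", "address"}


def pseudonym(email: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256) of a normalised email address."""
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def pseudonymise(record: dict, key: bytes) -> dict:
    """Replace the email with a keyed pseudonym and drop direct identifiers."""
    out = {k: v for k, v in record.items()
           if k not in DROP_FIELDS and k != "email"}
    out["registrant_id"] = pseudonym(record["email"], key)
    return out


def repeat_attendees(records: list, key: bytes) -> int:
    """Count registrants who appear at more than one event."""
    events_by_id = {}
    for rec in records:
        p = pseudonymise(rec, key)
        events_by_id.setdefault(p["registrant_id"], set()).add(p["event"])
    return sum(1 for events in events_by_id.values() if len(events) > 1)


# Constructed sample data. Assumption: the real key is loaded from a secret
# store kept apart from the database, never hard-coded like this one.
SAMPLE_KEY = bytes.fromhex("00" * 32)
SAMPLE = [
    {"email": "Ann@example.org", "first_name": "Ann",
     "event": "2015 Gala", "tickets": 2},
    {"email": "ann@example.org ", "first_name": "Ann",
     "event": "2016 Gala", "tickets": 1},
    {"email": "bob@example.org", "first_name": "Bob",
     "event": "2016 Gala", "tickets": 4},
]
```

While the key exists, the output is pseudonymised rather than anonymised, and GDPR still treats it as personal data (Article 4(5), Recital 26).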

6 years 1 month ago #110788 by Tuan Pham Ngoc
Replied by Tuan Pham Ngoc on topic GDPR - New European Privacy and Consent Rules!
Hi Donal

Any chance of sharing the plugin? Or show us how it works on your site so that we can understand about that requirement better?

I still have to finish a few other things first (including updating documentation of the extension), but yes, I will look at it soon

Tuan
