Last updated: May 8, 2018
On May 25, 2018, the European Union's (EU) General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679) comes into effect. The GDPR protects European Union data subjects' fundamental right to privacy and the protection of personal data. It introduces robust requirements that will raise and harmonize standards for data protection, security, and compliance.
Pursuant to Article 28 of the GDPR, Boomset has certain obligations as a Data Processor engaged by our customers to process their event attendee data, some of which may contain personal data protected by the various provisions of GDPR. Boomset has been working with its customers to answer their questions about how we plan to be in compliance after the GDPR becomes enforceable.
Rest assured that we are working diligently in the background on our compliance efforts to make sure we are ready. In fact, we are excited about the GDPR and its efforts to achieve the following:
In short, Boomset will be compliant with GDPR when it comes into force on May 25, 2018.
What is the GDPR?
The General Data Protection Regulation (GDPR) is a new European privacy law that is in effect and due to become enforceable on May 25, 2018. The GDPR will replace the EU Data Protection Directive, also known as Directive 95/46/EC, and is intended to harmonize data protection laws throughout the European Union (EU) by applying a single data protection law that is binding throughout each member state.
Who does the GDPR apply to?
The GDPR applies to all organizations established in the EU and to organizations, whether or not established in the EU, that process the personal data of EU data subjects in connection with either the offering of goods or services to data subjects in the EU or the monitoring of behavior that takes place within the EU. Personal data is any information relating to an identified or identifiable natural person.
What has Boomset been doing in preparation for the GDPR?
Boomset currently does not independently maintain, host or transmit customer data. Such data resides with Amazon Web Services (“AWS”) secure cloud services platform. All AWS Services are GDPR ready. AWS continually maintains a high bar for security and compliance across all of their global operations. Their industry-leading security provides the foundation for their long list of internationally recognized certifications and accreditations, demonstrating compliance with rigorous international standards, such as ISO 27017 for cloud security, ISO 27018 for cloud privacy, SOC 1, SOC 2 and SOC 3, PCI DSS Level 1 and others. AWS also helps customers meet local security standards such as BSI's Common Cloud Computing Controls Catalogue (C5), which is important in Germany. AWS also complies with the CISPE Data Protection Code of Conduct for Data Protection in the Cloud.
We are careful with any data we collect, whether it is protected by GDPR or otherwise. We only collect and keep what we have to and then only for as long as our customers need the data. Our cautious practices are reflected in our commitments to the privacy and security of the data that you entrust to us. We believe that GDPR is a great step in the right direction and we are happy to do what it takes for us to be compliant and to help you comply as well.
We already have tools that let you control your event attendee data so you can comply with GDPR and our Customer Success team is always available to help you as well. Here are some of the things we have in place and are currently working on:
Tools for responding to ‘erase or export’ requests
GDPR wants you to give people the ‘right to be forgotten’. Erase their personal data if they ask, but only if it doesn’t compromise freedom of expression or the ability to research. Boomset does not use our client’s attendee information in any way other than to allow the event organizer to check in the attendee to their event using our software platform. We never share attendee information with any third party and Boomset allows for the deletion of attendee data by customers on demand, using the Boomset Management Console.
You can always delete any guest list information from the Boomset platform and when it is gone, it is gone – we don’t keep a copy after you delete it.
Review of our data security practices
We are also in the process of conducting a full review of our data security practices before GDPR goes into effect. This includes a review of all our vendors that process personal data, but, there are not many because we keep it simple and safe.
Whom should I contact if I have questions regarding GDPR and Boomset?
We recommend that customers with questions regarding data protection or Boomset and GDPR contact their Boomset Customer Success Manager. Alternatively, you can send an email to firstname.lastname@example.org