
Data Privacy & GDPR

Find out how Priava can help you to comply

The European Union enforced new data privacy regulations on 25th May 2018. These regulations, known as GDPR (General Data Protection Regulation), impact any organisations that have data for persons who reside within the EU.

With this in mind, it is essential that you assess your existing processes to make sure that you are compliant with the regulations and avoid penalties. If you are worried about how to do this, we’ve developed, as part of our cloud-based venue & event management solution, a feature that automates the whole process for you.

DISCLAIMER: Priava is not an authority on GDPR or data privacy laws. We cannot offer legal advice, nor should you rely solely on the information provided on this website to determine your company’s complete compliance strategy. Instead, this site provides background information to help you better understand how our cloud-based venue and event management solution has addressed some important legal points and can help you to comply.

Data Privacy

What is it, and how can it help you comply with GDPR?

Priava is committed to providing innovative solutions that follow best practice standards and that, in terms of data, follow the Privacy By Design methodology. Our Data Privacy feature is part of the Core Software & CRM module. It enables your organisation to nominate a Data Protection Officer who will be able to determine how contacts are stored and managed in your database based on predefined Automations. Key parts of the functionality include:

Consent

Users can record and monitor the fact that they have gained ‘consent to retain personal data’ for contacts that you have saved in Priava.

Automation

Your nominated Data Protection Officer can configure Automations that take action on the contacts stored in your database. Automations are made up of "Conditions" and "Actions", which can be used to email contacts and either pseudonymise, anonymise or delete their details.

Compliance Reports

Your nominated Data Protection Officer can run a report showing all of the Automations configured within Data Privacy and statistics surrounding the personal data that your organisation has stored within Priava.

GDPR

What are the key factors to ensure compliance, and how has Priava addressed these?

Below we have highlighted all of the most important points that you need to consider to ensure you can comply with GDPR and how we have addressed them by developing the Data Privacy feature:

Principle | Description | Can you comply with this using Priava? | How does the Data Privacy feature improve this?
--- | --- | --- | ---
Lawfulness | Data should only be processed when there is a lawful basis for such processing (e.g. consent, contract, legal obligation). | Yes, you can. You decide when you capture or process personal data and why. | Using Data Privacy, you can configure "Automations" that will notify Data Subjects via email when you have collected their data or have stored it for a set period. This approach will ensure Data Subjects can raise any issues, and your Data Protection Officer can rectify these issues as required.
Fairness | The organisation processing the data should provide Data Subjects with sufficient information about the processing and the means to exercise their rights. | Yes, you can. This information should be addressed in your terms and conditions, which can be added to any report template using the text option in the report filter. | Using Data Privacy, you can customise email templates that will be sent to Data Subjects based on predefined rules (i.e. you can send an email when a Data Subject’s details have been added to or edited within your system). These emails are stored in the contact record.
Transparency | The information provided to Data Subjects should be in a concise and easy to understand format (i.e. the purpose of consent should not be buried in a lengthy document of terms and conditions). | Yes, you can. You control the format and content of your terms and conditions, along with any communication to your customers. | Using Data Privacy, you can define rules to remind those that have given you consent in the past and/or advise those that haven't why you have their data in your system and what they can do to provide consent for you to retain the information or to have it removed.
Purpose Limitation | Personal data may be collected only for a specific, explicit, and legitimate purpose and should not be further processed. | Yes, you can. You decide when you collect personal data and why. | Using Data Privacy, you can configure "Automations" that will notify Data Subjects via email when you have collected their data. This approach will ensure Data Subjects can raise any issues, and your Data Protection Officer can rectify these issues as required.
Data Minimisation | The processing of personal data should be adequate, relevant and limited to what is necessary for the purposes for which the data is being used. | Yes, you can. You decide when you process personal data and why. | Using Data Privacy, you can configure "Automations" that will automatically pseudonymise, anonymise or delete a contact record based on predefined conditions. This approach will ensure that all personal data stored in your system is maintained in line with the purpose of its collection and cannot be further processed.
Accuracy | Data should be accurate and kept up to date. | Yes, you can. | Using Data Privacy, you can automatically notify Data Subjects when you have stored their information. This approach will help you to increase your ability to maintain accurate data and comply with GDPR.
Storage Limitation | Data should not be held in a format that permits personal identification any longer than necessary. | Yes, you can. Administrators can delete a contact record when necessary. | Using Data Privacy, you can configure "Automations" that will automatically pseudonymise, anonymise or delete a contact record based on predefined "Conditions".
Security | Data should be processed in a manner that ensures security and protection against unlawful processing, accidental loss, damage, and destruction. | Yes, you can. Priava uses Amazon Web Services (AWS), which has been built to meet the requirements of the most security-sensitive organisations. Your data is encrypted both at rest and in transit, and AWS is compliant with ISO27001, ISO27002 and ISO27018. | The entire Priava application, including Data Privacy, has been built to ensure your data is safe and secure at all times.
Accountability | The Data Controller is responsible for demonstrating compliance. | Yes, you can. Your process and methodology should be documented to demonstrate what you have implemented in Priava and other applications that you use across your organisation. | Using Data Privacy, your nominated Data Protection Officer can produce a report showing all of the active "Automations" (including "Conditions" and "Actions") within your system and statistics surrounding the personal data that your organisation has stored within Priava.

A 'Data Subject' [Identified or Identifiable Natural Person] has the following rights:

Data Subjects have the right… | Can you comply with this using Priava? | How does the Data Privacy feature improve this?
--- | --- | ---
to be informed | Yes, you can. This can be manually created communication sent outside of Priava, or sent from within Priava and thereby stored against the contact record. | Using Data Privacy, you can customise email templates that will be sent based on predefined rules to inform Data Subjects that you have stored their personal details. These emails will be stored under "Communication" in the contact record.
of access | Yes, you can. When a Data Subject requests confirmation about whether or not their personal data is being processed, you can email a report to show the data you have stored and why. These emails will be stored under "Communication" in the contact record. |
to rectification | Yes, you can. A contact record can be edited by a Priava User. | As Data Privacy enables automated information flow to the Data Subject, it increases the potential for data accuracy.
to erasure (the right to be 'forgotten' if the data held on them is no longer needed, if they withdraw consent or object to its use, or for legal reasons) | Yes, you can. Administrators can delete a contact record when necessary. | Using Data Privacy, you can configure "Automations" that will automatically pseudonymise, anonymise or delete a contact record based on predefined "Conditions".
to restrict processing (if contacts object to their data being collected, they can object to it being held) | Yes, you can. Administrators can delete contact records when necessary. Alternatively, if you have a legal obligation to retain personal information, you can make the contact record inactive (see the note below). | Using Data Privacy, you can configure "Automations" that will automatically pseudonymise, anonymise or delete a contact record based on predefined "Conditions".
to data portability (contacts can access their personal data for their own use) | Yes, you can. A CSV file containing all of the Data Subject’s information can be emailed to them directly from the contact record, thereby recording when and how you provided the information. |
to object | Yes, you can. Administrators can delete contact records when necessary. | Using Data Privacy, you can configure "Automations" that will automatically pseudonymise, anonymise or delete a contact record based on predefined "Conditions". This approach minimises the risk of retaining personal data beyond need and reduces any instances of objection.
not to be subjected to automated decision-making, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her | Yes, you can. |

Note on restricting processing: if you have a legal obligation to retain personal information for a specific Data Subject, you can choose to pseudonymise the contact record rather than inactivating it. This approach will ensure that the personal data for the Data Subject is not available to Priava users. However, your nominated Data Protection Officer can reverse the pseudonymisation if/when required.
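As an added illustration (not Priava's code) of the Automation model described above, where a "Condition" selects contacts and an "Action" pseudonymises, anonymises or deletes them, and of why pseudonymisation is reversible only by the Data Protection Officer, here is a small Python model run over constructed contact records. The contact field names, the 180-day "stale" rule and the DPOVault class are all assumptions.

```python
# Added example, not Priava's code: a small model of the page's Automations
# ("Conditions" + "Actions"); field names, the 180-day rule and DPOVault are assumptions.
from datetime import date, timedelta
import secrets
PERSONAL = ("name", "email", "phone")  # assumed identifying fields

class DPOVault:
    """Token -> original values, held only by the Data Protection Officer, who alone can reverse."""
    def __init__(self):
        self._store = {}
    def pseudonymise(self, c):
        token = secrets.token_hex(8)
        self._store[token] = {f: c[f] for f in PERSONAL}
        c.update({f: "pseudo:" + token for f in PERSONAL}, status="pseudonymised")
    def reverse(self, c):
        c.update(self._store.pop(c["name"].removeprefix("pseudo:")), status="active")

def anonymise(c):  # irreversible: identifying fields blanked, nothing retained
    c.update({f: "" for f in PERSONAL}, status="anonymised")
def stale(c, today, days=180):  # assumed Condition: no contact for 180 days
    return today - c["last_contacted"] > timedelta(days=days)

# Constructed Automations, in order (first match wins): legal hold -> pseudonymise,
# unconsented and stale -> delete, consented and stale -> anonymise (statistics only).
AUTOMATIONS = [
    (lambda c, t: not c["consent"] and c["legal_hold"], "pseudonymise"),
    (lambda c, t: not c["consent"] and stale(c, t), "delete"),
    (lambda c, t: c["consent"] and stale(c, t), "anonymise"),
]

def run_automations(contacts, automations, today, vault):
    """Apply the first matching Automation to each active contact; drop deleted ones."""
    for c in contacts:
        for cond, action in automations:
            if c["status"] == "active" and cond(c, today):
                if action == "pseudonymise": vault.pseudonymise(c)
                elif action == "anonymise": anonymise(c)
                else: c["status"] = "deleted"
                break
    return [c for c in contacts if c["status"] != "deleted"]

def demo(today=date(2018, 5, 25)):  # constructed records run on the GDPR start date
    rows = [("Ann", "ann@example.com", "1", False, True, date(2018, 1, 1)),
            ("Bob", "bob@example.com", "2", False, False, date(2017, 6, 1)),
            ("Cat", "cat@example.com", "3", True, False, date(2017, 6, 1)),
            ("Dee", "dee@example.com", "4", True, False, date(2018, 5, 1))]
    keys = ("name", "email", "phone", "consent", "legal_hold", "last_contacted")
    vault = DPOVault()
    kept = run_automations([dict(zip(keys, r), status="active") for r in rows],
                           AUTOMATIONS, today, vault)
    return vault, kept  # Ann pseudonymised, Bob deleted, Cat anonymised, Dee active
```

The point of the separate vault is the one the note above makes: ordinary users only ever see the token, while the officer who holds the mapping can restore the record when a legal obligation requires it.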

Frequently Asked Questions

We’ve taken the opportunity to answer some of the questions that we get asked most frequently.

Q. Can Priava supply an Individual Data Processor Agreement (DPA)?

A. Priava cannot enter into unique DPAs with each customer.

Q. Where can I find out more information about GDPR?

A. Visit the GDPR website for more information on GDPR and how it will impact your business and data.

Q. By using the Data Privacy feature, will my organisation be fully compliant with GDPR?

A. By using the Data Privacy feature to manage the information you have stored within Priava’s CRM, your organisation can comply with the intent behind GDPR. That said, every organisation should undertake its own GDPR assessment, and adopting the Data Privacy feature should only represent a part of your overall response to the introduction of GDPR.

Q. What if my business is not in a country that is part of the European Union?

A. Following the lead of the European Union (EU), many countries around the world are working towards imposing regulations on data privacy, and we encourage Priava users to utilise the Data Privacy feature so that they are ready in advance. Furthermore, even if the country in which your business operates isn’t part of the EU, GDPR will impact any company that has data for persons who reside within the EU. If you have an international customer base, then it is highly recommended that you adhere to the GDPR to avoid penalty.