GDPR and Data Privacy Compliance
Parts of this section are based on an article, A Developer’s Guide to GDPR that won’t make you sweat by Mags Allen .
The General Data Protection Regulation (GDPR) is a set of rules that came into effect on May 25th, 2018.
It regulates the use of data by organisations. It applies to any organisation that stores or processes any data relating to individuals inside the European Union (EU).
Since we have events in Europe, it is important for Django Girls Foundation and organizers across the globe to comply with GDPR as it has legal implications. All organizers should therefore comply with GDPR as it protects users' data, irrespective of their location.
This guide therefore applies to all organizers as they deal with the sensitive data of fellow organizers, attendees and sometimes, sponsors from the EU region. Every event organizer should ensure their event is GDPR compliant to avoid chances of being sued by either applicants or sponsors.
Storage of Data
Protect the data you store and only keep what you need.
When you customise the application, ensure that you only ask for data that you need to run your event successfully. This data should be protected and not shared with people who do not participate in ensuring the successful delivery of the workshop. Be sure to inform the applicants that you will share their phone numbers and/or email addresses with their coaches.
Coaches should not be given email addresses or phone numbers of attendees who are not in their group as they do not need to contact them before or after the workshop. Also inform your coaches and organizers need to be informed that they should protect personal data of attendees and other coaches/organizers and not share it amongst themselves without the consent of the person(s).
Subject Access Requests
Make it easy to retrieve, delete and anonymise data when you need to.
Certain organisers, coaches or attendees may not want to be photographed or have their photos published. You should make sure you get consent from all attendees to photograph them and publish their photos before you do. Consent for photos is difficult to manage through an application form and is best done by using either name tags or lanyards of different colours for "OK with photo" and "NOT OK with photo" attendees. The photographer has to make all efforts to avoid all the "NOT OK with photo" attendees and should they be visible in a photo you want to publish, you should have their faces blurred so that they cannot be recognised.
Get fair consent before you communicate with users and maintain a preferences management. Get consent for photos before publishing them.
You also need to ensure that you get consent from the applicants via the application form to send them any mass email communication before, during and after the event. This consent should also cover their consent to be invited to other meet-ups should you also want to suggest meet-ups they can get involved with after the event.
They should also be able to opt out of these communications anytime they wish to, therefore you should provide a link to unsubscribe from the mass emails anytime a user wishes to do so. MailChimp already provides this, so if you are using MailChimp for your mass emails, you have this covered already.
Users must be able to opt out of profiling.
Normally, there is no need for profiling attendees for Django Girls events in general. However, should you decide to profile your attendees, you should get consent from them and they should be able to opt-out of profiling anytime they decide they are no longer interested. You should also make it clear during the application process that you may profile them and ask for their consent in the application form.