Bulletin 4: GDPR and Working with Event Contractors and Vendors

IEEE Technical Activities Bulletin #4
Topic: GDPR and Working with Event Contractors and Vendors
Bulletin Type: Action
Audience: Conference Sponsors and Event Organizers

Version 4, 19 July 2018

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Who is responsible for GDPR compliance when organizing an event?
Responsibility for compliance goes through the entire event supply chain – from IEEE as the financial sponsor of the event all the way to the third-party vendors that store and process data. Event organizers are ultimately responsible, thus IEEE is because we are the legal entity. 
 

This is why it is critical to choose providers that meet GDPR compliance standards. IEEE must show that we are doing our best to protect the personal information of individuals and minimize risks. 

Does GDPR apply to event contractors and vendors? 
Yes. GDPR requirements clearly state that data controllers must show how they are complying with the new regulations. Part of that responsibility is to make sure that all vendors you are dealing with also are fulfilling their legal responsibilities on IEEE’s behalf.  
 
What questions should event organizers keep in mind when working with vendors?
GDPR is an important part of the vendor relationship. It is important to ask vendors how they plan to fulfill their GDPR obligations on behalf of IEEE, including: 
  • Where is the data hosted?  
  • What contractual and legal safeguards are in place to protect data? 
  • Who has access to the data?  
  • How is the data being used while being processed? 
  • How does the system delete personal data? 
  • How quickly can deletion of data be completed? 
  • What is the vendor’s policy regarding data retention? 
  • How does the system allow IEEE to obtain and store consent? 
 
Where can I find examples of language I should include in contracts with vendors?
IEEE has written contractual language to address GDPR and this language has been incorporated into all existing IEEE contract templates.  For existing contracts, IEEE has created an appropriate GDPR contract addendum and has begun conducting outreach to these suppliers requesting their acknowledgement of the new GDPR language. To learn more about the contractual language contact gdpr-mce@ieee.org 

How can I learn more?
 

Please share this information with additional volunteers, contractors, temporary employees, interns, and consultants as needed.

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

What’s Next? Bulletin #5 will focus on Complying with GDPR During the Event Registration Process.