If you have European attendees at your event, you are subject to a new European Union law, the General Data Protection Regulation (GDPR). This law protects the privacy of Europeans and enforces responsible stewardship of EU residents’ data. Like many other companies, Whova is preparing for the GDPR when it comes into effect in May 2018.
We assure you that we are taking the GDPR requirements very seriously and are working to ensure that our customers will be fully GDPR compliant. We believe that our current company practices are very respectful of our users’ privacy and applicable privacy laws, but we are treating our GDPR preparation as another opportunity to ensure that we do even better.
Whova’s GDPR readiness status and plans
- Consent – Active consent must be given by European attendees in order to store their data. European attendees must explicitly agree to storage of their data as opposed to submitting a form where a “yes” agreement is pre-selected.
For GDPR compliance, Whova’s product team is adding an active consent form in the app to get app users’ approval for Whova’s use of their sign-up information (e.g., email address, name). Whova mainly uses the information to authenticate their identity by comparing it with the registrant list you upload to the Whova dashboard. In that way, we can protect your event information on the app (e.g., session discussion, attendee comments, photos, etc.) from strangers. Regarding the registrant list you upload to Whova for the app, if you use a third-party registration system, you will need to check the vendor’s GDPR compliance when you collect the registrant information with their service. If you use both Whova registration and the app, you don’t need to worry. We will provide an active consent form on the registration webpage.
- Data Editing and Deletion – Whova already has the ability to allow attendees to edit or delete their personal data. If your attendees want to edit their profiles shown on the app (e.g., affiliation, headshot), they can do so by themselves through the app. They can also decide whether to go invisible to others or remain visible for networking by changing their profile visibility setting. If they want to remove personal data completely from the Whova system, they can directly contact us. We can find, isolate, and purge attendee data from the system if needed. If your attendee asks you to remove their personal data, you can simply forward the request to us (firstname.lastname@example.org) and our support team may reach out to the user directly to confirm the request.
- Security – Whova already uses state-of-the-art, high-security cloud systems hosted by Amazon Web Services (AWS), the strongest industry-standard cryptographic protocol, SSL, and the most secure payment processor that complies with PCI DSS. We will continue to ensure that our security practices are always first class with cutting-edge technology. Please find the details here.
- Breach Notification – If attendees’ personal data for which we act as a data processor is accessed in an unauthorized manner, we will notify you and the attendees within 72 hours of the incident.
- Vendors – We’re reviewing our vendors and sub-processors to make sure that each meets the new requirements of the GDPR. We will continue the evaluation.
We are confident of our ability to ensure that we can comply with GDPR by the deadline in May 2018. If you have any specific questions regarding the GDPR requirements and how this may impact your use of Whova, please feel free to let us know and our GDPR team will respond.