July 02, 2018
Ready for GDPR? Here's How CTI Can Help

The European Union’s General Data Protection Regulation (GDPR), which went into effect in May, provides EU residents with new rights and protections regarding their personal data. While the regulation has the force of law over EU organizations, it also asserts jurisdiction over all organizations anywhere in the world that process the personal data of EU citizens, and the penalties for violating the regulation are steep: up to 4% of annual global turnover or £20 Million (whichever is greater).

With an office in Vienna and a significant presence in Europe, CTI Meeting Technology has been making changes over the past twelve months to prepare for the full implementation of GDPR. In addition to increased security levels for our hosting environments, we have new protocols and training in place with our staff to further protect all personal data managed by our products.

GDPR is not likely to be the last attempt by governments to guarantee the safety of personal information. At CTI Meeting Technology, we have long believed in the importance of such security and have approached GDPR as an opportunity to harden our products and services that much more. In line with that, we’ve created this fact sheet to help you understand this new regulation and what we’ve done to prepare.

The Three Stated Goals of GDPR (Article 1)

  • This Regulation lays down rules relating to the protection of natural persons with regard to the processing of personal data and rules relating to the free movement of personal data.
  • This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.
  • The free movement of personal data within the Union shall be neither restricted nor prohibited for reasons connected with the protection of natural persons with regard to the processing of personal data.

Important terms and parties as defined by GDPR

  • Consent. The affirmation by individuals permitting data processing of personal information. It must be made with a definitive action, like checking a box, and can be withdrawn as easily. A pre-checked box or other indications of Consent by default are not permissible.
  • Data Controller. The entity that determines the purpose and means for the data processing (e.g. an association).
  • Data Processor. The entity which processes Personal Data on behalf of the Data Controller (e.g. CTI Meeting Technology).
  • Data Subject. The individual who has personal data that’s processed.
  • Legitimate Interest. A “strictly necessary” reason why the Data Controller must process Personal Data without the Data Subject’s consent. Maintaining a membership organization can be one such reason, but the association must still complete a Legitimate Interest Assessment (LIA) and notify members that it is asserting its Legitimate Interest as permitted by GDPR (see more about the LIA below).
  • Personal Data. Any data that can be used to identify a Data Subject.
  • Personal Data Breach. The accidental or unlawful destruction, loss, alteration or unauthorized disclosure, access, or transmittal of Personal Data.
  • Supervisory Authority. The individual or groups of individuals in each member nation who will resolve disputes regarding the GDPR. Mechanisms are in place to ensure consistent rulings.

The “Lawful Basis” for processing of Personal Data by Data Controllers (e.g. Associations)

  • To provide services with the explicit consent of the Data Subject;
  • To fulfill a contract with the Data Subject;
  • To comply with a legal obligation;
  • To protect the vital interests of the Data Subject;
  • To carry out tasks in the public interest as vested in the Data Controller (e.g. by governmental bodies);
  • To pursue legitimate interests of the Data Controller.

Data Controllers must be transparent as to the Lawful Basis they are using to process the data, since the requirements for each basis may differ. However, our reading of the regulation is that they may choose a different basis for different processing activities. For example, some associations are being advised to require Consent before they process data related to fees charged for access to enduring content on the web or in publications. For other data processing related to membership services and abstract submission, they are being advised to choose Legitimate Interest as a Lawful Basis. In any case, decisions on the Lawful Basis for Data Processing and Data Subject Rights should be made with the advice of legal counsel.

Legitimate Interest Assessment (LIA)

Data Controllers asserting Legitimate Interest must keep a written LIA that they can share with Data Subjects and Supervisory Authorities. This document must show that the Data Controller has considered the “necessity” to process personal data and weighed that against the individual rights of Data Subjects. The LIA must accomplish the following three objectives:

  • Identify a Legitimate Interest—For an association, for example, it might be claimed that a legitimate interest is deriving income from services provided to members;
  • Carry out a Necessity Test—For an association, this test could show that processing personal data is a necessity because it must keep a list of its members;
  • Carry out a Balancing Test—There should be three components to this test:

    • Balance competing interests. For an association, the competing interest could be the critical need to maintain a list vs. a member’s desire for complete confidentiality.
    • Consider the impact of processing. In the case of an association, this test could address the impact of processing on the member. The association could claim that the impact on a member would be mitigated by the fact that processing has been done in the past and would not be unexpected.
    • Consider the safeguards in place for protecting the personal data. This would address the security systems put in place by the Data Controller’s Data Processor (i.e. CTI) in accordance with the Data Subject’s rights and the requirements of GDPR for enhanced data security (see below).

Data Subject’s Rights under GDPR

  • Notification of Personal Data Breach by the Data Controller within seventy-two (72) hours of the incident to the Supervisory Authority and affected Data Subjects;
  • Right to Inspect. Data Subjects have the right to confirm with the Data Controller that their Personal Data is being processed, learn for what purpose it’s being processed and obtain a copy of the data for their inspection;
  • Right to Correct. If upon inspecting the data, the Data Subjects see something in error, they can have the faulty information corrected;
  • Right to Forget. Also, upon inspection, Data Subjects may request “to be forgotten” by having their Personal Data deleted for the following reasons:
    • They decide to withdraw their consent;
    • Their Personal Data has been unlawfully processed;
    • The Personal Data involves a child;
    • Their Personal Data is no longer necessary for the purposes for which it was collected;
  • Right to Object. This right does not apply to Data Subjects who have offered consent but does apply to those whose data is processed because of the Data Controller’s Legitimate Interest. While the Data Subject may be removed from a list, the Data Subject may not ask to keep the benefits of those who remain on the list.

When the Right to be Forgotten does not apply

  • When it conflicts with the right to freedom of expression or information (as with news gathering);
  • When the Personal Data has been collected in compliance with legal obligations;
  • When there is a greater public interest in maintaining the data;
  • When archiving is necessary for the public interest, science, history, or statistics;
  • When it is necessary to use the data to establish or defend against legal claims;
  • When the Data Controller has a legitimate interest in the Personal Data.

Obligations of the Data Processor (i.e. CTI Meeting Technology)

  • Processes Personal Data only with the documented instructions of the Data Controller;
  • Divulges where Personal Data is held;
  • Ensures that staff who access Personal Data are committed to confidentiality;
  • Takes all measures to process Personal Data securely;
  • Does not use sub-processors unless they are specified in the contract with the Data Controller;
  • Assists in responding to Data Subjects’ requests about Personal Data;
  • Deletes or returns Personal Data after it ceases providing services for the Data Controller;
  • Shares all information with the Data Controller to show that it complies with the GDPR.

Measures CTI Meeting Technology has taken to comply with GDPR

  • Physical Security.
    • CTI Meeting Technology’s content products are all cloud-based, using Amazon’s AWS service. CTI operates more than 100 servers within AWS facilities inside and outside of Europe. Amazon is one of the few hosting providers certified under the EU-U.S. Privacy Shield Framework to allow processing and storage of EU citizen data outside of the EEC.
    • All servers are configured in Virtual Private Clouds (VPCs), which in turn allow the creation of public and private subnets to control system access;
    • Private subnets isolate the client’s systems from all other systems;
    • All public inbound traffic is prohibited;
    • Periodic vulnerability testing is also performed.
  • Data Security.
    • Access is controlled with Multi-Factor Authentication, Virtual Private Network software and security groups.
    • Staff have been trained and are expected to follow procedures to encrypt any personal data sent via attachments or email.
    • New procedures support the Right to Inspect, Right to Correct and Right to Forget so that clients can comply with GDPR-related requests from Data Subjects. Should your association receive a request from an EU citizen related to his or her personal data, CTI Meeting Technology’s products provide the capability to allow you to conform with the GDPR.
    • An updated Service Level Agreement (SLA) provides clients notice of a Breach within seventy-two (72) hours of any Security Incident related to Personal Data.
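The two network controls listed under Physical Security (private subnets that isolate client systems, and no public inbound traffic) are claims an auditor can verify from the AWS API rather than take on trust. The script below is an added example, not CTI Meeting Technology's code: it classifies subnets as public or private from their route tables (a subnet is public only if its route table points at an Internet gateway) and lists every security-group ingress rule that admits the whole Internet. The record shapes mirror the output of `aws ec2 describe-route-tables` and `aws ec2 describe-security-groups`, but the records themselves, and IDs such as `subnet-app1` and `igw-example`, are constructed sample data, so it runs offline with no AWS credentials.

```python
"""Verify private-subnet isolation and the absence of public inbound rules
from AWS API-shaped records.

Added example, not CTI Meeting Technology's code. The sample route tables
and security groups below are constructed for illustration; feed the
script the real output of `describe-route-tables` and
`describe-security-groups` to audit an actual VPC.
"""
import ipaddress

# --- constructed sample data (not real infrastructure) ---------------------
SAMPLE_ROUTE_TABLES = [
    {   # public subnet: default route points at an Internet gateway
        "RouteTableId": "rtb-public",
        "Associations": [{"SubnetId": "subnet-edge1"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "GatewayId": "igw-example"},
        ],
    },
    {   # private subnets: egress only via a NAT gateway, no igw route
        "RouteTableId": "rtb-private",
        "Associations": [{"SubnetId": "subnet-app1"}, {"SubnetId": "subnet-db1"}],
        "Routes": [
            {"DestinationCidrBlock": "10.0.0.0/16", "GatewayId": "local"},
            {"DestinationCidrBlock": "0.0.0.0/0", "NatGatewayId": "nat-example"},
        ],
    },
]

SAMPLE_SECURITY_GROUPS = [
    {   # compliant: SSH only from the VPN concentrator's subnet
        "GroupId": "sg-app", "GroupName": "app-servers",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 22, "ToPort": 22,
             "IpRanges": [{"CidrIp": "10.0.250.0/24"}], "Ipv6Ranges": []},
        ],
    },
    {   # non-compliant: RDP open to the world, and all traffic over IPv6
        "GroupId": "sg-legacy", "GroupName": "legacy-admin",
        "IpPermissions": [
            {"IpProtocol": "tcp", "FromPort": 3389, "ToPort": 3389,
             "IpRanges": [{"CidrIp": "0.0.0.0/0"}], "Ipv6Ranges": []},
            {"IpProtocol": "-1", "IpRanges": [],
             "Ipv6Ranges": [{"CidrIpv6": "::/0"}]},
        ],
    },
]


def classify_subnets(route_tables):
    """Map each associated subnet to 'public' or 'private'.

    A subnet is public when its route table has any route whose target is
    an Internet gateway (GatewayId starting with 'igw-'); everything else,
    including NAT-only egress, counts as private. Main-table associations
    without a SubnetId are skipped.
    """
    classes = {}
    for rtb in route_tables:
        has_igw = any(str(r.get("GatewayId", "")).startswith("igw-")
                      for r in rtb.get("Routes", []))
        for assoc in rtb.get("Associations", []):
            if "SubnetId" in assoc:
                classes[assoc["SubnetId"]] = "public" if has_igw else "private"
    return classes


def is_world_open(cidr):
    """True for a CIDR that matches every address (0.0.0.0/0 or ::/0)."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0


def describe_ports(perm):
    """Human-readable port range for one IpPermissions entry."""
    proto = perm.get("IpProtocol", "-1")
    if proto == "-1":
        return "all traffic"
    lo, hi = perm.get("FromPort"), perm.get("ToPort")
    return f"{proto}/{lo}" if lo == hi else f"{proto}/{lo}-{hi}"


def public_ingress_findings(security_groups):
    """Return one finding per ingress rule that admits the whole Internet."""
    findings = []
    for sg in security_groups:
        for perm in sg.get("IpPermissions", []):
            sources = [r["CidrIp"] for r in perm.get("IpRanges", [])]
            sources += [r["CidrIpv6"] for r in perm.get("Ipv6Ranges", [])]
            for cidr in sources:
                if is_world_open(cidr):
                    findings.append({"GroupId": sg["GroupId"],
                                     "Ports": describe_ports(perm),
                                     "Source": cidr})
    return findings


if __name__ == "__main__":
    for subnet, cls in classify_subnets(SAMPLE_ROUTE_TABLES).items():
        print(f"{subnet}: {cls}")
    for f in public_ingress_findings(SAMPLE_SECURITY_GROUPS):
        print(f"PUBLIC INGRESS {f['GroupId']} {f['Ports']} from {f['Source']}")
```

On the sample data the script reports `subnet-edge1` as public and `subnet-app1`/`subnet-db1` as private, and flags both rules in `sg-legacy`. Run against real API output, an empty findings list is the evidence behind the statement that all public inbound traffic is prohibited; any finding is a rule to remove or scope down to the VPN address range.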

Please direct any further questions about GDPR and CTI to David Johnson (d.johnson@ctimeetingtechnology.com).