GDPR and Training: How to organize GDPR compliant online events
Take-aways from the workshop organised by the OpenAIRE Community of Practice of training coordinators
Blogpost by Rene van Horik, Ellen Leenarts (DANS) and Iryna Kuchma (EIFL)
The topic of the workshop concerns issues related to the processing of personal data in relation to a training event. GDPR requirements must be properly addressed and personal data must be protected. Obviously a training event cannot be organised without having information on the background of the participants to prepare the workshop or to organise follow-up activities. How to manage the personal data without violating the GDPR regulations?
After an introduction on the topic from Prodromos Tsiavos (Legal Adviser of Athena Research & Innovation Center and OpenAIRE) and Walter Scholger (Zentrum für Informationsmodellierung, Austrian Centre for Digital Humanities, Universität Graz), discussion continued in three groups with respectively focus on GDPR issues before, during and after a training event. Below a short description of the outcomes of the discussions is given.
Before the training event
Key GDPR related elements to keep in mind when setting up registration:
- Do not collect more information than you need at registration . For example, do you really need information about the gender of the participant? This information is now seen as sensitive, and is not always required to collect. A solution could be to leave this field optional.
- When stating how a participant that provides consent can exercise rights, do not provide generic email addresses such as info@... that tend to be not monitored well.
- Be transparent about why you collect what data and who you are going to share it with. Some additional examples:
- Sharing dietary information with catering companies does not have to be on the basis of names, it can be shared as the number of people that require vegan/vegetarian etc.
- Sharing data with companies that provide outsourced services, for example for paying the registration fee, needs to be explicitly stated
Registration of participants is obviously a prominent part of organising a training event. The details of the registration process should be communicated with the participants by means of a consent form.
The DARIAH ELDAH consent form wizard (CFW) is a tool that guides the user through a questionnaire that will consequently generate a GDPR-compliant form for obtaining consent from data subjects, tailored to specific purposes and the data categories the training organiser intend to collect.
During the session a demonstration of the CFW-tool was carried out. It seems the wizard covers all data protection aspects to think about when organising a training event. The template generated by the wizard is not saved in the tool. A point of attention is that if Google drive is used to store collected information it should be noted that the USA is currently not part of the EU GDPR space. (So the USA cannot be considered an adequate privacy "safe-guard"). The CFW is relevant both for pre-event and post-event purposes, because the consent form covers issues such as how long specific information will be kept and for what purposes.The interface of the CFW tool is currently translated in a number of languages and is available under CC-0 license (the source code is on Github).The participants of the group really welcomed the CFW-tool. The tool seemed to be a good basis for creating consent forms when organising events and processing personal data in different scenarios. When using the tool it should be taken into account that national laws may apply additionally e.g. a local COVID-19 law that requires registration when entering a building. The wizard does not mention these national laws.
During the training event
During your online training event, keep in mind the following:
- Participants should be be offered the possibility to enter a meeting with a pseudonym and/or without their video.
- Chat records do not have to be kept.
Collaborative writing tools
What are the alternatives to Google docs? Consider these alternatives:
After the training event
Evaluation/feedback forms
- Avoid collecting personal information - keep feedback forms anonymous and include any other questions/requests (e.g. permission to sign-up to the mailing list or send another questionnaire six months later, etc.) as a separate request/new page to have 2 separate databases.
- Consider the alternatives to Google feedback forms:
- GDPR compliant tools such as Typeform - free for up to ten questions
- or this Slovenian solution https://www.1ka.si/d/en;
- make sure to budget for these kinds of tools in your project proposals!
- Think about statistics you would need - e.g. stakeholders, countries, gender - keep the reports you've made, even if you didn't exactly need them at the time, but delete the underlying personal/sensitive data.
- Beware of keeping backups with actual names and email addresses!
- anonymize before backing up and storing
- ensure secure storage (encrypted if needed), etc.
- Create a structure with folders, events, for data controllers
- Make sure that signed participants lists are not included in the project deliverables. You might need to keep signed documents for financial audit of a project if this is required by a project!
Cover image credit:
Hands of woman pasting sticky notes on glass wall in office by Jacob Lund from Noun Project, CC BY
When you subscribe to the blog, we will send you an e-mail when there are new updates on the site so you wouldn't miss them.