Data Protection Policy

Exhibitor Appointed Contractor Association (EACA), revised November 1st, 2023

Note

This data protection policy is the blueprint for EACA, member organizations, and partners to safeguard sensitive information, comply with data privacy regulations, and maintain customer trust. It provides a framework that guides organizations in appropriately collecting, storing, processing, and sharing personal data.

Clearly defined data handling procedures help mitigate risk, strengthen security measures, and establish a data protection culture. This policy is not only necessary for legal compliance but also plays a significant role in maintaining a solid reputation and competitive edge in the market.

This document underscores the importance of data protection, ultimately benefiting the organization, its membership, and its stakeholders.

Definitions

  • Organization means Exhibitor Appointed Contractor Association (EACA), a company located at 2214 NW 5th St., Bend, OR 97703.
  • DPA means the Data Protection Act 2018, which implements the EU’s General Data Protection Regulation (GDPR).
  • Responsible Person means Jim Wurm ([email protected]), the person responsible for data protection within the Organization.
  • Registry of Systems means a registry of all systems or contexts in which personal data is processed by the Organization.

Data protection principles

EACA is committed to processing data in accordance with its responsibilities under the DPA. The DPA requires that personal data shall be:

  • Processed lawfully, fairly, and in a transparent manner concerning individuals;
  • Collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes, or statistical purposes shall not be considered to be incompatible with the initial purposes;
  • Adequate, relevant, and limited to what is necessary concerning the purposes for which they are processed;
  • Accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that inaccurate personal data, having regard to the purposes for which they are processed, are erased or rectified without delay;
  • Kept in a form that permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to the implementation of the appropriate technical and organizational measures required by the DPA to safeguard the rights and freedoms of individuals; and
  • Processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and accidental loss, destruction or damage, using appropriate technical or organizational measures.

General Provisions

  • This policy applies to all personal data processed by the Organization.
  • The Responsible Person shall take responsibility for the Organization’s ongoing compliance with this policy.
  • This policy shall be reviewed at least annually.

Lawful, fair, and transparent processing

  • To ensure its data processing is lawful, fair, and transparent, the Organization shall maintain a Registry of Systems.
  • The Registry of Systems shall be reviewed at least annually.
  • The Registry of Systems provides an inventory of the personal data collected and stored, with a summary of each data lifecycle, including how and why the data are collected and processed.
  • Individuals have the right to access their personal data, and any such requests made to the Organization shall be dealt with within the statutory time limit (one month under the GDPR, extendable in complex cases).

Lawful purposes

  • All processing of personal data by the Organization must rest on one of the following lawful bases: consent, contract, legal obligation, vital interests, public task, or legitimate interests.
  • The Organization shall record the applicable lawful basis for each processing activity in the Registry of Systems.
  • Where consent is relied upon as a lawful basis for processing data, evidence of opt-in consent (what the individual was told, and when and how they agreed) shall be kept with the personal data.
  • Where communications are sent to individuals based on their consent, the option for the individual to revoke their consent shall be available, and systems shall be in place to ensure such revocation is reflected promptly and accurately in the Organization’s systems.

Data minimisation

The Organization shall ensure that personal data are adequate, relevant, and limited to what is necessary concerning the purposes for which they are processed.

Accuracy

  • The Organization shall take reasonable steps to ensure personal data is accurate.
  • Where necessary for the purposes for which data is processed, steps shall be put in place to ensure that personal data is kept up to date.

Archiving / Removal

  • To ensure that personal data is kept for no longer than necessary, the Organization shall put in place an archiving policy for each area in which personal data is processed and review this process annually.
  • The archiving policy shall consider what data should or must be retained, for how long, and why.

System Security

  • The Organization shall ensure that personal data is stored securely using current, vendor-supported software that receives security updates.
  • Access to personal data shall be limited, on a need-to-know basis, to personnel who require it for their role, and appropriate controls (such as role-based access and access logging) shall be in place to prevent unauthorized information sharing.
  • When personal data is deleted, this shall be done in a manner that renders the data irrecoverable, including from any copies.
  • Appropriate backup and disaster recovery solutions shall be in place. Backups that contain personal data are subject to the same access controls and retention limits as the live data.

Breach

In the event of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data, the Organization shall promptly assess the risk to people’s rights and freedoms and, where required, report the breach to the relevant supervisory authority and notify affected individuals; where a crime is suspected, the breach shall also be reported to law enforcement. All breaches, including those not reported, shall be documented.

Data Breach Incident Response

A personal data breach is a security incident leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data. It is not limited to outsiders gaining access: a lost device, a misdirected email, or accidental deletion without a usable backup are breaches too. A breach can have significant consequences for both the organization and the individuals whose data has been compromised, so a clear, well-structured response plan is essential.

Detection and Identification

The first step in the case of a data breach is to detect and identify the incident. This can be achieved through various means, such as system monitoring, intrusion detection systems, or employee reports. Once a potential breach is detected, the incident should be immediately reported to the designated Responsible Person or the organization’s data protection officer.

Containment and Recovery

The next step is to contain the breach to prevent further data loss. This may involve actions such as isolating compromised systems from the network or revoking and rotating access credentials. Before rebuilding or restoring compromised systems, preserve the logs and disk images needed for the risk assessment and any subsequent investigation. Steps must then be taken to recover lost data and restore compromised systems, if possible, for example by restoring from backups and remediating the vulnerability that was exploited.

Risk Assessment

Once the breach is contained, an assessment should be conducted to understand the extent and impact of the breach. This includes identifying the data involved, the number of individuals affected, the potential consequences for them, whether the data has been lost, altered, or stolen, and whether it was protected in a way that makes it unusable to an attacker (for example, encrypted with keys that were not exposed).

Notification

Depending on the severity and nature of the breach, it may be necessary to notify affected individuals and relevant regulatory bodies. Under the GDPR, for example, the supervisory authority must be notified without undue delay and, where feasible, within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms; where the breach is likely to result in a high risk to individuals, they must also be informed without undue delay. The notification should include the nature of the breach, the categories and approximate number of individuals and records affected, the likely consequences, the measures taken or proposed to mitigate the breach’s impact, and a contact point for further information. If full details are not yet available, notify in phases rather than waiting.

Review and Update Security Measures

After handling the immediate concerns of a data breach, the organization should conduct a thorough review of the incident. This involves identifying how the breach occurred, evaluating the effectiveness of the response, and implementing measures to prevent similar breaches in the future. This could involve updating security protocols, improving employee training, or enhancing monitoring systems.

In conclusion, dealing with a data breach effectively requires a swift and coordinated response. A clear incident response plan, regular employee training, and robust technical and organizational security measures are key to minimizing the impact of a breach and preventing future incidents.

Employee Responsibilities and Training

Employee Responsibilities

Every employee has a role to play in maintaining data privacy and security. Employees must:

  • Comply with the data protection policy at all times.
  • Only access data that is necessary for their role.
  • Not disclose confidential information to unauthorized individuals.
  • Report any suspected data breaches or irregularities to the designated Responsible Person immediately.
  • Use secure networks and strong, unique passwords (with multi-factor authentication where it is available) to access organizational systems and data.

Training

In order to ensure that every employee understands their responsibilities and the importance of data protection, the organization will:

  • Provide regular training sessions that cover the organization’s data protection policy, relevant laws and regulations, and best practices for data security.
  • Regularly update training materials to reflect changes in laws, regulations, and internal policies.
  • Conduct training sessions when onboarding new employees and following any significant updates to the policy.
  • Test employee knowledge and understanding of data protection principles and practices from time to time.
  • Offer resources for employees to learn more about data protection and privacy, such as online courses, webinars, or reading materials.

By fostering a culture of awareness and responsibility, organizations can greatly reduce the risk of data breaches and ensure that all employees are actively participating in the protection of personal data.

Regular Policy Review

A data protection policy is not a static document and should be treated as a living document. Regular reviews are critical to ensure the policy stays relevant, effective, and compliant with all current laws and regulations.

Review Timeline

The policy should be reviewed at least annually. However, it’s advisable to conduct reviews more frequently in response to significant changes in data protection legislation, technological advancements, or shifts in the organization’s operations or practices.

Review Process

During the review, the Responsible Person, along with any relevant teams or individuals, should examine each section of the policy. This includes assessing whether its guidelines for data collection, processing, storage, and sharing remain appropriate and compliant.

The review should also consider recent data breaches or security incidents, both within the organization and in the wider industry, to identify any areas of the policy that need strengthening.

Policy Updates

If the review identifies necessary changes, these should be made promptly to the policy. Any updates or modifications must be clearly communicated to all employees, and additional training should be provided as needed.

Documentation

All policy reviews and subsequent updates should be thoroughly documented. This includes recording the date of each review, who was involved, what was discussed, and any decisions made or actions taken.

Regular policy reviews ensure that an organization’s data protection policy remains a robust and effective tool for safeguarding data, maintaining legal compliance, and fostering trust with stakeholders.

Policy Adoption and Communication

When this policy is updated, it will be communicated to all employees, stakeholders, and relevant third parties. It will be easily accessible and available in language that everyone can understand. Employees are encouraged to ask questions and seek clarification if needed.