Data Privacy and GDPR Compliance
Events Manager 5.9.3 includes various features to help you comply with international and national data protection and privacy laws, such as the EU GDPR, which is enforced as of May 25th 2018. Since the GDPR will affect most of the world, we'll refer to data privacy/protection laws as GDPR for the purposes of this document.
It's important to understand that these features do not automatically make you compliant with the GDPR (or any other data protection law). Everyone's site is different and is therefore subject to different considerations when coming up with a data privacy and protection plan. The purpose of this document is to explain the features available to you that will assist you with compliance. Please see our overview of GDPR considerations you should take into account when making your site compliant with GDPR and other data protection laws you may be subject to.
The main areas you need to deal with when it comes to GDPR involve:
- Privacy policy - providing clear information about what you do with personal data obtained by your site.
- Consent - obtaining permission to use personal data submitted to you in accordance with your privacy policy.
- Right to erasure - users have the right to request their data to be removed from your site.
- Data access and portability - users can request a digital copy of all their personal information stored on your site.
Privacy Policy
The first area is the part that requires the most input from you, since you need to create your own Privacy Policy. We integrate with WordPress' Privacy Policy tool to provide you with an example of information you could include in your Privacy Policy, which describes how and why Events Manager collects data from the user. This sample (at the time of writing) is:
We use Google services to generate maps and provide autocompletion when searching for events by location, which may collect data via your browser in accordance to Google's privacy policy.
We collect and store information you submit to us when making a booking, for the purpose of reserving your requested spaces at our event and maintaining a record of attendance.
We collect and store information you submit to us about events (and corresponding locations) you would like to publish on our site.
We may use cookies to temporarily store information about a booking in progress as well as any error/confirmation messages whilst submitting or managing your events and locations.
Privacy Settings
You will see a Privacy section on our settings page under the General tab, which will look like this:
These settings provide you with fine-grained control over the next few areas of the GDPR you need to comply with.
Consent
We provide you with an easy way to automatically add a consent checkbox to the bottom of your booking and event/location submission forms. When this checkbox is present, users must check it before they can proceed with submitting their data.
The first option, Consent Text, allows you to edit the specific wording used for the checkbox description.
Remembering Consent allows you to decide whether to display these checkboxes more than once to registered users. When a form is submitted containing this consent checkbox, the date of consent is saved to the user profile, and gets updated when they consent again. Because of this, you can choose whether or not to keep showing this checkbox to users that consented, and whether to pre-fill the box as well.
The following options allow you to decide whether or not to show these consent checkboxes, and if so, whether to show them only to guests regardless of whether the registered user had previously consented or not.
Export / Erase
These two sections provide the same sort of options, and deal with the "right to erasure" and "right to data access" requirements of the GDPR. Events Manager integrates with the personal data export/eraser tools provided by WordPress, and the following options provide you with fine-grained control over what specifically to include in data exports, and what to delete when requested.
One important point to note is that WordPress does not delete user accounts when erasing personal data. When you delete a user account, you are given the option to delete all their content, or transfer it to another user. This applies to events and locations too. Bookings belonging to a user, including payment transaction history, will get deleted along with the account.
As of May 25th 2018, the new EU GDPR laws are enforced and affect anyone that runs a website which is served to anyone in the EU.