What tools does Hugo offer to meet the AVG / GDPR regulations?
From the 25th of May 2018 onwards, the General Data Protection Regulation (GDPR) will be enforced in Europe and, as we are a Dutch company, we have to abide by this legislation. On this page you will find how this affects your organization, what has changed and what will change in Hugo's software, and the required changes in your business relationship with Hugo.
About the AVG / GDPR
Privacy is increasingly important in the current information technology era. We, as people, want to know what happens to our data and want to prevent this data from ending up on the street.
The EU enforces a new privacy law: the General Data Protection Regulation (GDPR). In the Netherlands and Belgium this law is known by the abbreviation AVG. This law gives us the confidence that every effort will be made to ensure our data is not used for purposes we are not aware of.
From the 25th of May 2018 and onwards, this law will be enforced. This means that when you collect personal data, you must comply with the rules of the AVG / GDPR.
Most organizations have already started the preparations and we are happy to inform you where Hugo helps you to comply with this law. Please know that if you do not comply with the rules, the fines can rise up to four percent of your annual turnover.
The AVG / GDPR and Hugo
To understand the consequences of this law, we have divided this article into three parts:
People | Organization | Technology
People. This concerns, for example, a user of the software, an employee of your organization or a contact that is recorded in your CRM system. For Hugo, the three most important pillars of the AVG are:
- Transparency: companies must inform users in an understandable way about how their data is collected and processed.
- Right to be forgotten: companies must be able to delete personal data if the applicable person requests this and no valid counter argument can be given.
- Reporting obligation for data leaks: companies are obliged to document and report a data breach within 72 hours unless they can prove that the leak is not a hazard for the collected personal data.
Personal data is all information with which a person can be identified, such as a name, a telephone number, an address, an e-mail address, a date of birth, an account number, and more. Are you wondering whether the AVG / GDPR applies to your organization? It’s very simple: if you work with one of the data elements as mentioned above, the AVG / GDPR applies to your organization.
People have the right to correct their data or have it removed. In addition, each person must give specific, freely determined and unambiguous consent, with full knowledge of the facts.
In other words: for every ticket purchase and every newsletter registration, you as a company have to explain specifically what will happen to the collected personal data. Keep in mind that this information needs to be clear and easily understandable in your Privacy Statement, and please don't forget to always ask users for explicit permission to use their personal data. Sending a promotional email to anyone who purchased a ticket is prohibited unless your ticket buyers have given explicit consent to receive promotional emails.
Service Level Agreement / Cooperation Agreement
From May 25th 2018 onwards, all Hugo customers and partners will receive a new cooperation agreement containing a processor agreement that is in line with the new legislation and regulations, with all rights and obligations that arise from the AVG. Some important changes are:
- Processing agreement: according to the AVG, there is a "Processor" and a "Controller". Hugo is the Processor and its customers are the Controllers.
- Legislation: the reference to the Personal Data Protection Act (Wbp) will be adapted to the General Data Protection Regulation (AVG in the Netherlands).
We have a Privacy Statement on the website for both companies (our clients) and their end users (your clients), in which we want to make clear that we do not abuse your data or that of your customers.
Terms & Conditions
In addition to the Privacy Statement, our Terms and Conditions can be found here
By using Hugo's software solution, personal data will be processed; this data is securely stored and made available via the Hugo back office. In the back office, the collected (personal) data is presented in the account of each client. This information can be adjusted by the clients of Hugo. If you have more questions about (for example) the removal of data, please feel free to contact us via firstname.lastname@example.org
For the Hugo software solution, the AVG / GDPR has impact on the following:
Right to be forgotten
The "right to be forgotten" is a very strong right of the end user in the AVG / GDPR. In the Hugo system, this (as well as providing insight into data or adjusting data) can easily be carried out:
- Block before use. It is already possible to block data that is no longer in use. In the case of e-mail campaigns, the Hugo software does this automatically by registering recipients as "unsubscribed" when a user indicates this. These recipients are then no longer included in new email campaigns, so the use (or misuse) of this data is prevented.
- Deleting records / subscribers. It is possible to delete records or subscribers directly within Data Management and Fanbase Management. Note that a person's data could be in multiple places, and deleting means permanent deletion: once deleted, that data can no longer be retrieved.
The GDPR also pays a lot of attention to data portability: being able to export personal data so that it can be reused in other situations. The current possibilities in the Hugo software, such as reports via PDF, XLS or CSV, are sufficient to comply with the legislation.
Important pillars of the AVG
What should you do?
1. Make an overview of all data that you handle
Make an overview of all (personal) data your organization handles. It must be clear which different sets of (personal) data are used, for what purpose, where they are stored and who has access to them. Create a so-called Privacy Impact Assessment (PIA). According to the AVG, organizations are obliged to map the risks of data processing in advance.
Tip: make sure that you map all processes for dealing with (personal) data, for example how it is removed. If a newsletter reader sends you an email requesting the deletion of their (personal) data, that person's data must actually be deleted. The same applies, of course, when someone wants to change his or her data.
2. Consider privacy by design & privacy by default
Privacy by design means that when designing (new) products and services you have to take the protection of privacy-sensitive information into account. Think for example about a new event, or a new product type that can be purchased or, for example the purchasing of tokens prior to the event.
Privacy by default means that you only process the personal data that is necessary for that specific purpose. For example, someone who buys a ticket to the event and receives the ticket via email should not, without explicit consent, receive a promotional email at a later stage; that is not necessary for the specific purpose. As an organization, you always remain responsible for who can process which data and where.
Tip: when you review your online documentation (your Privacy statement for example) regarding the processing of personal data, make sure that it is expressed in clear, understandable language. If people do not understand you, suspicion may arise and that will harm your brand.
3. Comply with the Data Leak Reporting Requirements
Unfortunately, we read more and more often about hackers who have acquired personal data. But a data leak also occurs in the unfortunate event of losing a company laptop or sending an email containing personal data to the wrong recipient. Besides being serious entrepreneurial risks, these are all considered data leaks. In all circumstances, you must inform those involved about the data breach, and if it has serious consequences for the personal data concerned, you have to report it to the appropriate authorities. Most important of all, you must do everything you can to prevent this.
Tip: document the risks for your organization. Look at your procedures for documenting and reporting data leaks. In the AVG, the obligation to report data leaks is extended with the obligation to document all data leaks which can then be reviewed by the Dutch Data Protection Authority.
4. How do you request and register permission for using (personal) data?
The new legislation imposes more strict requirements about the permission that people must give for the processing of data. Evaluate the way in which you ask people (your ticket buyers, newsletter subscribers etc.) permission to process their (personal) data and how (securely) you register them. You must be able to demonstrate that consent has been obtained.
How can we help you?
1. Accurate, safe and secure import of (personal) data
If you want to send an email campaign, your email addresses must be available. With the import functionality of the Hugo system, you can indicate which e-mail addresses you want to import and which you do not. The addresses you do not want to import are those of people who have not given permission to be approached for promotional purposes. Since these people should still be able to receive service messages, it is also possible to do the segmenting with our extensive filter options after the data has been imported.
2. Possibility to block or delete (personal) data
Within the Fanbase Management and Data Management environment, you can easily unsubscribe people or remove them completely from the Hugo software. Note that you must not add these people again in the future without their consent. This is your responsibility.
3. Double opt-in
If you are using the newsletter registration module, always use a double opt-in. People who subscribe to the newsletter will then receive a confirmation email in which they have to indicate again that they want to sign up with that specific email address. This gives you as organizer a clean database, and you have taken care of the explicit consent.
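The double opt-in flow described above, together with the consent evidence requirement from step 4 ("you must be able to demonstrate that consent has been obtained") and the unsubscribe blocking described under "Right to be forgotten", can be shown in working code. The following is an added example and is not Hugo's code or a description of how the Hugo system implements it: it assumes a hypothetical, in-memory newsletter module with a server-side HMAC secret for signing confirmation links, a 48-hour link lifetime, and a consent ledger that records when and from where consent was requested, confirmed and withdrawn.

```python
"""Double opt-in newsletter consent with a consent ledger.

Added example, not Hugo's code. The store is in memory; a real system
would persist the ledger so the consent evidence survives restarts.
"""
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass
from typing import Dict, Optional

# Hypothetical server-side secret used to sign confirmation tokens (constructed value).
SERVER_SECRET = b"example-secret-rotate-me"
TOKEN_TTL_SECONDS = 48 * 3600  # confirmation links expire after 48 hours


@dataclass
class ConsentRecord:
    email: str
    status: str                 # "pending", "confirmed" or "unsubscribed"
    source: str                 # where the request came from, e.g. "website-form"
    requested_at: float
    confirmed_at: Optional[float] = None
    withdrawn_at: Optional[float] = None
    nonce: str = ""             # single-use nonce bound to the outstanding confirmation link


class NewsletterConsent:
    def __init__(self, secret: bytes = SERVER_SECRET) -> None:
        self._secret = secret
        self._records: Dict[str, ConsentRecord] = {}

    def _sign(self, email: str, nonce: str, expires: int) -> str:
        # The signature binds address, nonce and expiry so none can be altered in transit.
        msg = f"{email}|{nonce}|{expires}".encode()
        return hmac.new(self._secret, msg, hashlib.sha256).hexdigest()

    def request_subscription(self, email: str, source: str, now: Optional[float] = None) -> Optional[str]:
        """Step 1: record a pending request and return the token to put in the confirmation email."""
        now = time.time() if now is None else now
        email = email.strip().lower()
        existing = self._records.get(email)
        if existing is not None and existing.status == "confirmed":
            return None  # already opted in; nothing to confirm
        nonce = secrets.token_urlsafe(16)
        self._records[email] = ConsentRecord(email, "pending", source, now, nonce=nonce)
        expires = int(now) + TOKEN_TTL_SECONDS
        return f"{email}|{nonce}|{expires}|{self._sign(email, nonce, expires)}"

    def confirm(self, token: str, now: Optional[float] = None) -> bool:
        """Step 2: the subscriber clicks the link; only a valid, unexpired, unused token confirms."""
        now = time.time() if now is None else now
        try:
            email, nonce, expires_s, sig = token.split("|")
            expires = int(expires_s)
        except ValueError:
            return False
        if not hmac.compare_digest(sig, self._sign(email, nonce, expires)):
            return False  # tampered or forged link
        if now > expires:
            return False  # stale link
        rec = self._records.get(email)
        if rec is None or rec.status != "pending" or rec.nonce != nonce:
            return False  # no outstanding request, or link already used
        rec.status = "confirmed"
        rec.confirmed_at = now
        rec.nonce = ""    # consume the nonce so the link cannot be replayed
        return True

    def unsubscribe(self, email: str, now: Optional[float] = None) -> bool:
        """Withdrawal of consent: keep the record as evidence, but block the address."""
        rec = self._records.get(email.strip().lower())
        if rec is None:
            return False
        rec.status = "unsubscribed"
        rec.withdrawn_at = time.time() if now is None else now
        return True

    def campaign_recipients(self) -> list:
        """Only confirmed addresses are ever mailed; pending and unsubscribed ones are excluded."""
        return sorted(e for e, r in self._records.items() if r.status == "confirmed")

    def consent_evidence(self, email: str) -> Optional[dict]:
        """What you would show an authority or a data subject asking how consent was obtained."""
        rec = self._records.get(email.strip().lower())
        if rec is None:
            return None
        return {"email": rec.email, "status": rec.status, "source": rec.source,
                "requested_at": rec.requested_at, "confirmed_at": rec.confirmed_at,
                "withdrawn_at": rec.withdrawn_at}


if __name__ == "__main__":
    nc = NewsletterConsent()
    link = nc.request_subscription("Alice@Example.com", "website-form")
    print("mail this token to the subscriber:", link)
    print("confirmed:", nc.confirm(link))
    print("recipients:", nc.campaign_recipients())
    print("evidence:", nc.consent_evidence("alice@example.com"))
```

The design point is that the address is never mailable until the second step succeeds, the confirmation link is signed and single-use, and an unsubscribe changes the status rather than deleting the ledger entry, so the record of when consent was given and withdrawn remains available as evidence.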
If you have any questions about anything, please contact us on email@example.com