Lyyti is a safe and reliable partner.
A high level of security is of primary importance to us. When you entrust Lyyti with your event data, you can relax knowing that it will stay safe. Lyyti is 100% committed to complying with the GDPR, and we offer all our users and clients the possibility to do the same; Lyyti gives you everything you need to manage your participant data safely.
- Lyyti's operability is constantly guarded by an operations team. The team is on duty 24/7, every day of the year.
- Lyyti’s security standards and documentation have been created in accordance with the KATAKRI audit system criteria and the ISO-27001 standard. KATAKRI is the set of security audit criteria used by Finnish government bodies and authorities, and ISO-27001 acts as a good basis for administrative security & risk management.
- Lyyti’s backup system covers four different operative levels which are geographically separated.
- All employees must successfully complete annual and mandatory data security and data protection training.
- Lyyti's premises have been designed and equipped to comply with very strict security regulations (VAHTI ST IV).
- Lyyti processes data on EU territory only (GDPR 2016/679).
- All subprocessors are hand-picked to match Lyyti's high security standards. Click here to view the subprocessor list.
Lyyti is GDPR-compatible. We meet or surpass all demands set by the General Data Protection Regulation.
Taking effect on 25 May 2018, the European Union's General Data Protection Regulation (GDPR) is one of the most important international legislative changes in data protection in decades. The purpose of the regulation is to increase the individual's rights to manage and process their personal data and to harmonise legislation within the European Union.
Lyyti is firmly committed to the new Data Protection Regulation. In addition to complying with the regulation ourselves, it is important for us to help our customers with their compliance efforts. This goal will be achieved through training, instruction, and technical development of our software.
Lyyti offers tools and features for GDPR-compliant event management
Lyyti is a SaaS company specialized in participant data management, with millions of registrations and over 70 000 events handled yearly. Where events are handled, there’s always personally identifiable information and sensitive personal information involved. We want to set a high standard for data protection in event management and lead by example. Lyyti offers all clients all the tools needed for creating and managing GDPR-compliant events, and more.
Based on hundreds of client interviews we’ve found that organizations around Europe battle pretty much the same issues when it comes to GDPR compliance. This page is a roundup of these common data protection challenges, where we also present the tools and features Lyyti provides for addressing these issues.
All of our clients have access to the basic compliance tools included in their Lyyti license. However, our clients are different and have different needs. This is why we’ve bundled the advanced compliance tools into either the Compliance Center (included in Lyyti licenses purchased or updated after Jan 1st 2017) or the Enterprise license level.
Scattered registers, i.e. participant lists saved here and there, can cause problems. Scattered registers form easily at events, when there’s an undeniable need to share specific participant information with third parties like catering or accommodation representatives.
Lyyti offers one centralized participant database for safe storage of personally identifiable information. The data can be shared securely via online reports, which can be regulated closely by the sender: the report can be password protected, access can be restricted and the report set to expire at a certain time. Thanks to online reports, the recipient never needs to save any personal data onto their own device.
The online reporting feature is included in all Lyyti license types.
If an organization is managing events that form separate filing systems or registers (e.g. client events related to the marketing register or internal events related to the employee register), there may be a need to manage several different privacy policies.
A person can be entered into a filing system in Lyyti based on explicit consent, where the person ticks a box to agree to be registered. The registration can also be based on other terms, which are to be clarified to the person about to be registered when they are signing up. In this case explicit consent isn’t needed, as long as the terms are presented clearly to the registered person.
Keeping several separate registers in Lyyti is an especially useful model for event agencies. In this model, the client is producing events for their own client, which makes them a processor rather than a register controller. An event agency can create client-specific privacy policies, manage client-specific consent questions and edit or remove data in client-specific registers.
The several registers feature is available in Lyyti licenses that include the Compliance Center. The Compliance Center is included in licenses purchased or updated after Jan 1st 2017.
If the participant’s/registered person’s explicit consent is requested for something (e.g. for a newsletter), the consent information can be stored and handled in Lyyti. The consent question feature is easy to use and transparent for both user and participant. If consent has been given in a previous event, Lyyti will recognize this based on the email address connected to the participation, which eliminates repeated consent questions.
One consent question and consent management is included in all Lyyti license types.
When a need arises for several separate consent questions (e.g. several different newsletters or other marketing consent), an unlimited number can be created in Lyyti. The relevant consent questions can be selected for each event at the user’s discretion.
The several consent questions feature is available in Lyyti licenses that include the Compliance Center. The Compliance Center is included in licenses purchased or updated after Jan 1st 2017.
According to Article 15 in the regulation, the registered person (in this case the participant) has the right to access their personal data and information about how this personal data is being processed, and to request changes or erasure.
Lyyti has solved this by providing a search feature that retrieves all data on a participant and compiles it into either a PDF file or a machine-readable format. The search can be executed either within the events belonging to one user, or within all events belonging to the entire organization.
Participant data retrieval from one user’s events at a time is included in all Lyyti license types.
Participant data retrieval from the entire organization’s events and generation of the PDF or machine-readable file are available in Lyyti licenses that include the Compliance Center. The Compliance Center is included in licenses purchased or updated after Jan 1st 2017.
When an organization manages more than one register, the participant data search can be performed in either just one register or all existing registers at once.
Participant data retrieval from one or more registers is available in Lyyti licenses that include the Compliance Center. The Compliance Center is included in licenses purchased or updated after Jan 1st 2017.
Personally identifiable information loses its sensitivity status when all data that could help tie the information to a natural person is removed. The process is known as anonymisation, after which the data isn’t subject to the GDPR anymore. Such anonymised event data can be used for statistics etc. The need for anonymisation may arise either from the registered person’s request or when the need to process certain personal information is gone (e.g. a sufficiently long time has passed since the event).
An anonymisation feature for processing an individual participant at a time is included in all Lyyti license types.
When an organization controls several registers, a need may arise to find and anonymise a registered person within just one of many registers. A good example is a company that requires explicit consent for entering a participant in their participant register, but wants to keep their participant register and marketing register separated.
Event agencies and conference organizers appreciate this feature, because this way different clients’ participant registers can be kept separately and the participant search is easy to direct to the correct register.
Anonymisation spanning one or several registers is available in Lyyti licenses that include the Compliance Center. The Compliance Center is included in licenses purchased or updated after Jan 1st 2017.
Anonymisation of an entire event with one click is a handy feature for getting rid of personally identifiable data in e.g. old, archived events.
Anonymisation of an entire event is available in Lyyti licenses that include the Compliance Center. Since anonymisation cannot be undone, this feature is only accessible to the admin user.
Automatic anonymisation is a set of tools with which the admin user can set certain organization-wide rules for anonymisation. Data can be set to be anonymised at a certain point in time, or a certain field or question can be anonymised automatically at the admin user’s discretion.
This set of tools is particularly useful to large organizations and other clients who want to standardize and centralize data management and anonymisation practices for the entire organization.
Automatic anonymisation is available in Lyyti Enterprise licenses.
Consent information export via reports and Excel file generation is available in all Lyyti license types.
Users who generally manage and process their registers in another system (CRM, marketing platform, HR system, etc.), despite managing their events in Lyyti, appreciate the fact that the consent information can be managed automatically. Automatic consent information export (and import) can be facilitated via Lyyti’s API.
Export and import of consent information via API is available in Lyyti Enterprise licenses.
Information concerning a natural person’s health situation, political activity or sexual orientation is an example of sensitive personal information. Sensitive personal information should only be processed and stored when it is absolutely necessary and removed once it’s no longer needed.
Lyyti offers tools for flagging certain questions as sensitive data and for scheduling removal of said data. The admin user can set the sensitive data rules for the entire organization, ensuring safe and certain removal of sensitive data.
Sensitive personal data management tools are available in Lyyti Enterprise licenses.
Please bear in mind that events themselves don’t need to be deleted, because they are not personally identifiable information.
When it comes to personal data contained in past events, it’s good to reflect on these points:
- Is the organizer under some legal obligation to retain the data, e.g. relating to proof of education or bookkeeping purposes?
- Does the organizer have a lawful basis and purpose for data processing, e.g. in events aimed at customers who are already in the customer register?
- Does the organizer have a reason to store the data in connection to legitimate economic activity or to fulfill contractual obligations (e.g. a recurring event where previous participation may affect future guest lists)?
If there’s no need to hang on to personal data from past events, it may be in order to anonymise e.g. events that ended more than two years ago, instead of removing them completely. We recommend that this is done one event at a time, as anonymisation cannot be undone.