<img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=1029501197232858&amp;ev=PageView&amp;noscript=1">

Data protection

Lyyti is GDPR-compatible. We meet or surpass all demands set by the General Data Protection Regulation.

In Brief

Taking effect on 25 May 2018, the European Union's General Data Protection Regulation (GDPR) is one of the most important international legislative changes in data protection in decades. The purpose of the regulation is to increase the individual's rights to manage and process their personal data and to harmonise legislation within the European Union.

Lyyti is firmly committed to the new Data Protection Regulation. In addition to complying with the regulation ourselves, it is important for us to help our customers with their compliance efforts. This goal will be achieved through training, instruction, and technical development of our software.

Lyyti offers tools and features for GDPR-compliant event management

Lyyti is a SaaS company specialized in participant data management, with millions of registrations and over 70 000 events handled yearly. Where events are handled, there’s always personally identifiable information and sensitive personal information involved. We want to set a high standard for data protection in event management and lead by example. Lyyti offers all clients all the adequate tools needed for creating and managing GDPR-compliant events, and more.

Based on hundreds of client interviews we’ve found that organizations around Europe battle pretty much the same issues when it comes to GDPR compliancy. This page is a roundup of these common data protection challenges, where we also present the tools and features Lyyti provides for adressing these issues.

All of our clients have access to the basic compliance tools included in their Lyyti license. However, our clients are different and have different needs. This is why we’ve bundled the advanced compliance tools into either the Compliance Center (included in Lyyti licenses purchased or updated after Jan 1st 2017) or the Enterprise license level.

For a quick overview of which compliance tools are included in which license type, please click to view the diagram at the bottom of this page.

Contents

Managing scattered registers

Privacy policy

Several registers - especially useful for event agencies

Collecting and managing consent information

Managing several consent questions

Right of access - participant data retrieval

Participant data retrieval from one or more registers

Data anonymisation

Anonymisation spanning one or several registers

Anonymisation of an entire event

Automatic anonymisation & anonymisation rules

Export consent information in an Excel file

Export consent information via API

Sensitive personal data management

Personal data removal in bulk

Managing scattered registers

Scattered registers, i.e. participant lists saved here and there can cause problems. Scattered registers form easily at events, when there’s an undeniable need to share specific participant information with third parties like catering or accomodation representants.

Lyyti offers one centralized participant database for safe storage of personally identifiable information. The data can be shared securely via online reports, which can be regulated closely by the sender: the report can be password protected, access can be restricted and the report set to expire at a certain time. Thanks to online reports, the recipient never needs to save any personal data onto their own device.

The online reporting feature is included in all Lyyti license types.

Privacy policy

The privacy policy is the document that clarifies to the registered person how and why their data is stored and handled. One organization can have several privacy policies due to having several registers, e.g. one for marketing purposes and another for customer data. The privacy policy needs to be accessible to the registered persons.

All our clients have the option of creating and publishing (in several languages if needed) one privacy policy for their Lyyti events. In practice this is sufficient when the client only maintains one register.

One privacy policy feature is included in all Lyyti license types.

Several registers – especially useful for event agencies

If an organization is managing events that form separate filing systems or registers (e.g. client events related to the marketing register or internal events related to the employee register), there may be a need to manage several different privacy policies.  

A person can be entered into a filing system in Lyyti based on explicit consent, where the person ticks a box to agree to be registered. The registration can also be based on other terms, which are to be clarified to the person about to be registered when they are signing up. In this case explicit consent isn’t needed, as long as the terms are presented clearly to the registered person.

Several separate registers in Lyyti is an especially useful model of conduct for event agencies. In this model, the client is producing events for their client, which makes them not a register controller, but a processor. An event agency can create client-specific privacy policies, manage client-specific consent questions and edit or remove data in client-specific registers.

The several registers feature is available in Lyyti licenses that include the Compliance Center. The Compliance Center is included in licenses purchased or updated after Jan 1st 2017.

Collecting and managing consent information

If the participant’s/registered persons explicit consent is requested for something (e.g. for a newsletter), the consent information can be stored and handled in Lyyti. The consent question feature is easy to use and transparent for both user and participant. If consent has been given in a previous event, Lyyti will recognize this based on the email adress connected to the participation, which eliminates repeated consent questions.

One consent question and consent management is included in all Lyyti license types.

Managing several consent questions

When a need arises for several separate consent questions (e.g. several different newsletters or other marketing consent), an unlimited amount can be created in Lyyti. The relevant consent questions can be selected for each event at the user’s discretion.

The several consent questions feature is available in Lyyti licenses that include the Compliance Center. The Compliance Center is included in licenses purchased or updated after Jan 1st 2017.

Right of access – participant data retrieval

According to Article 15 in the regulation the registered person (in this case the participant) has the right to access their personal data and information about how this personal data is being processed, and to request changes or erasure.

Lyyti has solved this by providing a search feature that retrieves all data on a participant and compiles it into either a PDF-file or machine language. The search can be executed either within the events belonging to one user, or within all events belonging to the entire organization.

Participant data retrieval from one user’s events at a time is included in all Lyyti license types.

Participant data retrieval from the entire organization’s events and the PDF or machine language file generation is available in Lyyti licenses that include the Compliance Center. The Compliance Center is included in licenses purchased or updated after Jan 1st 2017.

Participant data retrieval from one or more registers

When an organization manages more than one register, the participant data search can be performed in either just one register or all existing registers at once.

Participant data retrieval from one or more registers is available in Lyyti licenses that include the Compliance Center. The Compliance Center is included in licenses purchased or updated after Jan 1st 2017.

Data anonymisation

Personally identifiable information loses its sensitivity status when all data that could help tie the information to a natural person is removed. The process is known as anonymisation, after which the data isn’t subject to the GDPR anymore. Such anonymised event data can be used for statistics etc. The need for anonymisation may arise either from the registered person’s request or when the need to process certain personal information is gone (e.g. a sufficiently long time has passed since the event).

An anonymisation feature for processing an individual participant at a time is included in all Lyyti license types.

Anonymisation spanning one or several registers

When an organization controls several registers, a need may arise to find and anonymise a registered person within just one of many registers. A good example is a company that requires explicit consent for entering a participant in their participant register, but want to keep their participant register and marketing register separated.

Event agencies and conference organizers appreciate this feature, because this way different clients’ participant registers can be kept separately and the participant search is easy to direct to the correct register.

Anonymisation spanning one or several registers is available in Lyyti licenses that include the Compliance Center. The Compliance Center is included in licenses purchased or updated after Jan 1st 2017.

Anonymisation of an entire event

Anonymisation of an entire event at one click is a handy feature for getting rid of personally identifiable data in e.g. old, archived events.

Anonymisation of an entire event is available in Lyyti licenses that include the Compliance Center. Since anonymisation cannot be undone, this feature is only accessible to the admin user.

Automatic anonymisation & anonymisation rules

Automatic anonymisation is a set of tools for the admin user to set certain organization-wide rules for anonymisation with. Data can be set to be anonymised at a certain point in time, or a certain field or question can be anonymised automatically at the admin user’s discretion.

This set of tools is particularly useful to large organizations and other clients who want to standardize and centralize data management and anonymisation practices for the entire organization.

Automatic anonymisation is available in Lyyti Enterprise licenses.

Export consent information in an Excel file

Event participation often acts as an expression of consent, e.g. when a participant signs up for an event and simultaneously agrees to receive a newsletter as stated in the marketing register privacy policy. In these cases the consent information, along with the participant information, needs to be entered into another system (e.g. a marketing platform), where the register is processed further.

Consent information export via reports and Excel file generation is available in all Lyyti license types.

Export consent information via API

Users who generally manage and process their registers in another system (CRM, marketing platform, HR-system etc) despite managing their events in Lyyti, appreciate the fact that the consent information can be managed automatically. Automatic consent information export (and import) can be facilitated via Lyyti’s API.

Export and import of consent information via API is available in Lyyti Enterprise licenses.

Sensitive personal data management

Information considering a natural person’s health situation, political activity or sexual orientation are examples of sensitive personal information. Sensitive personal information should only be processed and stored when it is absolutely necessary and removed once it’s no longer needed.

Lyyti offers tools for flagging certain questions as sensitive data and for scheduling removal of said data. The admin user can set the sensitive data rules for the entire organization, ensuring safe and certain removal of sensitive data.

Sensitive personal data management tools are available in Lyyti Enterprise licenses.

Personal data removal in bulk

Please bear in mind that events themselves don’t need to be deleted, because they are not personally identifiable information.

When it comes to personal data contained in past events, it’s good to reflect on these points:

  • Is the organizer under some legal obligation to retain the data, e.g. relating to proof of education or bookkeeping purposes?
  • Does the organizer have a lawful basis and purpose for data processing, e.g. in events aimed at customers who are already in the customer register?
  • Does the organizer have a reason to store the data in connection to legitimate economic activity or to fulfill contractual obligations (e.g. a recurring event where previous participation may affect future guest lists)?

If there’s no need to hang on to personal data from past events, it may be in order to anonymise e.g. events that have ended more than two years ago, instead of removing them completely. We recommend that this is done one event at a time, as anonymisation can not be undone.

If a client absolutely needs to anonymise entire events at a time, a Lyyti support team member will perform this action free of extra charge once per client.

A summary of  Lyyti's data protection features

Data protection features
* The Compliance Center is included in licenses purchased or updated after Jan 1st 2017.

Duizenden tevreden Lyyti gebruikers wereldwijd - Wordt er ook één!

Vraag een gratis demo aan om te praten met onze eventexperts over wat Lyyti kan doen voor jullie. Deze demo vindt online plaats, is gratis en zonder verplichtingen.