GDPR FAQs
1. What happens if we collect more data than necessary?
It is not aligned with the principle of data minimisation. If a data breach happens and you hold more data than needed, it is risky.
2. Any requirements for storing data in terms of timeline? How long should we keep data?
There are no specific measures. The security measures must be relevant to the data and to the place in which they are stored. So, in case of a breach, you must prove that you did all you could to protect that data.
3. What is considered 'sensitive data' in terms of GDPR?
Sensitive data can include sexual orientation data, medical data, and religious beliefs data. At GP, there is no form in which we ask participants to fill in data regarding their religious beliefs; therefore such data is not collected.
4. Who is the Data Protection Officer at GP?
GP does not need a Data Protection Officer. We have a data protection manager at GP (Dion Kandima) who keeps in contact with the GDPR Consultant (Flavius).
5. Let’s say we have an event at GP in Latin America. Sometimes we have people who speak Spanish. We want to capitalise on the people who attend our events (summits, events other than JOG). Can we collect their contact data?
Yes, if we receive their consent to be contacted. At registration, they should tick a box to agree on being contacted further.
6. One of the principles is to collect only necessary data. Who sets the rule for what is necessary and what is more?
You set the rules internally, but you should keep in mind the purpose and the principle. Every piece of information you collect must have a purpose, and you should make sure that the person has given their consent. Data must be collected for specific purposes and with consent.
7. GP is based in the US but has people globally. Our Data Protection is based on GDPR. Is GDPR the most comprehensive data protection in the world?
Until now, yes. There are other ones in other parts of the world, but they are not as comprehensive as GDPR.
8. Regarding the storage limitation time frame for employees, what does indefinite mean? For example, when someone has left GP, do we need to remove all their information from our files?
You must establish a retention period from the law (Tennessee Law). If the law doesn’t already provide you with one, then we must establish a reasonable time frame based on how long you require the data. When that period comes to an end, we need to delete or anonymise the data.
9. We have volunteer Facilitators who collect data that is held on paper. Does the moment we collect information from participants become part of the process? Do we need to ask the Facilitator to destroy that paper, and how do we control this?
Volunteers must have a contract that says they respect the process, including destroying the data collected on paper and confirming this through an email of recognition.
10. Is the sign-in sheet GDPR compliant?
Currently, it is not compliant with GDPR, as we need individual consent to store their data, with a record of this consent stored with the data in HubSpot. The 2023 version of the JOG registration process is compliant.