Disclaimer: This is an example of a student written essay.


Christmas Event to Bring Staff Together: Planning and Budget

Info: 4203 words (17 pages) Essay
Published: 8th Feb 2020 in Leisure Management


  1. Description of the proposed idea

 

It is my intention to coordinate a Christmas event for employees, suppliers, clients and their families, complete with a Santa visit for their children. Whilst there is no financial business benefit from this, it will strengthen relationships between our employees, suppliers and clients. Organising similar events for other companies has been shown to increase recurring business from clients and ensure better service from providers.


The intention is to issue all children with a personalised Santa ticket, with children under the age of 4 receiving a soft toy from Santa and over 4’s receiving a selection box.  Therefore, first names, age range and details of food related allergies any of the children have will be required for each child attending. 

Santa and his helper will be hired from an external company and will be provided with the name and age range of each child attending in the form of a ticket containing the information.  They will be advised that these tickets are to be left in a box for disposal once the event is over.

As health data of under 16’s will be captured, and we will be using existing personal data for a new purpose, a DPIA[1] (Regulation EU, 2016/679, Rec.84, 90-94; Art.35) is required to ensure this is compliant with GDPR.

  2. DPIA[2]

 

  A. Description of Processing
  1. First Step – An initial event spreadsheet of people will be collated in October of the relevant year.  The spreadsheet will have 4 tabs, 1 for employees, 1 for providers, 1 for clients and 1 for people attending the event.  Each of these tabs will contain the names of invitees and their business email addresses (work email address for staff and the email address provided for business contact by providers and clients). 
  2. Invites – The invitees from the list will be contacted by email with an invitation to attend and advised what data will be collected at this time. The invitation will contain ‘Yes/No’ response options, advice that by accepting they will be requested to provide additional information, and a date by which responses must be submitted.

The lawful basis for the original collation of personal data is legitimate interest[3] (Regulation EU, 2016/679, Art.6(1)(f)), to enable us to offer the event to individuals. Individuals will be provided at this point with the option to opt out of the event and further contact in relation to same.

  3. Responses – When ‘Yes’ options are received the details will be added to the ‘Attending’ tab of the spreadsheet and assigned an attendance number. Where ‘No’ options are received the individual’s details will be deleted from the relevant list. Once the response date has passed the employee, provider and client tabs will be deleted, thus removing details for anyone who has not responded and leaving only details for those attending.

Once the responses are received the basis for holding the data moves to consent[4] (Regulation EU, 2016/679, Rec. 32,42,43; Art.4(11), 6(1)(a), 7) with the option to withdraw consent[5] (Regulation EU, 2016/679, Rec. 32,42,43; Art.4(11), 6(1)(a), 7) being available. A record of consent[6] (Regulation EU, 2016/679, Rec. 32,42,43; Art.4(11), 6(1)(a), 7) is to be maintained for the duration of the event. Emails are to be saved to a specific folder in the event coordinator’s Outlook and to be deleted by December 31st.

  4. Further data – For attendees a second email will be sent requesting:
     1. additional data in relation to their children to include:
        • the child’s name(s) – to facilitate personalised Santa tickets and experience with Santa;
        • the child’s age range – to provide them with an age appropriate Santa gift;
        • details of any food related allergies for children aged 4 and over as the gift is food related. Parents will have the option to elect for their child to receive a soft toy and therefore not provide this information.
     2. consent[7] (Regulation EU, 2016/679, Rec. 32,42,43; Art.4(11), 6(1)(a), 7) to hold this data for the duration of planning and executing the event and advising that the data will be deleted by December 31st of that year;
     3. providing the details for the external company providing Santa and his helper and advising of the personal data they will receive about each child, first name and age range on the attendance ticket which will then be left with us to allow disposal;
     4. providing contact details for the event coordinator through which all queries can be submitted or to enable them to withdraw their details at any stage if they no longer wish to attend;
     5. providing suppliers and clients with a link to our Privacy Statement, which includes advice that their details may be used for another business-related purpose where prior notice is given;
     6. providing employees with a link to the Employee Data Protection Policy, which also includes a line stating that their details may be used for another business-related purpose where prior notice is given.

The basis for processing remains consent[8] (Regulation EU, 2016/679, Rec. 32,42,43; Art.4(11), 6(1)(a), 7), except for the capturing of allergy details where the basis for processing is vital interest.

  5. Once these details are received back the event spreadsheet will be updated with the data and the appropriate gifts can be sourced.

Personalised Santa tickets will be drafted in MS Word and saved to the restricted access server drive.  They will then be printed and placed in an envelope with the family’s attendance number on the outside of the envelope.  The envelopes will be placed in a box in numerical order.  The ticket to see Santa will be colour coded to show which colour wrapping paper each child should receive on their gift. 

  6. The Event – On the day of the event two copies of the list of attendees (attendance number and first and last name of the business contact) and number of attendees per family will be printed and brought to the venue. The event coordinator and HR manager will be at the entrance of the venue and will check each family in upon arrival. The envelope with the relevant attendance number will be given to the family.

When each family visits Santa they will provide the helper with their tickets which will enable Santa to speak to the children as if he knows them and provide them with the correct gift using the colour coded wrapping paper for older children.

  7. After the Event – Santa tickets will be left in a box in the room to be destroyed by the host company once the event has finished. The event coordinator and HR manager will take responsibility for ensuring this occurs.

Once the event has concluded all data relating to same will be deleted/destroyed.  This includes documentation and emails.

  B. Necessity and Proportionality of Processing

The outlined processing is necessary to achieve the projected outcome of the project. 

Individuals have the ‘right to object’[9] (Regulation EU, 2016/679, Rec. 50, 59, 70, 73; Art.21) to the processing at the initial invitation stage and, if consent[10] (Regulation EU, 2016/679, Rec. 32,42,43; Art.4(11), 6(1)(a), 7) is given, have the right to withdraw this at any time, with contact details to do so provided.

Compliance with the Data Protection Principles[11] (Regulation EU, 2016/679, Rec. 85; Art.5(2))

Lawful, fair and transparent[12] (Regulation EU, 2016/679, Rec. 39; Art.5(1)(a)) – the lawful bases relied upon are detailed in section A.2, A.3 and A.4 of this report. The process is fair and transparent as it is advised in the Privacy Statement and Employee Data Protection Policy that ‘your contact details may be used for another business-related purpose where prior notice is given’. All individuals can avail of the ‘right to object’[13] (Regulation EU, 2016/679, Rec. 50, 59, 70, 73; Art.21) and ‘right to withdraw’[14] (Regulation EU, 2016/679, Art.7) at any stage of the event once they have received the initial invitation.

Purpose Limited[15] (Regulation EU, 2016/679, Rec.50; Art.5(1)(b)) – all data provided regarding the children will be used for the purpose of this event and then deleted.

Data minimisation[16] (Regulation EU, 2016/679, Rec. 39; Art.5(1)(c)) – only the child’s first name, age range (over or under 4) and food related allergy information is requested. Where parents feel providing allergy information is too intrusive, they can opt for the child to receive a soft toy instead.

Storage limitation[17] (Regulation EU, 2016/679, Rec. 39; Art.5(1)(e)) – data is held for 3 months.

Data accuracy[18] (Regulation EU, 2016/679, Rec. 39; Art.5(1)(d)) is ensured as the parents provide the children’s information and the data is received in October and used in December, and so is not out of date.

Integrity and Confidentiality –

  • the data held will be up to date;
  • the data security measures[19] (Regulation EU, 2016/679, Rec.29, 71, 156; Art.5(1)(f), 24(1), 25(1)-(2), 28, 39, 32) outlined in section C ensure the data will be held securely;
  • access will be limited;
  • all recipients of data (both internal and external) will be bound by GDPR compliant contracts, which include confidentiality.

No 3rd country transfer of personal data occurs.

It was determined that the processing is not ‘“likely to result in a high risk” for the purposes of Regulation 2016/679’[20] (WP29 Impact Assessment Guidelines) and therefore there was no need for prior consultation[21] (Regulation EU 2016/679, Rec.94-95; Art 35(4)-(6), 36) with the DPC in this instance.

It was decided that, due to the small scale of the project and measures in place to protect personal data, it is not necessary to seek the views of data subjects as part of this DPIA.

  C. Risks Identified and an outline of measures taken to address them

Risk: Unauthorised access to physical and logical data

Likelihood: Low given measures decided upon

Measures taken to address identified risk:

  1. This spreadsheet will be password protected, with only the event coordinator and HR manager having access to the password.
  2. The spreadsheet and Word files will be saved on a drive on the server which only the event coordinator and HR manager have access to.
  3. Neither party with access to the data will access it from a portable device; however, should this change, the device will be encrypted.
  4. The tickets will be placed in pseudonymised envelopes and kept in numerical order in a box, which will be locked securely in the HR cabinet. The HR manager is the only person with access to the keys to the cabinet and will bring the box to the event.
  5. Two lists will be printed and brought to the venue on the day of the event. The list will contain the name of the business contact and their attendance number. When they check in they will receive the pseudonymised envelope containing the Santa tickets. The event coordinator and HR manager will hold the lists and check in the families.

Risk: Excessive data retention

Likelihood: Low given measures decided upon

Measures taken to address identified risk:

  1. All documentation relating to the event will be saved to the restricted access event server drive.
  2. All email correspondence will be issued by the event controller and saved to the ‘Christmas and Santa 201X’ folder within Outlook.
  3. The spreadsheet, associated documentation and all correspondence will be deleted once the event has occurred.
  4. The maximum retention of the data is 3 months from beginning to end of the project, i.e. beginning in October and deleted by December 31st.

Risk: Excessive data collection

Likelihood: Low given measures decided upon

Measures taken to address identified risk:

  1. Only capture first names for children attending the event.
  2. Do not record data for anyone who indicates they will not be in attendance.
  3. Do not capture address data for any invitee. All correspondence is to be issued by email.
  4. To avoid capturing allergy details for individuals not receiving gifts, a list of allergens for all other foods available on the day will be made available on each table.

Risk: Transfer of Special Category Health Data to a third party

Likelihood: Low given measures decided upon

Measures taken to address identified risk:

To avoid providing a third party with the allergy data for affected children, gifts for over 4’s will be wrapped as follows:

  • Red – for children with no allergies
  • Blue – for children with dairy allergies
  • Green – for children with nut allergies

This list will be expanded once the full list of allergies is collated.

The child’s personalised ticket will be colour coded to match the wrapping paper as per the above list, thus addressing health concerns on a pseudonymised basis.

A GDPR compliant contract will be in place with the company providing Santa and his helper. This contract will include specific instructions regarding the returning of all personal data, i.e. Santa tickets, at the end of the event. No further personal data will be provided to them.

Sign Off

The above DPIA has been reviewed by the HR manager and directors of the company and it has been decided that the measures in place are sufficient to safeguard the data being processed and the retention period of 3 months maximum will be sufficient.  All data will be deleted in line with this retention period.

This DPIA is to be reviewed on an annual basis prior to the commencement of the organisation of this event to ensure the measures taken are still sufficient.

Signed

                                                    

Director       Director

  3. Adding the entry to the Record of Processing Activities

The following data would be added to our record of processing for employees, providers and clients:

Initial spreadsheet and invitation

Lawful Basis: Legitimate interest (to enhance relationships with suppliers and customers) – we have chosen to collate this data from various sources in our possession to enable us to issue the initial invitation. As the reason for collating this interest is not covered under contract or compliance and is not in the public interest we are relying on legitimate interest. We have ensured that as little personal data as possible is captured to enable us to provide the experience.

Categories of data subjects:

  • Employees
  • Providers
  • Clients

Categories of personal data:

  • Full names
  • Business email addresses

Categories of recipients of personal data:

  • Event coordinator
  • HR manager

Accepted invitations

Lawful Basis: Consent – consent is given to enable the use of personal data of their children to provide the experience and for the provision of holding health information relating to their children.

Categories of data subjects:

  • Employees
  • Employees’ children
  • Providers
  • Providers’ children
  • Clients
  • Clients’ children

Categories of personal data:

  • Full names for adults
  • Business email addresses
  • First names for children

Categories of recipients of personal data:

  • Event coordinator
  • HR manager

Further information including special category health data

Lawful Basis: Consent & Vital Interest – consent is provided to enable us to collect the allergy information. Where parents do not want to provide the information they can elect for their child to receive a soft toy. The reason this is requested is to enable us to provide diet appropriate selection boxes to the children visiting Santa and reduce the risk of allergic reaction.

Categories of data subjects:

  • Employees’ children over 4 years
  • Providers’ children over 4 years
  • Clients’ children over 4 years

Categories of personal data:

  • First name of children
  • Allergy information

Categories of recipients of personal data:

  • Event coordinator
  • HR manager
  • Santa and his helper on a pseudonymised basis. This will be covered under a GDPR compliant contract.

[1] Regulation EU, 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation), recital 84, 90-94; article 35

[2] Regulation EU, 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation), recital 84, 90-94; article 35

[3] Regulation EU, 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation), article 6(1)(f)

[4] Regulation EU, 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation), recital 32, 42, 43; article 4(11), 6(1)(a), 7

[5] Regulation EU, 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation), recital 32, 42, 43; article 4(11), 6(1)(a), 7

[6] Regulation EU, 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation), recital 32, 42, 43; article 4(11), 6(1)(a), 7

[7] Regulation EU, 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation), recital 32, 42, 43; article 4(11), 6(1)(a), 7

[8] Regulation EU, 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation), recital 32, 42, 43; article 4(11), 6(1)(a), 7

[9] Regulation EU, 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation), recital 50, 59, 70, 73; article 21

[10] Regulation EU, 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation), recital 32, 42, 43; article 4(11), 6(1)(a), 7

[11] Regulation EU, 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation), recital 85; article 5(2)

[12] Regulation EU, 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation), recital 39; article 5(1)(a)

[13] Regulation EU, 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation), recital 50, 59, 70, 73; article 21

[14] Regulation EU, 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation), article 7

[15] Regulation EU, 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation), recital 50; article 5(1)(b)

[16] Regulation EU, 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation), recital 39; article 5(1)(c)

[17] Regulation EU, 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation), recital 39; article 5(1)(e)

[18] Regulation EU, 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation), recital 50; article 5(1)(d)

[19] Regulation EU, 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation), recital 29, 71, 156; article 5(1)(f), 24(1), 25(1)-(2), 28, 39, 32

[20] Article 29 Data Protection Working Party, Guidelines on Data Protection Impact Assessment (DPIA) and determining whether processing is “likely to result in a high risk” for the purposes of Regulation 2016/679

[21] Regulation EU, 2016/679 of the European Parliament and of the Council of 27 April 2016 (General Data Protection Regulation), recital 94-95; article 35(4)-(6), 36

 
