GDPR for events: Ensuring your event is compliant
As event professionals we collect more data and information than ever before, which allows us to connect and engage with our clients and event attendees in ways that were unimaginable just a decade ago. However, more data means more compliance regimes… and for good reason. The General Data Protection Regulation (GDPR) is one of these, and it has significant implications for the events industry.
We’re taking a deep dive into GDPR and what it means for professional event planners, including your obligations and the processes you need to undertake to achieve compliance. This shouldn’t replace expert advice, and the GDPR itself should be your first point of reference.
What is GDPR?
With the exponential growth of technologies that rely on data collection, the risk of cybercrime has grown with it. With hackers and criminals out to steal credit card details, account passwords, personal information, and who knows what else… what’s a meeting planner to do?
The European Union (EU) recognized that a unified approach was required to protect personal data and privacy, and adopted the General Data Protection Regulation (GDPR) in 2016; it has applied since 25 May 2018. It protects individuals in the EU (not only EU citizens), and because it is a regulation it applies directly in every member state, so companies avoid the complexity of complying with many different local data protection laws.
If a company is found to be in violation of GDPR, it can be fined up to €20 million or 4% of its worldwide annual turnover, whichever is higher, for the most serious infringements.
The importance of consent with events
One of the critical components event planners need to be aware of concerning the GDPR is consent. Consent is one of six lawful bases for processing personal data (Article 6), and where you rely on it, it must be freely given, specific, informed and unambiguous. Processing that is genuinely necessary to fulfil the registration itself (issuing a ticket, invoicing) can rest on the contract with the attendee instead, but using their data for marketing, or passing it to sponsors, typically does need consent.
In the context of the events industry, relying on consent means that every attendee actively agrees to give you their personal data for the stated purposes. Whether on a written form, by telephone, email, or an online registration form, you need an affirmative action from the attendee, and because Article 7 requires you to be able to demonstrate that consent was given, you must record who consented, to what wording, when, and through which channel.
In other words, you have to ask for consent, your attendees have to agree to give it, and you have to be able to prove that they did.
So, how hard can that be? Displaying a check box is easy. What is harder is getting the details right: the box cannot be pre-ticked, consent cannot be bundled into acceptance of the terms and conditions, and withdrawing it must be as easy as giving it (Article 7(3)).
GDPR for event planners
While the EU established the GDPR, the regulations have global impacts for the events industry.
If an individual located in the EU signs up for your marketing email list or registers to attend your event, the GDPR applies to you even if your organization is outside the EU (Article 3(2) covers offering goods or services to people in the EU). So unless you deliberately exclude European registrations, you will need to be GDPR compliant – or risk fines and sanctions.
Let’s take a closer look at the rights and obligations the GDPR introduces for both event attendees and planners.
The rights of your event attendees
In addition to the issues surrounding consent, the GDPR gives individuals in the EU (data subjects) specific and detailed rights to understand how their data is used, how long it will be kept, who receives it, and to exercise meaningful control over it.
Along with other rights described in the GDPR, your event attendees have the right to:
- Be told, at the point of collection, what personal data is collected, why, and on what lawful basis (and, where consent is the basis, to give or refuse it)
- Be forgotten, by having their personal data erased (or anonymized beyond recovery), subject to legal retention exceptions
- Access the personal data the meeting organizer stores and uses about them
- Know which third parties (recipients) have received their personal data
- Withdraw consent at any time, as easily as it was given
- Have inaccurate data corrected whenever requested
- Receive a copy of the data they provided in a portable, machine-readable format.
Important obligations as meeting planners
Under GDPR, meeting planners are specifically required to:
- Obtain and keep a record of attendees’ consent where consent is the lawful basis (and be able to show which lawful basis covers each processing purpose)
- Report a personal data breach to the supervisory authority within 72 hours of becoming aware of it, unless it is unlikely to result in a risk to individuals, and notify the affected individuals without undue delay when the risk is high
- Allow access to personal data upon request, normally within one month
- Ensure personal data can be “forgotten”, including deletion or anonymization and notification of every recipient of the erasure
- Provide personal data portability upon request
- Track which recipients personal data has been sent to
- Demonstrate that processing complies with GDPR (accountability), including keeping records of processing activities
- Appoint a Data Protection Officer where Article 37 requires one (public authorities, or core activities that involve large-scale regular and systematic monitoring or large-scale processing of special-category data); otherwise, designate someone accountable for data protection.
Important obligations of your technology partners
Your technology vendor is also part of this equation. As a Data Processor under GDPR, it acts under a written contract with you (Article 28) and is obliged to:
- Process personal data only on the documented instructions of the Data Controller (you)
- Implement appropriate technical and organizational security measures so that GDPR is met and the rights of the Data Subject are protected
- Tell the Data Controller about all sub-processors and third parties that see personal data, and not engage a new sub-processor without your authorization
- Notify the Data Controller of any personal data breach without undue delay, since your own 72-hour clock for reporting to the authority starts once you become aware of it
- Appoint a Data Protection Officer where Article 37 requires one (the same criteria that apply to controllers).
Critical steps for GDPR compliance for events
The steps you’ll need to follow in order to be GDPR compliant as an events planner are already well documented, so we’ve kept this short. If you need more assistance, your best bet will be to seek advice from the many consultants and professionals specializing in GDPR compliance. But to get you started, here’s a simple list of items to consider:
- Identify your Data Protection Officer and train staff on data privacy standards.
- Define your internal policies for removing personal data from past events.
- Identify fields in past and current events that contain personal data.
- Define and document your data processing consent policies.
- Apply data consent policies for all events.
- Review any reports and exports that third parties can access.
- Provide documentation of personal data to attendees upon request.
- Remove or “forget” personal information upon request.
- Advise third party processors and other recipients of all requests to “forget” an attendee’s personal data.
1. Identify your Data Protection Officer and train staff on data privacy standards.
The Data Protection Officer is the lead member of your organization who oversees and directs your data protection policies and practices. If Article 37 does not require you to appoint one, still name an accountable owner for this role; either way, make sure staff who handle registration data know the basics, including how to recognize and escalate an access request or a suspected breach.
2. Define your internal policies for removing personal data from past events.
When you no longer need personal data, it needs to be removed. How long after an event will that happen, and how will you remove data from past, archived events?
3. Identify fields in past and current events that contain personal data.
It will be easier to delete personal information if you have profiled your database and understand which fields contain personal data for current and past events.
4. Define and document your data processing consent policies.
Data processing consent policies are statements shown to a contact before they submit their personal information and confirmation of consent to you.
5. Apply data consent policies for all events.
Apply your data consent policies consistently so you capture consent for every registration, and record which version of the consent wording each attendee saw, since consent only covers what was actually disclosed at the time.
6. Review any reports and exports that third parties can access.
You need a process to track and record each time you export data or create a report that third parties can access, and each time such data is accessed; this log is what lets you answer “who has seen my data” requests and meet the obligation to notify recipients of erasures.
7. Provide documentation of personal data to attendees upon request.
When an event attendee or marketing subscriber requests a copy of their personal data you have collected, you’ll need an efficient process for finding and providing this information.
8. Remove or “forget” personal information upon request.
A requirement of GDPR is to honor all requests from event attendees to “forget”, delete, or remove their personal information. However, you are also able to retain key historical data where required, such as to meet financial or tax obligations.
9. Advise third party processors of all requests to “forget” attendees’ personal data.
Article 19 requires you to notify each recipient of your attendees’ personal data, including third party processors, of erasure requests, unless this proves impossible or involves disproportionate effort. This matters because they may have stored the information in locations you cannot manage directly, e.g. on a backup server, and you should ask them to confirm when the erasure is complete.
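Steps 3, 8 and 9 above are easier to get right when the classification of fields is explicit in code rather than in someone’s head. The following is an added example, not EventsAir code: the field names, the seven-year retention rule for invoices and the sample attendee record are all assumptions made here to show the workflow.

```python
# Added example (not EventsAir code): an erasure workflow for steps 3, 8 and 9.
# Field names, the seven-year retention rule and the sample record are assumptions.
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Step 3: classify every column in the registration database up front.
PERSONAL_FIELDS = {"name", "email", "phone", "dietary_requirements"}
FINANCIAL_FIELDS = {"invoice_number", "amount_paid", "invoice_date"}  # tax records (assumed)
OPERATIONAL_FIELDS = {"event_id", "attended"}                          # not personal on their own
RETENTION_YEARS = 7  # assumed statutory retention period for invoices


@dataclass
class Attendee:
    attendee_id: str
    data: dict
    shared_with: list = field(default_factory=list)  # step 6: every export recipient
    erased_on: Optional[date] = None


def retention_expired(invoice_date: date, today: date) -> bool:
    """True once the invoice is at least RETENTION_YEARS old (tuple compare avoids 29 Feb issues)."""
    return (today.year - RETENTION_YEARS, today.month, today.day) >= (
        invoice_date.year, invoice_date.month, invoice_date.day)


def erase(att: Attendee, today: date) -> dict:
    """Step 8: honour a 'forget me' request. Personal fields are blanked; financial
    fields survive only while the retention period is still running. Step 9: the
    returned 'notify' list is the de-duplicated set of recipients to inform."""
    unclassified = set(att.data) - PERSONAL_FIELDS - FINANCIAL_FIELDS - OPERATIONAL_FIELDS
    if unclassified:
        # Refuse rather than silently leave personal data behind in an unprofiled column.
        raise ValueError(f"unclassified fields, finish step 3 first: {sorted(unclassified)}")
    invoice_date = att.data.get("invoice_date")
    keep_financial = invoice_date is not None and not retention_expired(invoice_date, today)
    removed, retained = [], []
    for key in att.data:
        if key in PERSONAL_FIELDS or (key in FINANCIAL_FIELDS and not keep_financial):
            att.data[key] = None
            removed.append(key)
        elif key in FINANCIAL_FIELDS:
            retained.append(key)
    att.erased_on = today
    return {"attendee_id": att.attendee_id, "removed": sorted(removed),
            "retained": sorted(retained), "notify": sorted(set(att.shared_with))}


def demo(today_iso: str) -> dict:
    """Run the workflow on a constructed sample record (not real attendee data)."""
    sample = Attendee(
        "A-1001",
        {"name": "Jane Example", "email": "jane@example.com", "phone": "+44 20 7946 0000",
         "dietary_requirements": "vegetarian", "event_id": "EV-2023", "attended": True,
         "invoice_number": "INV-4411", "amount_paid": 350.00, "invoice_date": date(2023, 3, 14)},
        shared_with=["badge-printer", "hotel-block", "badge-printer"],
    )
    return erase(sample, date.fromisoformat(today_iso))


if __name__ == "__main__":
    print(demo("2024-06-01"))  # financial fields retained, two recipients to notify
    print(demo("2031-01-01"))  # retention expired, everything blanked
```

The refusal on unclassified fields is deliberate: an erasure routine that quietly skips a column it does not recognize is exactly how personal data survives a “forget me” request in a free-text notes field.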
How can our event technology solutions help to improve your next event?
At EventsAir, we understand the importance of selecting the right event technology partner – someone who can help turn your valuable data into information gold, and manage the regulatory and compliance issues that come with handling that data.
Our technology is fully compliant with GDPR, and we also offer our customers a Data Protection Toolkit – a fully integrated set of tools and processes designed to help meeting organizers provide superior data protection for their clients’ personal data. It will also help you achieve the standards of reporting, logging and tracking required for full GDPR compliance and other data privacy regulations.
We have one simple mission: to help event planners deliver the WOW in their events with the world’s most powerful event management technology. We’ve delivered some of the world’s biggest events, and we’d love to help you too.
Reach out to request a demo, and one of our team members will be in touch shortly.