A Guide to GDPR and the Event Industry

The General Data Protection Regulation Act (GDPR) took effect on May 25, 2018. Its stipulations further strengthened the privacy rights of EU citizens and gave them more control over their personal and sensitive data.

This posed a new challenge to businesses, as non-compliance comes with a hefty fine. Any company that collects and processes data of EU citizens needs to follow GDPR, including those in the events industry.

If you host events in the UK or if you’re using event management software that lets you collect data from guests (even if your vendors are located outside the EU), then you need to make sure your data collection process is up to date.

Key GDPR Changes

Although GDPR covers all of Europe, each country can introduce their own law to augment it. In the UK, for instance, the Data Protection Act 2018 was also introduced in May 2018 to replace the Data Protection Act 1998.

Under the GDPR, any company that processes personal or sensitive data of EU residents needs to be aware of the following changes:

• Consent forms: you need the permission of every user before you get their information. It should be through a positive opt-in that clearly details all the data you would gather and what you intend to do with them. For reference, you can go to the Information Commissioner’s Office (ICO) and look at their comprehensive guide on consent.
• Legal compliance: you need to have an in-house data protection officer (DPO) who will oversee large-scale data collection. Companies with more than 250 employees need to have proper documentation of the data they collecting and their processes. On top of that, you also need data protection policies and data protection impact assessments.
• Reporting: in the event of security breach, the ICO and all the people affected should be informed within 72 hours.
• Request for transparency: individuals have the right to file a Subject Access Request (SAR) so they can see the kind of data you have on them. This should come at no cost. They also have the right to have their data removed, transferred, or object to how their data is processed.
• Fines: small offences can be fined up to €10 million (£8.8 million) or 2% of the company’s global turnover (whichever is greater), while grave offences can be fined up to €20 million (£17.6 million) or 4% of the company’s global turnover (whichever is greater).

How does GDPR Impact Corporate Event Management?

Event management is a world away from what it was a few years ago. With new technologies having transformed the event industry, we are able to market and stream events on social media and collect more information than ever before. We are also able to connect and engage with attendees far more productively.

However, this also opens the door for cyber criminals looking to hack into systems and steal personal or sensitive information to advance their own illegal ends. The Facebook-Cambridge Analytica scandal early this year is a prime example of this, as millions of users’ data were accessed by a third-party app and allegedly swayed the US presidential elections.

One of the key reasons why GDPR came into force is because previous legislation just doesn’t properly cover the nuances of the internet, social media, and other modern data collection technologies.

In the events industry, we are affected by GDPR in the following ways:

• Use of data collection tools: we use various tools (e.g. registration systems, mobile apps, surveys, lead capture) to collect attendee information. These tools need to be regulated, so guests will not be subjected to the same situation as that of Facebook.
• Collecting sensitive information: we gather attendee names, contact details, employment information, gender, disabilities, and dietary preferences—all of which are sensitive in nature and can be used for criminal purposes in the hands of the wrong people.
• Data-driven marketing: with data-driven marketing starting to be crucial for meetings and events, you need to understand the kind of information you are allowed to collect, and what to do with it.

Organisers have to be aware of the stipulations of this law as it completely changes how you will gather, process, and protect information of EU residents, especially in the use of marketing and personalisation.

Sharing with third-party organisations (e.g., venues, sponsors, agencies, tech providers) is also covered by law—both your company and the vendor must be compliant, regardless of location.

What About Brexit?

In mid-2017, the UK confirmed GDPR compliance despite its looming EU exit. In fact, prior to its May 25th implementation, studies show that 61% of UK organisations were already compliant, as they performed data audits, documented processes, and trained employees. However, there are still those who expect to be compliant only a year or so after implementation.

Today, four months after GDPR took effect, research shows that only a third of EU-based companies are actually compliant. Fulfilling SARs has been the primary challenge, as companies could not return user information within one month (as per GDPR stipulations).

Five Steps to Staying GDPR-compliant

If you haven’t yet, we’ve prepared a list of items you should consider so you’ll stay GDPR-compliant:

1. Assign a DPO and train your staff

Compliance begins with upper management. To make sure the entire team is compliant, you need to:

• Hire a DPO: your data protection officer will oversee data policies and practices within the organisation, making sure you’re legal every step of the way.
• Create awareness: your DPO cannot carry this out on their own. Create a GDPR-driven mind-set within the team and train them, ensuring that everyone is on the same page when it comes to data management and that they understand the implications of GDPR.

2. Audit data and define internal policies

Begin with a complete information audit of the data you currently have. Your audit should include your current database, where you got these data from, how you processed them, and which third-party organisation you’ve shared them with.

Afterwards, define internal policies for the following:

• Removing personal data: how long after an event can your remove data? And what is the process for this?
• Come up with consent policies: consent policies are to be shown to a contact before they agree to share personal information with you. Then, apply this policy to all current active events and future events.
• Review registration forms: make sure you review your forms and add all required information that event attendees need to know (e.g. purpose of data collection, processing data, who you are, where will the data go, etc.). Consent boxes also should not be pre-ticked, as they need to decide whether they want to have their data collected or not.
• Develop a process for data breach: although you would not want this to happen, it’s vital that you have a system in place for breach detection and management. According to the law, you need to report data breach within 72 hours of finding out, so your process should be timely and efficient.
• Develop a process for access request: your guests can, at any time, request to have a copy of their information or have them deleted. To process these requests faster, come up with an automated system that allows for individual access without needing to send a request. You should also train your staff to respond efficiently.

3. Obtain consent

The crux of GDPR is to strengthen an individual’s control over their data, so double check their rights, especially those with regards to access, erasure, data portability, and others.

• Reach out to attendees who have not yet provided consent: if you have active events currently with registered guests, communicate with them and obtain their consent.
• Provide copies of personal data to attendees: you are legally mandated to provide attendees a copy of the personal data you have on them upon their request.
• Remove personal information: if a guest requests to “forget” or have their personal information deleted, you are also legally mandated to comply.
• Provide separate tick boxes: unbundle consent in your forms, so they can provide consent for each information you need (e.g. phone number, email, sharing with third parties).
• Acquire consent where children are concerned: the GDPR is especially protective of minors, so make sure that consent are also obtained from parents or guardians.

4. Contact all third-parties involved

Even if the third-parties you work with are not located in the EU, they are still subject to GDPR. Get in touch with them and make sure that everyone who requested to be removed from their databases is removed.

This is applicable to any software or app you use for event registration or management, as well as event sponsors, partners, and stakeholders.

5. Move data into a secure database

Invest in an encrypted system, instead of old-fashioned spreadsheets. You’ll be less vulnerable to cyberattacks, you can control who has access to data, and you can update logins/passwords regularly. Be careful as well of who has access to any printed data.

Stay Compliant

Four months into its implementation, staying compliant is proving to be a challenge for a lot of companies. Regardless, you need to make sure you draw up an action plan as you run the risk of hefty fines. You can also seek advice from GDPR consultants to make sure you’re operating within legal bounds.