Is 25 May 2018 marked off in your diary? It should be. That’s because it’s the day new data protection legislation comes into force and it affects everyone hosting events and collecting the personal information of EU citizens.
Non-compliance with the General Data Protection Regulation (GDPR) legislation could mean fines of up to €20 million, so it’s vital for event organisers to understand the new requirements. The legislation applies to everything from registration systems, event apps and surveys to social media, collecting business cards and scanning badges.
If you’re surprised about this, you’re not alone. A survey by law firm Irwin Mitchell found only 34% of hospitality and leisure companies were aware of the upcoming data protection changes. But there’s no need to panic. To help you prepare, we have compiled a guide to the most important elements of GDPR that you need to know.
And if you’re already using Eventbrite to collect registration details you can rest assured that your attendee data is safe, secure and compliant in our system.
What Is GDPR?
GDPR aims to address outdated data privacy regulations which were put in place 20 years ago before modern technology completely changed the way companies use data. It also aims to simplify compliance by providing a single law applicable to businesses in all EU countries, rather than having 28 different laws.
With regard to Britain’s exit from the European Union, GDPR will still apply to UK-based firms for the 10 months before Brexit officially completes. It is not clear what UK data protection law will look like after this point. However, UK-based event organisers will continue to be bound by GDPR if they hold the data of any European citizens (this includes people from Ireland or anyone with dual British/EU citizenship) or host events in EU countries.
How Does GDPR Impact Event Organisers?
Crucially, GDPR means you will have to go to greater lengths to gain consent to hold, use and share people’s data. The law stipulates that you must clearly explain how people’s data will be used and that they must provide “active” consent to that.
Passive acceptance through pre-ticked boxes or by failure to opt out will no longer be acceptable. In order to validate your existing email lists, it will therefore be necessary to ask everyone on them to reaffirm their consent.
What’s more, you won’t be able to add people to mailing lists simply because you’ve collected their business card or scanned their badge. While they might be giving you permission to contact them once, it is not permission to contact them on a regular basis. You must make them expressly aware that having their badge scanned by an exhibitor will result in them being added to that exhibitor’s email marketing list and seek unambiguous consent.
According to the new legislation, event planners must also play a bigger role in securing the personal information they’ve collected. This means not only having robust systems in-house but also ensuring that third-party suppliers are GDPR compliant (for example if you use external event tech or data collection tools).
In practice, this means you will no longer be able to manage your event data using unsecured spreadsheets, which so many event planners still do despite the prevalence of more sophisticated tools.
And it’s not just about attendee data; it also applies to staff and supplier details – the personal information of any individual must now be held in an encrypted format. This includes everything from contact information and employment details through to gender, disabilities and dietary preferences. Essentially, you are responsible for protecting the privacy of each and every individual your business deals with. So if you have unsecured data on your system and get hacked, it could land you in big trouble.
Key GDPR Changes
GDPR focuses on the rights of individuals over companies. It aims to give EU citizens more control over how their personal data is used, the right to know what data is being stored and shared and the ability to opt-out at any time. Here’s an overview of the key changes:
Consent: Event organisers must be transparent about how they will use the data that they store and obtain “active” consent.
Mandatory Breach Notification: If a security breach that is likely to “result in a risk to the rights and freedom of individuals” occurs, it is compulsory to notify both users and data protection authorities within 72 hours.
Right to Access: If an individual requests details of the information you hold on them, you must be able to provide them with electronic copies of that data. It must also show where the data is stored and what it’s being used for.
Right to be Forgotten: At any time an individual can request you delete their personal data and also stop sharing it with third parties who are then obligated to stop processing it.
Data Portability: Upon request, you must be able to provide an individual with the data you hold on them in a “commonly used machine-readable format” so they can transfer it to other data controllers.
Privacy by Design: Data security must be built into your products and process from their inception.
Data Protection Officers (DPO): You must appoint a data protection officer in charge of compliance if you are a public authority, carry out large-scale systematic monitoring of individuals (for example, online behaviour tracking), or process certain categories of data, such as data relating to criminal convictions.
Things You Need to Do
Move your data into a secure database – Stop using unsecured spreadsheets and move to an encrypted system. Be aware who has access to the data (e.g. temporary staff) and update the password regularly. If you print event data treat it as sensitive and be careful who has access to it outside of your organisation.
Contact your technology providers – Get in touch with any event registration or event management platforms you use, or the providers of any other apps or tech that use personal data, and ask them to prove GDPR compliance.
Cleanse your data – Make sure all your existing data is squeaky clean by getting people to re-opt-in and destroying any data you can no longer use or that you don’t need. Don’t forget to obtain permission for all the ways you will use their data by unbundling consent, e.g. provide separate tick boxes for contact by phone, contact by email and sharing with third parties like venues, sponsors and speakers. Third parties must be named.
Contact third parties – Contact anyone you have shared data with such as event sponsors, partners or stakeholders and ensure anyone who has requested removal is removed. Make sure they are aware of their obligations under GDPR.
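One way a registration back end could capture the unbundled consent described above, and act on access and erasure requests, is shown here as an added example (not Eventbrite’s own code); the purpose names, the third-party names and the form field layout are assumptions:

```python
"""Per-purpose (unbundled) consent records for an event registration system.
Added example, not Eventbrite's code; purposes and third-party names are constructed."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
import json

# Each processing purpose is consented to separately; sharing purposes name
# the recipient, because third parties must be named to the attendee.
PURPOSES = {
    "contact_by_email": None,
    "contact_by_phone": None,
    "share_with_venue": "Example Venue Ltd",      # constructed third-party name
    "share_with_sponsor": "Example Sponsor plc",  # constructed third-party name
}

@dataclass
class ConsentRecord:
    attendee_id: str
    granted: dict = field(default_factory=dict)   # purpose -> UTC timestamp of consent

def record_consent(attendee_id, form_fields):
    """Build a record from submitted form fields (a dict of field name -> value).
    A purpose counts as consented only when the attendee actively ticked it:
    an absent field is no consent, so nothing can be granted by a pre-ticked
    default or by a failure to opt out."""
    now = datetime.now(timezone.utc).isoformat()
    rec = ConsentRecord(attendee_id)
    for purpose in PURPOSES:
        if form_fields.get(purpose) == "on":      # "on" is what a ticked checkbox submits
            rec.granted[purpose] = now
    return rec

def may_process(rec, purpose):
    """Check consent before every use of the data for that purpose."""
    return purpose in rec.granted

def export_portable(rec, profile):
    """Right to access / data portability: machine-readable copy of what is held,
    including which named third parties the data has been shared with."""
    shared = {p: PURPOSES[p] for p in rec.granted if PURPOSES[p]}
    return json.dumps({"attendee": profile, "consent": rec.granted,
                       "third_parties": shared}, indent=2)

def erase(rec, store):
    """Right to be forgotten: delete the attendee's data from the store and
    return the named third parties that must be told to stop processing it."""
    to_notify = sorted({PURPOSES[p] for p in rec.granted if PURPOSES[p]})
    store.pop(rec.attendee_id, None)
    rec.granted.clear()
    return to_notify
```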
It’s no good burying your head in the sand over data protection – these changes are coming and apply to you. Get your team together now and draw up an action plan for implementing the necessary changes over the next seven months. It will be a significant undertaking but ultimately you will benefit from having databases that are fit for the future.