When the European Union (EU) passed the General Data Protection Regulation (GDPR) into law in May 2018, it gave EU residents more control over the personal information that is gathered and how it is used. Now that GDPR is in effect, how organisations deal with data has changed for everyone – that includes event organisers and event app users.
Rightfully, many global businesses are concerned about ensuring their efforts and events are compliant with GDPR. The penalties for failing to follow procedures are stiff, a fine of €20 million ($23 million) or 4% of annual revenue may be levied against your organisation. So, what can you do to be sure your event programs are following GDPR best practices and avoiding fines?
1. Make Sure Event Planning is Compliant
Whether you are in the business of planning corporate internal events or external conferences, you will need to make sure everything you do is GDPR compliant. If you are gathering personal information from attendees, whether it is during pre-event registration, on-site, or during the event, this affects you. In particular, you should:
- Obtain clear consent to gather and use the data in any manner
- Make it easy for people to withdraw consent
- Name any third-parties that will have access to the data
- Show that consent was freely given
- Require consent in order to use your service
Those are just the provisions on the front end. You will want to read on to see the rest.
2. Check All of Your Forms
Review all of your forms, including registration forms and privacy notices, to make sure they are GDPR compliant. In addition, you will want to review your systems to ensure they are capable of handling user data and they are compliant with the law's specific provisions. For example, are you able to process and verify a request to delete an individual's entire data trail upon request?
3. Capture Consent by Requiring People to Opt-In
Ensure you offer clear explanations of how an individual's data may be used and provide them with a pathway to give you consent to use that data.
Previously, you were able to assume you had permission unless someone specifically requested to opt out. Now, you need to have expressed permission from users in order to use their data in any form. Here are a few helpful examples: 10 Examples of Opt-In consent forms
The Information Commissioner's Office in the UK provides a good checklist to make sure you are following the rules.
4. Review Mailing Lists
Make sure you have clear consent from participants before providing any data to any third party. This includes using your mailing list or sharing contact information with participants.
If you are purchasing mailing lists, make sure the company providing them to you will provide you with proof of consent and indemnification against claims if they violate GDPR.
5. Be Careful With Data Collected in The Past
Don't think that just because you already had the information in hand prior to GDPR’s effective data of May 25th that you are good to go. You will need to get permission to use any previously gathered data. The best advice is to treat all personal information as if you do not have permission and request it – with a clear explanation of how you will use it – before proceeding.
6. Learn the Key Provisions of GDPR
GDPR not only regulates how the data is used, but it also covers the user's right to access their personal data. Are you prepared to provide that data upon request? That is just one of the key provisions you should account for when dealing with data in addition to consent provisions:
Other GDPR Provisions
- Clear and plain language in forms
- In the event of a breach, users must be notified within 72 hours
- Users have the right to know who is collecting their data and what that data is being used or processed for
- Users have the right to request removal of their data upon request (also known as "The Right to be Forgotten")
- “Data minimisation” means you can only use the data for its intended and stated purpose
- You must have a Data Protection Officer responsible for compliance
Even if you are not a company in an EU country or doing business in the EU, the rules still apply to you if you process the personal data of any EU residents. If your event allows international guests, then GDPR may likely apply. If your event registration website allows EU visitors, then this applies to you too.
7. Evaluate Third-Parties
You may think you are safe from liability if you do business with a third-party vendor that does your data processing or fulfills some function, such as handling your mailings or registrations. However, GDPR places “equal liability” on the organisations that own the data (called data controllers) and outside organisations that help manage the data (data processors). If a third-party you work with is not in compliance, you can be held liable. Make sure any company you work with will verify they are GDPR compliant.
As an event organiser or manager, you are at the forefront of executing critical functions like registering attendees and managing pre, during, and post-event communications. It is crucial that you and your team are leveraging the best practices for GDPR and that you are working with vendors who understand the regulations inside and out.