Event organizers know that in the era of event personalization, collecting attendees’ data is key to providing them with an engaging, customized event experience. But managing your attendees’ data comes with responsibility for their privacy and security.
With the European Union’s General Data Protection Regulation (GDPR) compliance deadline coming up fast (May 25th 2018—if you haven't already marked your calendars), the event world is preparing for how to collect and utilize meaningful personal data from their attendees without compromising attendee security or risking breaching the GDPR.
New to GDPR compliance? Start with our first GDPR blog to learn the 6 key GDPR rules that event planners need to be aware of.
In order to address GDPR compliance, there are people, processes and systems to consider. The first step is to get a full picture of what personal information is being captured, which suppliers are getting access, as well as where and how this data is being stored. To do this, your organization needs to map which services and processes depend on which pieces of personal data in a GDPR Data Map. Without a clear and complete picture it’s impossible to sensibly implement GDPR within an organization.
To help with this initial step, there is already an emerging set of specialized software solutions that offer GDPR-compliant data inventories, such as OneTrust and Vigilant Software. For some smaller organizations, an Excel document or Google Sheet may also suffice. Your GDPR Data Map should compile the following items:
- Data items (e.g. names, email addresses, personal records, health information, etc.)
- Formats (e.g. online data entry, hard copy forms, your organization’s database)
- Transfer methods (e.g. digitally, by mail or phone, internal and external data transfers)
- Locations (e.g. offices, Cloud, third parties you share data with)
Take extra care to audit your data for any “special category” data. Special category data is any particularly sensitive information, including political affiliation, ethnic origin, religion, biometrics and others. There are substantial rules and restrictions around the collection and handling of special category data, outlined on the European Commission’s website.
Once you’ve completed your GDPR data map showing who is using what pieces of personal data, the second step is to implement the functional and technical requirements of the GDPR framework.
Data Protection Officer (DPO)
Organizations that regularly process large amounts of customer data as part of their core business require a DPO to be responsible for both the technology and the processes implemented regarding personal data. In this role, the DPO reports to the board or the CEO. Before starting recruitment efforts, understand the scope of the DPO's responsibilities as they relate to your specific business. In many cases there are external DPO services which can help you with compliance.
Data controllers or your organization’s DPO must report any breach to data protection authorities within 72 hours of becoming aware of the breach. Many organizations already have a process like this in place for security breaches.
The data subject (visitors, attendees, exhibitors, etc. whose data the organizer manages and controls) must freely give their consent. GDPR sets high standards for how your users give consent—for example, you’ll need to use checkboxes that are initially blank and that users actively tick, instead of pre-ticked boxes, or provide clear yes/no options. If they refuse to consent to the processing of their data, this can’t result in negative consequences, such as the inability to attend your event.
Data subject rights
Understand the rights of your data subjects, and be sure they understand them as well. When collecting personal data from your event attendees or clients, ensure that you have provided them with accurate information about their rights and security. They have the right to access their data; have inaccuracies corrected; have their data erased; prevent direct marketing; and ensure their data is being transported safely.
Subject access requests
This refers to your users’ or attendees’ ability to “pack up their data” and go, should they wish to do so. This means your organization needs to be able to provide users with a copy of all of their personal data within a month (or less). You may also be asked to delete all of this data after you have provided it to them.
Privacy by design
Companies should incorporate organizational and technical mechanisms to protect personal data as part of their systems and processes. Privacy and protection must be ensured by default.
Preparing for GDPR is no small task for large organizations, but it’s also not optional. Although the new regulations will cost companies up front as they update their processes and contracts, the new laws are there to protect individuals. As event marketers enter an increasingly digital era, the privacy and security of their attendees is becoming a higher priority, and GDPR helps to ensure that all organizations uphold it.