GDPR is a big issue for event planners right now as many come to grips with the changes the regulation will bring to the way they collect, store and manage the personal information of people coming to their events. The understanding of all the requirements is also no mean feat. In fact, a recent survey on ‘GDPR readiness’ across meetings and events found that nearly 50% of event planners are unsure if the steps they’re taking are sufficient in meeting GDPR requirements – despite 60% holding responsibility for compliance.
Did you know that a data breach is essentially what can get your events into a lot of trouble under GDPR? Find out what you should do to prevent your attendee data from getting lost, stolen or compromised by getting your copy of ‘The Event Planner’s Guide to Data Security in a Post-GDPR World‘.
Responsibility for GDPR compliance is something that goes through the entire event supply chain – from the organisation that is hosting the event and their event management team, all the way through to the third-party vendors that process data on their behalf. So even though your IT and legal team may be the ones dealing with implementation and processes, there are many important aspects of the new data protection regulation that event planners need to be aware of so they don’t put their organisations at risk.
Based on conversations we’ve had with clients and other event professionals across a number of industries, we have identified below the most frequent red flags around GDPR.
In no particular order, here are our current top ten:
1) Legacy Lists
The question is; how good are your lists and will they stand up to being audited? Your mailing lists are a good example when it comes to legacy lists. For years you may have been e-mailing people without their full approval. Maybe you didn’t realise you were doing so. After all, you may have inherited a database that had been built over time. If, however, you are not confident that your list meets the GDPR test then you would be better off deleting them.
One well known pub chain decided that they didn’t know their legacy lists well enough and decided to stop using them. That may sound extreme but for them it was the right decision. What is your decision?
Connected to legacy lists is the thorny issue of what legal basis you will use for processing personal data. Consent is one basis. If you meet the requirements of consent that is great. Alternatively, you could decide to use Legitimate Interests as your legal basis and if that is the case then you have to be sure that you meet the correct guidelines to comply or else you will be told to stop processing. Using Legitimate Interests as a way of contacting people is fine as long as your reasons are truly legitimate. If not, then you are likely to be having many discussions with the Supervisory Authority to argue your case. Our thoughts if you are not really sure about using Legitimate Interests as an argument, don’t do it. It is the weakest of the other legal reasons for processing.
Consent is quite confusing to many people. Firstly, it is only one of the methods that can be used to process personal data. One of the other methods is through contract. For example, if an event planner contracts a speaker, they do not then need to use consent as a means of staying in touch with the speaker in the lead up to the event. It’s clear that the speaker and event planner are working together and that is covered under the contract. If, however, the event planner wanted to market their event to speakers and didn’t have their consent to do so, then that would be a different matter.
When you do need consent make sure that there is no ambiguity in your message. Remember you cannot use any pre-ticked boxes anywhere regardless of whether they are on paper or in a device.
3) Processors Vs. Controllers
Are you a data controller or are you a processor or are you a mix of both? In the events space, it is easy for a number of organisations to be a mix and not even realise it. One example of being a mix of both applies to the Professional Conference Organiser (PCO). How much does it really matter anyway? After all the goal is to keep personal data secure. For clarification however, it is important to understand which hat you are wearing as that is especially important in the case of reporting data breaches.
In simple terms, if you are an event planner and you have a list of delegates that you are directly in contact with, then you are the controller. If for your event you provide that list to a registration company for name badges etc. then you have passed them to a processor. If you do everything in house then you are wearing both hats. The rule of thumb Is always to spell out in a Contract to a processor exactly what you need them to do. Then there is no ambiguity plus you have an auditable record that you can show the Supervisory Authority.
4) Business Size
This is again a red flag for us because there are some businesses that believe GDPR doesn’t apply to them because of their size. That argument is incorrect. Even if you are a business owner operator you will still need to have your own Data Protection policies and processes in place. Coaches, speakers and sole traders of all types are currently writing and updating their policies to ensure compliance.
Connected to this is a tangential flag which is about supplying services or products on a B2B or B2C basis. Again, it doesn’t matter. Both are affected.
5) Data Breach Deadlines
Data breaches have to be reported within 72 hours of discovering the incident. This might sound like a long time but it is pretty short. If you are a processor you need to notify the data controller. And of course, the Supervisory Authority needs to be notified. Think of what you can be doing to secure personal data to prevent a breach. In the world of busy event professionals using multiple devices on the road, the potential for a breach becomes heightened.
6) Subject Access Requests (SARs)
The rights of individuals as mentioned earlier is at the very heart of GDPR. Individuals are entitled to find out what information is held on them. It’s the same position today so that doesn’t change. What does change in the UK is that the deadline for providing the information is 30 days and not 40 days. And you can no longer charge for the information. Of course, the 30-day deadline starts once you have verified that the person asking for the information is actually who they say they are. Therefore, you need proof of identity processes in place to deal with the SAR requests.
7) Focus on Fines
Many speakers, consultants and blogs start with talking about the level of fines and penalties if breaches occur. It’s good. It grabs attention quickly. It scares people. However, the scarier issue which is often not mentioned is that the Supervisory Authority has the power to tell your business to stop work. Think of that. Stop your business. It’s time to get away from calculating whether your organisation will be in business because of a fine but what you will do when people are told to stop working.
Get your copy of ‘The Event Planner’s Guide to GDPR Compliance’, and learn what impact Europe’s new data protection regulation has on event marketing, data management and event technology.
8) Data Transfer Shortcuts
It is always busy working in the events space. There are many things to be done and time is always a challenge. That in itself can easily breed short cuts to get the job done. Unsecured spreadsheets with personal information are whizzed away to all sorts of venues, hotels, speakers and others. That will have to change. Securing documents with passwords, using encryption and other methods to keep data secure will need to be used. Remember, that the Supervisory Authority can come and audit your organisation which means your processes for sharing data will have to be recorded.
9) Geographical Location
“We will not be affected by your GDPR” is a phrase that continues to resound in our ears from organisations that are based outside of the European Union. It is a fair comment to a degree after all it is European Regulation. But, that is when you have to look deeper and realise that it applies for the benefit of European citizens and residents. Applying this to events then. Let’s take an example by way of European delegates coming to your event in Australia or New Zealand. You will be bound then by GDPR even though you are at least 10,000 miles away from the UK.
Our advice, it’s best to think of GDPR as borderless.
10) Inadequate Training of Staff
Accountability is a key principle of GDPR. Everyone in an organisation has responsibility for personal data. It is not down to HR. It’s not down to IT. It’s not down to the Board. It is down to everyone. What does this mean for you? Well it means that for any temporary staff or interns or volunteers that you use, they need to be made aware of your Data Protection practices and processes. Everyone is accountable. If you keep that as your mantra you will not go far wrong even in the very busy event periods.
The 10 flags above just touch the tip of the iceberg. They are provided to provoke thinking about what your organisation needs to do. In no way should this blog post be construed as legal advice.
You can expect the intensity on privacy rights to be top of mind for many people following the recent ‘Facebook’ news. One thing is certain, GDPR is only going to continue to evolve. It is best to make sure it’s included fully in all your event planning activities and if you do find that you need to make some changes to your organisational policies, then now is the time.
Need help tracking and managing consent on event websites and registration forms? Eventsforce offers a comprehensive set of event management solutions, services and expertise that can help support the event planner’s journey to GDPR compliance – from audit trails and consent management to anonymisation of personal information and data security. For more info, please click here or get in touch: email@example.com