One of Europe’s biggest shake ups in data protection and privacy laws is coming into effect in May 2018 and preparations across the events industry are already underway. A new industry poll from Eventsforce this month has found that 95% of event planners have started planning for the new General Data Protection Regulation (GDPR) – but are they doing enough?
Why is GDPR So Important for Events?
GDPR is a new legal framework that is set to change the way we collect, process and protect the personal data of people in the European Union. We published an article on the topic a few months ago (Blog: What Event Planners Need to Know About GDPR), looking at what the new requirements meant for our industry, the implication of BREXIT and how non-compliance, compared to current data protection regulations, can bring serious financial consequences to organisations worldwide.
For event planners, specifically, there are three main reasons why GDPR matters:
- Responsibility for GDPR compliance extends to marketing and event operations – not just IT and legal departments. It will apply to every organisation hosting events in the EU and ANY organisation collecting data on EU citizens and residents – regardless of where the events take place.
- Events deal with high volumes of personal data collected through registration forms, mobile apps, surveys and networking tools (attendee names, contact details, gender, dietary preferences etc). With data-driven marketing increasingly at the forefront of meetings and events, it is inevitable that planners need to know what they can and can’t do under GDPR.
- GDPR requires event planners (and event management agencies) to play a bigger role in securing their event data and ensuring that third party suppliers (ex. event tech suppliers) are also GDPR compliant. Not doing so can result in hefty fines and lost business.
Did you know that a data breach is essentially what can get your events into a lot of trouble under GDPR? Find out what you should do to prevent your attendee data from getting lost, stolen or compromised by getting your copy of ‘The Event Planner’s Guide to Data Security in a Post-GDPR World‘.
Event Technology and GDPR Compliance
GDPR regulations require compliance both by data controllers (ex. company hosting an event) and data processors (ex. event tech companies like registration and mobile app providers that processes data on their behalf). The requirements clearly state that data controllers must show how they are complying with the new regulations. And part of that responsibility is making sure that all the data processors they are also dealing with are also fulfilling their legal responsibilities. If in the course of an investigation it is found that these parties have not been compliant, then the organisation hosting the event may also be found liable too.
It is therefore important for event planners to find out how their event tech providers are planning to meet their obligations around GDPR by asking them the following questions:
1. Where is Our Data Hosted?
Hosting and sharing data within the EU is legally not a problem – as long as your event tech providers meet the requirements of GDPR. What can create issues and a much heavier burden on you, however, is if the data in these systems is stored in servers outside of the EU. Remember, it is your organisation’s responsibility to ensure that data transfers outside the EU still meet GDPR standards. Some countries like Canada have equivalent standards, while others like the US don’t. US transfers may be covered by the ‘Privacy Shield’ agreement but this is currently under challenge in EU courts and can be a risky long-term option.
If your data is hosted in servers outside the EU, then you need to ask your providers what steps they’re taking to make sure your data transfers are compliant. They also need to explain clearly what contractual and legal safeguards they have in place to look after your data at all times.
2. Who has Access to Our Data?
It is not enough meeting GDPR requirements with just data storage and the location of servers. You also need to find out how your data is being used while it’s being processed by their organisation. Find out who from their organisation has access to your data and where are these people located. For example, the support centre of your event management solution provider will have remote access to your attendees’ personal data. If the support team is based outside the EU (event if data is hosted within the EU), then you will need to ensure that they’re also complying with GDPR standards.
Find out if they also subcontract any part of your data processing to third parties or if your data is accessible through other countries or legal entities within their own corporate group. If they do, then find out what kind of data processing agreements they have in place that meet the new standards.
Get your FREE eBook: ‘The Event Planner’s Guide to GDPR Compliance’, and learn what impact Europe’s new data protection regulation will have on event marketing, data management and event technology – as well as what steps event planners need to take now to get ready for the May 2018 deadline.
3. How Does Your System Allow Us To Store Consent?
One of the key changes that GDPR will bring is ensuring you have the right processes in place to store the consent you get from individuals when collecting their personal information. For example, if you’re using an event registration system, you would want it to store the date and time an attendee ticked a particular consent box, along with the IP address that was used. That way, if the person complains or there’s an investigation by authorities, your organisation can prove what consent was given, when it was given and how.
4. How Does Your System Help Us Delete Personal Data?
Similar to the earlier point, GDPR gives individuals the right to be forgotten – which means you need to have a process in place that allows you to quickly ‘erase’ any personal information you hold on people. So, if someone attended one of your events but wants you to remove all their information from your database, you need to make sure that your systems have the proper processes in place to help you do that – quickly and at little cost to your organisation.
Ask your providers how their system will help you delete the information, whether this data is also deleted in back up servers and how quickly this is done. Make sure they confirm in writing whenever they do this as this will give you protection if they’ve failed to delete as promised. It’s also worth asking them what their general policy is around data retention: how long do they keep your data on their servers, whether it is moved to other locations and whether or not they delete it after a defined period of time.
5. How Does Your Organisation Comply with GDPR?
Ask your tech suppliers how they themselves comply with GDPR. Having an EU-based tech provider will ensure that they’re also subject to the new regulations, which will limit your own risk of non-compliance. But that’s not enough. What is their understanding of the new regulations and how will they help you meet your own obligations? How important is data security for them as an organisation – do they follow best practices? How do they monitor vulnerabilities? Who has access to your data, how do they handle authorisation and what happens when someone leaves? And what about their own suppliers and third-party contractors who also have access to their data? Having the answers to these questions will protect you from any unpleasant surprises in the future.
If you haven’t already started, we would highly recommend that you start planning for GDPR now by thinking about how your events are collecting data on EU citizens, how you’re storing this information and what your event tech providers are doing in preparation for the new regulations – especially if their datacentres are based outside of the EU. Finally, implementing changes will be a team effort where everyone is aware of the new requirements, along with all the new processes that you’ll need to put in place.
Eventsforce offers a comprehensive set of event management solutions, services and expertise that can help support the event planner’s journey to GDPR readiness. If you’d like to have a chat about GDPR and how we can help you out, get in touch with us now on +44 (0) 20-7785-7040 or firstname.lastname@example.org.