One year on, it seems many in the events industry are still struggling with GDPR. In fact, the findings of a new research study unveiled that an overwhelming 90% of event planners are facing a number of challenges around GDPR compliance, with on-going issues around consent management, running GDPR checks with event suppliers and controlling how third parties are using attendee data.
Interestingly, however, these challenges don’t seem to be the only things events are having trouble with. The study also identified a number of other areas that organisers are still unclear about when it comes to meeting compliance requirements – including things like event photography, how to manage data scanned by exhibitors, the length of time you need to store attendee data and what constitutes a data breach.
We spoke to Hellen Beveridge, Privacy Lead at Data Oversight and head of the LinkedIn community group ‘Who’s who in events’, who has been actively championing the importance of GDPR in our industry over the past couple of years. She shared with us her views on how events have dealt with the new legislation over the past year, and answered some of the top questions event planners still have about GDPR.
GDPR Q&A with Hellen Beveridge, Privacy Lead, Data Oversight
Since May last year, we have seen three approaches to the GDPR and updated Data Protection Act 2018. They represent quite a range of thinking:
- Aren’t we clever, we didn’t bother (other than slapping a privacy notice on our website – maybe) and we got away with it.
- We’re fine. We’ve ticked all the customer-facing boxes, we can now get back to business as usual.
- This impacts every part of our business, every day. To do this properly we are going to need to embed this into our organisation’s culture.
Our experience over the last 12 months has shown us that there is a lot more of approaches 1 and 2 than of 3. So reading through the EventsForce study has been an interesting exercise: more than 80% of respondents believe they are complying with the regulations, yet 20% say they have a limited understanding of GDPR.
Another 30% are struggling with managing their supplier relationships – and 16% are still unsure what legal basis they should be using for processing their attendee data. Most worryingly, only 12% of respondents said that they had stopped buying lists of data post May 2018. This suggests that some of those who believe they are complying with the Regulation, patently aren’t.
What these statistics (and our experience interacting with event organisers) show is that there is still a fundamental lack of understanding of what the GDPR is asking organisations to do, or what ‘compliance’ actually looks like.
If we are going to get geeky about it, there are only a few Articles in GDPR that deal with legal basis for processing, and yet this is the most persistent theme that companies home in on. The Articles dealing with supplier relationships, security, records of processing and all the other back-room activities take up a lot more space but are often ignored.
By answering some of the questions asked during the survey for the ‘Are Your Events Complying to GDPR’ report, we hope we can help fill a few more of the knowledge gaps that still exist amongst event planners. So here goes…
What attendee data should be held (for legal purposes) even after a requested deletion?
OK – so if someone asks you to delete their data you have two options: either delete all or retain some, if there is a legal obligation to. Examples of the latter would be details of a financial transaction, CCTV footage for evidential purposes and employee records. Basically, anything that the law says that you must keep. Remember, however, that you still have to stick to the data minimisation and retention principles (i.e. only keeping the data that is absolutely necessary for that purpose and only for as long as the law tells you to).
If the question relates to marketing data information (i.e. someone has asked you to take them off the database because they are tired of receiving emails from you), then you need to ask them if they are exercising their ‘right to restriction’ or ‘right to object’ – rather than their ‘right to erasure’. If so, then you can keep the absolute minimum amount of data on a global suppression list to make sure that they don’t accidentally get put back onto your database. You would use ‘legitimate interests’ as your basis for processing this data, so consequently you will need a Legitimate Interests Assessment (LIA).
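One way to hold the global suppression list described in the answer above while storing the minimum possible data, as an added example that is not from the interview, from Data Oversight or from EventsForce: the list keeps a keyed hash of the normalised email address (HMAC-SHA256 with a secret pepper, an assumption of this example) plus which right was exercised and when, rather than the plaintext address. An incoming list import is then checked against it before anything is loaded. The `SuppressionList` class, the `SUPPRESSION_PEPPER` environment variable and the sample addresses are all constructed for this example.

```python
"""Suppression list stored as keyed hashes rather than plaintext addresses.

Illustrative example added to this page; not code from the interview.
Assumptions (not from the page): addresses are normalised by trimming and
lower-casing; entries are identified by HMAC-SHA256 over the normalised
address with a secret pepper read from SUPPRESSION_PEPPER.
"""
import hashlib
import hmac
import os
from datetime import datetime, timezone
from typing import Dict, Iterable, List, Optional, Tuple

# Constructed default so the example runs offline. In real use, load the pepper
# from a secret store kept apart from the database: a leaked table of keyed
# hashes cannot then be reversed with a dictionary of common addresses.
PEPPER = os.environ.get("SUPPRESSION_PEPPER", "example-pepper-do-not-use").encode()

RIGHTS = ("objection", "restriction")  # the rights the answer above distinguishes


def normalise(email: str) -> str:
    """Canonical form so 'Alice@Example.com ' and 'alice@example.com' match."""
    return email.strip().lower()


def suppression_id(email: str) -> str:
    """Keyed hash of the normalised address: the only identifier stored."""
    return hmac.new(PEPPER, normalise(email).encode(), hashlib.sha256).hexdigest()


class SuppressionList:
    """Minimal record per person: hash -> {right exercised, date recorded}."""

    def __init__(self) -> None:
        self._entries: Dict[str, Dict[str, str]] = {}

    def add(self, email: str, right: str, recorded: Optional[str] = None) -> None:
        """Record that the person has objected or asked for restriction."""
        if right not in RIGHTS:
            raise ValueError("right must be one of %s" % (RIGHTS,))
        self._entries[suppression_id(email)] = {
            "right": right,
            "recorded": recorded or datetime.now(timezone.utc).date().isoformat(),
        }

    def is_suppressed(self, email: str) -> bool:
        return suppression_id(email) in self._entries

    def stores_plaintext(self) -> bool:
        """Sanity check: no '@' should ever appear in the stored table."""
        return any("@" in k or "@" in str(v) for k, v in self._entries.items())

    def filter_import(self, emails: Iterable[str]) -> Tuple[List[str], List[str]]:
        """Split an incoming list into (allowed, blocked) before it is loaded."""
        allowed: List[str] = []
        blocked: List[str] = []
        for e in emails:
            (blocked if self.is_suppressed(e) else allowed).append(e)
        return allowed, blocked


if __name__ == "__main__":
    sl = SuppressionList()
    sl.add("Alice@Example.com", "objection", "2019-05-01")
    # Constructed incoming list, e.g. a fresh export from a registration tool.
    ok, stopped = sl.filter_import(["bob@example.com", "ALICE@example.com "])
    print("allowed:", ok)
    print("blocked:", stopped)
```

Because the hash is keyed, the table can be shared with the team that runs list imports without handing them a readable list of everyone who has objected; if the pepper is rotated, the table must be rebuilt from the original requests, so keep the rotation procedure in the same place as the Legitimate Interests Assessment that justifies the list.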
How best can we use photography at events within the rules of GDPR? How do we manage photography when some people have said no?
If you are going to make photography a consent-based activity, then you have to have some way of identifying who has said you can’t use their image for any purpose. Some organisers have got around this by giving attendees a different coloured lanyard. So when the photographs are taken, they don’t use any with these individuals in them.
In other instances, photographers have become very adept at taking images where the individuals in the photographs are identifiable. You need to work out how important the photographs are to you, what you are going to use them for and a simple, practical way of being able to identify those you can’t use. If you are going to use images for advertising purposes, you might want to think about using models or staff members or anyone who can legitimately sign an image release waiver.
Remember also, that anyone can withdraw their consent at any time. ‘Yes’ today could be ‘no’ tomorrow. If you reference the capture of images in your event terms and conditions for specified purposes, make sure that you cover off everything you might want to use the images/videos for. Again, a person will still have the right to tell you that you can’t use their image, so be careful with regards to expensive collateral or advertising campaigns.
As the organiser of an exhibition, do I have the right to check the scanned data of our exhibitors, before giving these to them?
Well, you can look, but you can’t touch – that is unless you have contracted terms and conditions which give you the right to withhold data if you think that an exhibitor has been abusing their scanner privileges.
It’s a bit complex, but you need to understand the legal basis under which the data is being transferred. The organiser to exhibitor scanning activity is different to scanning on entry or for access to a workshop theatre.
When an exhibitor scans a visitor’s badge for the purposes of sending them more information, the visitor is exercising their right to portability. They are instructing the organiser (the data controller) to send their contact information (electronic business card) to the exhibitor. The organiser cannot interfere with this process and should append the data subject’s record with information about the transfer, including date and mechanism by which the request was made.
As an event planner, is it enough to teach yourself or would you recommend a GDPR specialist to review your processes?
Well – I would go for a specialist – though you would expect me to say this. But the fact of the matter is that you can’t mark your own homework. You will always look at your processes in the light of what you want your business to achieve, so are likely to fall prey to the plasticine problem – moulding the legislation to fit your business rather than changing your business practices to fit the legislation.
Plus, the rules are complex, particularly if you are managing multi-national data. If you are happy to spend the rest of your days constantly reading about data protection law then by all means go ahead. Otherwise, find yourself someone who enjoys doing this and is happy to distil the information down for you.
Third party data – i.e. emergency contact details. Where does that sit under GDPR? How do we know we have consent? How long do we keep their information for?
This is another place where consent causes confusion. Next of kin information isn’t processed under consent because the data subject concerned can’t effectively say ‘no’, and ‘yes’ is very difficult to obtain. The information is collected to protect the data subject’s vital interest. You could also argue that the information is required to protect the data subject’s legitimate interests.
How long can you keep it? Essentially until the need for it ends. So for an employee, you need to delete the information the day they leave the company. For an event attendee, the day the event finishes.
What constitutes a data breach?
A breach is loss, alteration, destruction or denial of access.
The most common way the first one occurs isn’t via a big hack, but by human error. It could be someone sending a spreadsheet of data to the wrong person by email. This is one very good reason to get your data into a secure CRM system and have access rights enabled.
If you have a major IT issue which means that you cannot access your data, this is also a data breach. Dependent upon the type of data you are processing, it might be reportable.
That doesn’t mean you have to go trotting off to the ICO every time someone loses a memory stick. Whether a loss is reportable or not depends very much on the risk to the data subjects and the number involved.
However, you should be able to record every incident on your records of processing, not least to see if there is a pattern of behaviour you need to break. On a cautionary note though, don’t get blasé. Just because you might judge a particular data loss as non-reportable, it doesn’t mean someone won’t make it into a news story.
Keep your data safe at all times, get people to tell you what has happened and have a mitigation process already in place so that you don’t get caught on the hoof.
Read: The Event Planner’s Guide to Data Security – find out the 8 things event planners need to STOP doing to prevent a data breach!
What are the BREXIT implications on GDPR?
Where to start…
Firstly, the GDPR has been adopted into UK law, the DPA 2018 references it throughout. On leaving the EU, the UK will adopt the UK GDPR, translating the Regulation directly into UK law. So, whatever happens, it is not going away.
If your events involve the processing of non-UK data, then be prepared for some seismic changes. Not least that you will find yourselves in a dual-regulatory environment. This means that if you have an incident which results in a fine from an EU regulator, then you are likely to also face a fine from the UK’s ICO – two fines for the price of one.
Plus, you are going to have to go and learn all of the variations of EU data protection law for the other 27 members because UK law will no longer apply in a European context. And finally, you are going to need to appoint an EU Representative (these make DPOs look inexpensive) and you may have to register with the ICO equivalent in an EU country.
Most privacy policies I see are still about protecting the company, not the individual. When will the ICO step in to correct this?
Very observant – though the question does carry the subtext of “how long can I carry on doing the naughty stuff before the teacher catches me out”.
This goes against the core principle of data protection, which is doing the right thing because it is the right thing to do. Lots of organisations take an off-the-shelf notice and apply it to their business because it seems quick and easy. But beware, a privacy notice is a direct reflection of how seriously you are taking your data protection responsibilities.
While the ICO doesn’t, as far as we know, go looking for these kinds of misdemeanours (because frankly there is lots of other low-hanging fruit they can go after), a badly executed privacy notice has impact in many other ways. For example, if someone is going to issue you with a Subject Access Request (SAR), they generally do so when they are cross, with your Privacy Notice being the first place they look. If there are no contact details or there is no notice at all, then you are just making them crosser. When they go to the ICO to complain about you, it’s easy pickings if your ‘notice’ is incorrect.
The other way a poor Privacy Notice can impact you is commercial. Procurement which involves data will now often have the input of a company’s DPO or privacy specialist. When I do this, the first two things I look at are the ICO register of fee payers and the company’s Privacy Notice. If either of these is missing, the company doesn’t get to first base. If the Privacy Notice refers to DPA 1998 or has absolutely no reference to the data processing activity that we are potentially contracting for, then it’s the same result, or I will be sending out a supplier assurance questionnaire.
You might not know (unless you are part of a formal tendering process) that you have lost the business because of this. So don’t take the risk on something that is relatively easy to fix.
Overall, the key advice is to keep asking questions on how the legislation applies to your business. There is no ‘one size fits all’. Event organisations use large quantities of data in a fast paced environment, so it is critical that all of the back room ducks are in a row. And remember, GDPR compliance is not a destination. It is a journey. And you might need to get an expert driver in from time to time to keep you on the right track.
Follow Hellen Beveridge on LinkedIn: https://www.linkedin.com/in/hellenbeveridge/