The International Association of Privacy Professionals has estimated that Global 500 companies have prepared to spend $7.8 billion on GDPR compliance. (iapp.org)
As an event planner, you need to prevent your business from being fined for breaching privacy rules, especially now that more people have become aware of their rights concerning the information they share with organizations. You can do this by ensuring that all data you collect during event registrations, surveys, and similar activities is kept secure and does not infringe on customers’ privacy. GDPR is one of the regulations you must take seriously to avoid privacy issues.
What is GDPR?
GDPR is the acronym for General Data Protection Regulation. It was introduced by the European Union (EU) on May 25th, 2018, to bring consistency to data protection and to improve the rights and control that individuals have over their data. GDPR allows businesses to have more precise and more straightforward legal requirements to follow across the 28 EU countries instead of dealing with different sets of laws in each country.
Organizations that breach GDPR may be fined up to €20 million, or 4% of their global annual turnover, whichever is higher. Thus, investing in technology and personnel to ensure that your organization complies with GDPR is worth it. Even though this regulation protects UK/EU citizens and residents, you still need to comply with it if your event takes place outside the UK/EU but you want to allow UK/EU citizens to participate, or if EU residents or citizens use your content online and leave their personal information with you. Complying with the GDPR may also help you comply with privacy laws outside the EU, since it is one of the strictest. According to legal jobs, 66% of Americans may want the US to adopt personal privacy laws similar to the GDPR.
The GDPR is concerned with the security of stored data, website safety, the right of customers to have their data deleted, how easily customers can access their data, and more. If you find that your current practices do not comply with the GDPR, you may need to audit the personal data you have collected and amend your policies and procedures to ensure you process data safely and securely. (ico.org.uk)
GDPR for Event Planners
As an event organizer, GDPR affects most of your activities, as the nature of your job requires that you collect highly sensitive data from your customers. According to legal jobs, over 1,000 online publications in the US and other countries outside Europe have blocked EU readers because they are not ready to comply with the GDPR. Thus, they miss out on the EU market, which is far from ideal.
We recommend you know how the GDPR comes into play as an event organizer and take steps to comply with it so you can cover the European market as well. Here are some areas GDPR affects.
During in-person events, be very clear on what information you need during the registration process. (ieeemce.org)
2. Internal list sharing
Within your organization, GDPR does not allow you to share lists between departments if they do not use the data solely for the purpose for which it was collected. For instance, if an individual signs up for product A but your organization has products A, B, and C, the GDPR does not allow you to add their data to the mailing lists for products B and C. Adding people to lists they have not opted in to would likely get them to unsubscribe even without the GDPR, and that is still not good for the image of your organization. (21ilab.com/blog/)
3. Sponsorship and partnerships
88% of sponsors attend events to increase awareness. Hence, it is okay for you to help your sponsors and partners increase their market reach. Under GDPR, you cannot share your customer/attendee information with any third party unless customers have opted in. Even with their consent, you need to be careful about the kind of information you share. (ieeemce.org), (guild.co)
Delegate data is considered personal data; hence, you must comply with the GDPR when sharing it with clients. In addition, this kind of sharing requires a privacy notice that unambiguously explains that you may transfer personal data to sponsors.
Apart from delegates giving their consent, there are other common scenarios in which you can share delegate data with partners: the transfer may be necessary for the performance of the contract with the delegate, or it may be required for your “legitimate interest”, provided it does not prejudice the rights of the delegate.
Ideally, delegate consent is obtained by letting them tick a box or sign a contract. This consent should be evident and easy to understand, and kept separate from any other consents you need for marketing purposes. You must allow delegates to withdraw their consent on request. You must also keep records of each delegate’s consent and the date it was given. (guild.co)
Note that for customer consent to be valid, the individual must be older than the age of digital consent, which is currently set between 13 and 16. For younger individuals, you need to make a ‘reasonable effort’ to obtain the permission of their parents. (realbuzzregistrations)
4. Lead capture
When capturing leads at the event, let attendees know who is getting the information and who is not.
Event entrant data rights under GDPR
Delegate/event attendees enjoy the following rights under the GDPR.
1. Right to be informed
When collecting data, you must tell delegates the purpose for processing their data, how long you will retain it, and who else will have access to it. It is best to do this transparently. (ico.org.uk), (wired.co.uk)
2. Right to access
Individuals have the right to ask for information on the data you hold on them. Before the GDPR came into force, organizations could charge a fee whenever individuals requested this information. Today, you cannot charge fees, but the law gives you 30 days to grant the request. You should be able to provide digital copies of their data. (ico.org.uk) (ieeemce.org)
3. Right to object
If an attendee asks you to stop processing their data for direct marketing purposes, you must do so immediately; you have no other choice in this instance. In other instances, you may have the right to continue processing the data if you have a compelling reason to do so. The law requires you to tell individuals of their right to object. (ico.org.uk)
4. Right to rectification
Attendees have the right to change the information they gave you. For instance, they can request a change of address when they relocate or ask you to update their phone number. You have between one and two months to make the changes, depending on their complexity. It is your responsibility to inform any third parties you have shared the data with so that they make the necessary changes at their end. (ico.org.uk)
5. Right to be forgotten
Your customers have the right to request that you delete all the data you hold on them. Unless you have a good reason to keep the information, you need to grant the request. If you have shared the information with a third party, you need to inform them so that they delete the data too, unless they have a good reason to retain it. (ico.org.uk) (ieeemce.org), (wired.co.uk)
6. Right to restrict data processing
The customer has the right to tell you to stop further processing of their information. You may keep their data, but you must not use it for any additional activities; in particular, you are prohibited from adding them to mailing lists. (ico.org.uk)
7. Right to data portability
When a data subject requests their data, you must provide it in a format that allows them to reuse it for another service or purpose. They also have the right to request that you send the data to another organization, which may be your competitor. (ico.org.uk)
8. Rights to automated decision making, including profiling
Automated decision-making refers to the act of making a decision solely by automated means without human involvement. Profiling refers to the automated processing of personal data to evaluate specific attributes about an individual.
The GDPR protects individuals when you have to carry out automated decision-making that has legal significance. You can only make these decisions when necessary to carry out the contract for which applicants signed on, when you are authorized by domestic law to do so, or when the individual has given their explicit consent. (ico.org.uk)
9. Breach notification
You must notify both your customers and data protection authorities within 72 hours of discovering a security breach. Failure to do so can attract heavy fines. There have been over €359 million in significant GDPR fines. (legal jobs)
10. Privacy by design
Privacy by design is not precisely a right of your customer but rather a responsibility on your part as an event organizer. The GDPR requires that you build data security into your products and services. All technology you use, from start to finish, must secure your customers’ data and provide them with security and safety.
11. Data protection officers
If your organization collects large amounts of data or deals with very sensitive data, such as health records or criminal records, you are obliged to have a Data Protection Officer (DPO). The DPO ensures that the right systems are in place to avoid breaching the GDPR. They need to train staff on privacy issues, ensure that all data processing activities are documented, and ensure that data protection policies are kept up to date. (wired.co.uk)
According to recent GDPR statistics, the demand for Data Protection Officers has risen by over 700%. (legal jobs)
We have discussed how the GDPR affects you and your organization. Strict compliance with it would ensure that you protect the privacy rights of your customers. This protection not only allows you to act within the confines of the law but also enhances your organization’s image and helps you avoid large fines or bad publicity associated with non-compliance.
It’s vital to follow the regulation strictly when working within the UK/EU or with UK/EU residents/citizens. Nevertheless, applying it in any part of the world would help boost your organization’s image. According to legal jobs, nearly 8 in 10 US companies have taken steps to comply with the GDPR, so it would help to stay ahead of the competition. Visit https://ico.org.uk to learn more about the GDPR.