25 May 2018

GDPR and the Event Professional

The Future is Now

Alec Sonenthal

Event management is a different world than it was just a few years ago, transformed by technologies that have changed the very way we approach our work. We collect more information than ever before, and we can access our event planning and reporting tools from wherever we need to work. This has enabled us to connect and engage with our clients and event attendees in ways that were unimaginable just a decade ago.

But these technologies have a downside: they introduce a new and significant challenge, securing our attendees’ data against cybercrime. With criminals out to steal credit card details, account passwords, personal information, and anything else they can monetize, what’s a meeting planner to do?

It’s a difficult problem that affects all industries, not just ours. The European Union (EU) recognized that a unified approach was required to protect the personal data and privacy of people in the EU, so it adopted the General Data Protection Regulation (GDPR). The GDPR applies directly across the EU, replacing the patchwork of national laws that implemented the 1995 Data Protection Directive, so companies avoid the complexity of complying with many different local regimes. It also reaches beyond the EU: if you offer your events or marketing to people in the EU and collect their personal data, the GDPR applies to you whether or not your organization is based there. A single EU attendee on your marketing email list or event registration is enough.

Enforcement begins on May 25, 2018, and organizations found in violation face fines of up to €20 million or 4% of annual worldwide turnover, whichever is higher. Yet a recent Deloitte study found that 85% of organizations surveyed did not expect to be fully compliant by this date. Many businesses are finding it difficult to audit their current processes, map their information flows, and understand their data risk.

We’re taking a deep dive into GDPR and what it means for modern meeting planners, including your obligations and the processes you’ll need to undertake to achieve compliance. We hope this will give you a stronger foundation as you evaluate your current position and start the crucial conversations about how to deal with GDPR requirements. However, this shouldn’t replace expert advice, and the regulation itself should be your first point of reference.

So, what exactly is GDPR all about?

Essentially, GDPR sets out the key rights of data subjects (your attendees) and the obligations of Data Controllers (you, because you decide why and how attendee data is processed) and Data Processors (any provider of technology you use to manage event registration or other personal data on your behalf). The following lists are provided as a guide only.

The rights of your event attendees

Along with other rights described in the GDPR, your event attendees have the right to:

  • Consent to having their personal data collected, and be told who is collecting it, why, and on what legal basis before they do (Articles 6, 7 and 13)
  • Be forgotten, by having their personal data deleted or anonymized (the right to erasure, Article 17)
  • Know what personal data is stored and used by the meeting organizer, and obtain a copy of it (the right of access, Article 15)
  • Know which third parties have received or accessed their personal data
  • Withdraw consent at any time, and as easily as it was given (Article 7)
  • Have inaccurate data corrected on request (the right to rectification, Article 16)

Your important obligations as meeting planners

Under GDPR, as a Data Controller you are required to:

  • Obtain and record consent from attendees before collecting their personal data where consent is your lawful basis, and be able to show when and how it was given (Article 7)
  • Report a personal data breach to the supervisory authority within 72 hours of becoming aware of it, unless it is unlikely to put individuals at risk, and tell the affected attendees without undue delay when the risk to them is high (Articles 33 and 34)
  • Allow access to personal data upon request
  • Ensure personal data can be “forgotten”, including deletion or anonymization and notification of the third parties who received it
  • Provide personal data portability upon request, in a structured, commonly used, machine-readable format (Article 20)
  • Track when personal data has been sent to third parties
  • Demonstrate that processing is being performed in accordance with GDPR, including keeping records of your processing activities (Articles 5(2) and 30)
  • Appoint a Data Protection Officer where GDPR requires one, for example if your core activities involve large-scale, regular and systematic monitoring of individuals (Article 37); even where the appointment is optional, naming a responsible person is good practice

Important obligations of your technology providers

Your technology vendor is also part of this equation. As Data Processors under GDPR, they must work under a written contract with you (Article 28) that obligates them to:

  • Process personal data only on the documented instructions of the Data Controller (you)
  • Implement technical and organizational measures that protect the data and help you honor the rights of the Data Subject
  • Tell the Data Controller about, and obtain authorization for, any sub-processors that see personal data
  • Notify the Data Controller of any personal data breach without undue delay after becoming aware of it, so that you can meet your own 72-hour deadline
  • Appoint a Data Protection Officer where GDPR requires one, on the same criteria that apply to controllers

Critical steps for complying with GDPR

The steps you’ll need to take are already well documented, so we’ve kept this short. If you need more assistance, your best bet will be to seek advice from the many consultants and professionals specializing in GDPR compliance. But to get you started, here’s a simple list of items you should consider as your organization prepares for GDPR.

  • Identify your Data Protection Officer and train staff on data privacy standards.

The Data Protection Officer is the person in your organization who monitors compliance, advises on your data protection obligations, and acts as the contact point for attendees and the supervisory authority. Even where GDPR does not make the appointment mandatory, someone needs to own these duties.

  • Define your internal policies for removing personal data from past events.

When you no longer need personal data, it needs to be removed. How long after an event will that happen, and how will you remove data from past, archived events?

  • Identify fields in past and current events that contain personal data.

It will be easier to delete personal information if you have profiled your database and understand which fields contain personal data for current and past events.

  • Define and document your data processing consent policies.

Data processing consent policies are the statements shown to a contact before they submit their personal information and confirm their consent to you. Under GDPR that consent must be freely given, specific, informed and unambiguous, and given by a clear affirmative action: pre-ticked boxes and silence do not count, and you need to keep a record of which version of the statement was shown and when it was accepted.

  • Apply data consent policies for all active events.

For all future events and all events currently in progress, apply your data consent policies so you can capture consent for any new registrations.

  • Send communications to all attendees who have not provided data consent.

If you have registered attendees whose consent was never captured, or was captured in a way that does not meet the GDPR standard, reach out to them and obtain it before you continue to use their data for any purpose that relies on consent.

  • Review any reports and exports that third parties can access.

You need a process to track and record each time you export data or create a report that third parties can access, and each time such data is actually accessed, so that you can answer an attendee who asks who has seen their data.

  • Provide documentation of personal data to attendees upon request.

When an event attendee or marketing subscriber requests a copy of the personal data you hold about them, you’ll need an efficient process for finding and providing it. GDPR gives you one month to respond, extendable by two further months for complex requests, and you must verify the requester’s identity before releasing anything: a subject-access request is itself an attractive way for an impostor to extract someone else’s data.

  • Remove or “forget” personal information upon request.

GDPR requires you to honor requests from attendees to “forget”, delete or remove their personal information. However, you may retain specific historical data where a legal obligation requires it, such as invoice records needed to meet financial or tax obligations. Document which fields those are and why, and delete or anonymize the rest.

  • Advise third party processors of all requests to “forget” an attendee’s personal data.

You are required to pass your attendees’ requests to “forget” their personal data on to the processors who received it, because they may hold copies in locations you cannot manage directly, e.g. on a backup server. This is also why tracking exports to third parties matters: you cannot notify a processor you never recorded.
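As an added example (not from the original article, and not EventsAIR code), the following Python sketch models the steps above for one attendee record: a field map separating personal data from the financial fields you must retain, an append-only consent log recording which policy version was accepted and when, a disclosure log for every export to a processor, a subject-access export, and an erasure that blanks the personal fields, keeps the retained ones, and queues a notice to every processor that received the data. All class names, fields and sample data are constructed for illustration and do not reflect any real product’s schema.

```python
from __future__ import annotations

import json
from dataclasses import dataclass, field
from datetime import datetime, timezone

# Field map (constructed for this example): which attendee fields are personal
# data, and which must survive an erasure because financial/tax rules require
# them. Every stored field must appear in one of the two sets.
PERSONAL_FIELDS = {"name", "email", "phone", "dietary_requirements"}
RETAINED_FIELDS = {"invoice_number", "amount_paid", "event_id"}


def _now() -> str:
    return datetime.now(timezone.utc).isoformat(timespec="seconds")


@dataclass
class Attendee:
    attendee_id: int
    record: dict
    consent_log: list = field(default_factory=list)  # append-only consent/withdrawal events
    disclosures: list = field(default_factory=list)  # every export to a third-party processor
    erased_at: str | None = None


class Registry:
    """In-memory stand-in for the event database (hypothetical schema, not a real product's)."""

    def __init__(self) -> None:
        self.attendees: dict[int, Attendee] = {}
        self.processor_notices: list[dict] = []  # erasure notices queued for processors

    def register(self, attendee_id: int, record: dict, policy_version: str, consented: bool) -> Attendee:
        unknown = set(record) - PERSONAL_FIELDS - RETAINED_FIELDS
        if unknown:
            # Refuse fields nobody has classified: profiling the schema comes first.
            raise ValueError(f"unclassified fields: {sorted(unknown)}")
        attendee = Attendee(attendee_id, dict(record))
        self.record_consent(attendee, policy_version, consented)
        self.attendees[attendee_id] = attendee
        return attendee

    @staticmethod
    def record_consent(attendee: Attendee, policy_version: str, given: bool) -> None:
        # What was shown (policy version), when, and the answer: the evidence GDPR asks you to keep.
        attendee.consent_log.append({"at": _now(), "policy_version": policy_version, "given": given})

    @staticmethod
    def has_consent(attendee: Attendee) -> bool:
        # Consent is whatever the latest event says; a withdrawal is simply a new event with given=False.
        return bool(attendee.consent_log) and attendee.consent_log[-1]["given"]

    def export_to_processor(self, attendee_id: int, processor: str, fields: set[str]) -> dict:
        attendee = self.attendees[attendee_id]
        if attendee.erased_at is not None or not self.has_consent(attendee):
            raise PermissionError("no valid consent for disclosure")
        payload = {f: attendee.record[f] for f in fields if f in attendee.record}
        attendee.disclosures.append({"at": _now(), "processor": processor, "fields": sorted(payload)})
        return payload

    def subject_access(self, attendee_id: int) -> str:
        # Subject-access response: the data itself, who received it, and the consent history.
        # The requester's identity must be verified before this is sent (not modelled here).
        attendee = self.attendees[attendee_id]
        return json.dumps({"data": attendee.record, "consent": attendee.consent_log,
                           "disclosures": attendee.disclosures, "erased_at": attendee.erased_at}, indent=2)

    def erase(self, attendee_id: int) -> list[str]:
        """Right to be forgotten: blank personal fields, keep retained ones, notify every processor."""
        attendee = self.attendees[attendee_id]
        for name in attendee.record:
            if name in PERSONAL_FIELDS:
                attendee.record[name] = None
        attendee.erased_at = _now()
        notified = sorted({d["processor"] for d in attendee.disclosures})
        for processor in notified:
            self.processor_notices.append({"processor": processor, "attendee_id": attendee_id, "at": attendee.erased_at})
        return notified


def demo() -> Registry:
    """Constructed walk-through: register, disclose to a processor, withdraw consent, erase."""
    reg = Registry()
    reg.register(1, {"name": "Ada Example", "email": "ada@example.org", "phone": "+32 2 000 0000",
                     "invoice_number": "INV-1001", "amount_paid": 250.0, "event_id": "EVT-2018"},
                 policy_version="2018-05-v1", consented=True)
    reg.export_to_processor(1, "badge-printer", {"name", "email"})
    Registry.record_consent(reg.attendees[1], "2018-05-v1", given=False)  # attendee withdraws
    reg.erase(1)
    return reg


if __name__ == "__main__":
    print(demo().subject_access(1))
```

The two design choices worth copying are that the consent log is append-only (withdrawal is a new event, never an edit, so you can still show what the attendee agreed to and when) and that erasure is driven by the field map rather than by hand, so a field nobody classified cannot be stored in the first place and cannot be missed later.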


Our solution is part of your solution

EventsAIR by Centium Software has been producing event management software for over 30 years. As technology pioneers for the meetings industry, EventsAIR designed its platform around data protection practices that align with the requirements GDPR now imposes.

The platform is built on the Microsoft Azure Cloud and offers a Cloud App structure with a separate, access-controlled database for every client. Credit card details are handled in accordance with the Payment Card Industry Data Security Standard (PCI DSS). Note that PCI DSS covers cardholder data specifically; it is not a substitute for the GDPR measures described above for the rest of an attendee’s personal data.

The team behind EventsAIR has recently released the EventsAIR Data Protection Toolkit – a fully integrated set of tools and processes designed to help meeting organizers provide superior data protection for their clients’ personal data. Using the toolkit for ongoing registration and event management also enables EventsAIR clients to achieve the standards of reporting, logging, and tracking required for full GDPR compliance and other data privacy regulations.

Further reading

For more information about GDPR, see:

https://www.ico.org.uk/

https://www.eugdpr.org/