Event management is a different world than it was just a few years ago, transformed by technologies that have changed the very way we approach our work. We collect more information than ever before, and we can access our event planning and reporting tools from wherever we need to work. This has enabled us to connect and engage with our clients and event attendees in ways that were unimaginable just a decade ago.
But there’s a downside to these technologies: they’ve introduced a new and significant challenge, securing our attendees’ data against cybercrime. With hackers and criminals out to steal credit card details, account passwords, personal information, and who knows what else, what’s a meeting planner to do?
It’s a difficult problem that affects all industries, not just ours. The European Union (EU) recognized that a unified approach was required to protect personal data and privacy for EU citizens, so they adopted the General Data Protection Regulation (GDPR). The GDPR applies across the EU, so companies avoid the complexity of complying with many different local data protection laws. It also reaches globally, so if a single EU citizen signs up for your marketing email list or registers to attend your event, the GDPR applies to you.
Enforcement begins on May 25, 2018, and companies found in violation can be penalized millions of Euros. But a recent study by Deloitte revealed that 85% of organizations surveyed did not expect to be fully compliant by this date. Many businesses are finding it difficult to audit their current processes, model their information flows, and understand their data risk.
We’re taking a deep dive into GDPR and what it means for modern meeting planners, including your obligations and the processes you’ll need to undertake to achieve compliance. We hope this will give you a stronger foundation as you evaluate your current position and start the crucial conversations about how to deal with GDPR requirements. However, this shouldn’t replace expert advice, and the regulation itself should be your first point of reference.
Essentially, GDPR documents the key rights of EU citizens (your attendees), and the obligations of Data Controllers (you) and Data Processors (any providers of technology you use to manage event registration or other personal data). The following lists are provided as a guide only.
Along with other rights described in the GDPR, your event attendees have the right to:
Under GDPR, meeting planners are specifically required to:
Your technology vendor is also part of this equation. As Data Processors under GDPR, they are obligated to:
The steps you’ll need to take are already well documented, so we’ve kept this short. If you need more assistance, your best bet will be to seek advice from the many consultants and professionals specializing in GDPR compliance. But to get you started, here’s a simple list of items you should consider as your organization prepares for GDPR.
The Data Protection Officer is the lead member of your organization responsible for overseeing and directing your data policies and practices.
When you no longer need personal data, it needs to be removed. How long after an event will that happen, and how will you remove data from past, archived events?
It will be easier to delete personal information if you have profiled your database and understand which fields contain personal data for current and past events.
Data processing consent policies are statements shown to a contact before they submit their personal information, together with their confirmation of consent, to you.
For all future events and all events currently in progress, apply your data consent policies so you can capture consent for any new registrations.
If you have registered attendees, you should reach out to them and obtain consent to collect their personal data.
Event planners need a process to track and record each time data is exported or a report that third parties can access is created, and each time such data is accessed.
When an event attendee or marketing subscriber requests a copy of their personal data you have collected, you’ll need an efficient process for finding and providing this information.
A requirement of GDPR is to honor all requests from attendees to “forget”, delete, or remove their personal information. However, you are also able to retain key historical data where required, such as to meet financial or tax obligations.
You are required to notify third party processors of your attendees’ requests to “forget” their personal data. This is because they may have stored the information in locations other than those you can manage directly, e.g. on a backup server.
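As an added illustration, not part of the original article and not EventsAIR's own code, the following Python model ties together the retention, export-logging, subject access and erasure items above: it tags which fields hold personal data, logs every export and erasure, answers a subject access request, honors an erasure request while keeping fields under a legal hold, and records which third-party processors must be notified. The field names, the 365-day retention period, the processor names and the sample registrations are constructed assumptions, not values from the article.

```python
"""Constructed example of an attendee-data registry with GDPR-style handling.

Not from the original article or from any vendor; every policy value below
(retention period, field classification, processor names) is an assumption.
"""
from dataclasses import dataclass
from datetime import date, timedelta
import json

# Assumed field classification: which registration fields hold personal data
# (the "profile your database" item) and which are kept under a legal basis
# such as invoicing records even after an erasure request.
PERSONAL_DATA_FIELDS = {"name", "email", "phone", "dietary"}
LEGAL_HOLD_FIELDS = {"invoice_id", "amount_paid"}
RETENTION_DAYS = 365  # assumed retention policy


@dataclass
class Registration:
    attendee_id: str
    event: str
    event_date: date
    data: dict


class AttendeeRegistry:
    def __init__(self, processors):
        self.records = []
        self.audit_log = []          # every export, access and erasure is recorded here
        self.processors = processors  # third-party processors that must be told about erasures
        self.notifications = []

    def _log(self, action, subject, detail=""):
        self.audit_log.append({"action": action, "subject": subject, "detail": detail})

    def register(self, reg, consent):
        # Refuse to store personal data without a recorded consent decision.
        if not consent:
            raise ValueError("no consent recorded; refusing to store personal data")
        self.records.append(reg)
        self._log("register", reg.attendee_id, reg.event)

    def subject_access_request(self, attendee_id):
        # Gather every personal-data field still held for one attendee, across all events,
        # and log the export so the report can be traced later.
        found = []
        for r in self.records:
            if r.attendee_id != attendee_id:
                continue
            personal = {k: v for k, v in r.data.items() if k in PERSONAL_DATA_FIELDS}
            if personal:
                found.append({"event": r.event, **personal})
        self._log("export", attendee_id, "subject access request")
        return json.dumps(found, sort_keys=True)

    def erase(self, attendee_id):
        # Honor a "forget me" request: strip personal data but keep legal-hold fields,
        # then queue a notification for each third-party processor.
        touched = 0
        for r in self.records:
            if r.attendee_id == attendee_id:
                r.data = {k: v for k, v in r.data.items() if k in LEGAL_HOLD_FIELDS}
                touched += 1
        self._log("erase", attendee_id, f"{touched} record(s)")
        for p in self.processors:
            self.notifications.append((p, attendee_id))
        return touched

    def retention_sweep(self, today):
        # Remove personal data from events older than the retention period.
        cutoff = today - timedelta(days=RETENTION_DAYS)
        expired = [r for r in self.records if r.event_date < cutoff]
        for r in expired:
            r.data = {k: v for k, v in r.data.items() if k in LEGAL_HOLD_FIELDS}
            self._log("retention_expire", r.attendee_id, r.event)
        return len(expired)


def demo(today=date(2018, 5, 25)):
    """Run the whole lifecycle on constructed sample registrations."""
    reg = AttendeeRegistry(processors=["badge-printer", "email-sender"])  # assumed names
    reg.register(Registration("A1", "Summit 2018", date(2018, 3, 1),
                              {"name": "Ada", "email": "ada@example.test",
                               "invoice_id": "INV-1", "amount_paid": 250}), consent=True)
    reg.register(Registration("B2", "Summit 2018", date(2018, 3, 1),
                              {"name": "Bob", "email": "bob@example.test",
                               "invoice_id": "INV-2", "amount_paid": 250}), consent=True)
    reg.register(Registration("A1", "Workshop 2016", date(2016, 6, 1),
                              {"name": "Ada", "phone": "000",
                               "invoice_id": "INV-0", "amount_paid": 100}), consent=True)
    expired = reg.retention_sweep(today)                  # Workshop 2016 is past retention
    sar = json.loads(reg.subject_access_request("A1"))    # only Summit 2018 still has personal data
    erased = reg.erase("A1")                              # both A1 records touched, invoices kept
    remaining = [r.data for r in reg.records if r.attendee_id == "A1"]
    return {"expired": expired, "sar_events": len(sar), "erased": erased,
            "remaining": remaining, "notifications": reg.notifications,
            "audit_actions": [e["action"] for e in reg.audit_log]}


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2, default=str))
```

The audit log is deliberately append-only and records exports and erasures as well as registrations, which is what makes the "track each export" and "notify processors" items auditable later.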
EventsAIR by Centium Software has been producing event management software for over 30 years. As technology pioneers for the meetings industry, EventsAIR has been fully GDPR compliant since its inception.
The platform is built around the Microsoft Azure Cloud and offers a powerful Cloud App structure that includes highly secure and private databases for every client. It also incorporates the highest level of Payment Card Industry Data Security Standard (PCI DSS) compliance to ensure all personal data and credit card details are fully protected.
The team behind EventsAIR has recently released the EventsAIR Data Protection Toolkit – a fully integrated set of tools and processes designed to help meeting organizers provide superior data protection for their clients’ personal data. Using the toolkit for ongoing registration and event management also enables EventsAIR clients to achieve the standards of reporting, logging, and tracking required for full GDPR compliance and other data privacy regulations.
For more information about GDPR, see: