26 July 2018

Getting Ready for GDPR – It’s All About Consent

Louise Flynn

This is the second blog in our GDPR series. To start at the beginning, read our GDPR and the Event Professional.

We all know business revolves around data. It’s a fact of life that gets more and more prominent with every passing year. We also know getting access to that data means big money and lots of attention.

In Blog 2 of our latest series on GDPR, we look at the important role that Consent now takes in your relationship with your event attendees, clients and suppliers.

GDPR stands for General Data Protection Regulation, and it is a series of regulations designed to protect the data privacy of European Union citizens.

There’s been a lot written and discussed on the topic of GDPR, especially on how it impacts the meetings industry.

Even if you register just one person from a European Union country, as a meeting planner you are obligated to protect that citizen’s personal information. European Union citizens have specific and detailed rights to understand how their data is being used and how long it will be used, and ultimately to have full control over their personal data.

Equally important are the obligations that meeting planners face in protecting that data.

And that’s why it’s all about consent!

Consent is the process by which every attendee to our meetings agrees to give you their personal data. Whether on a written form, by telephone, email, or most commonly in an online registration form, meeting planners must obtain and record proactive consent from that attendee for you to access and use their personal data.

In other words, you have to ask for their consent, and your attendees have to agree to give you consent.

So, how hard can that be? It’s both easy and hard.

It’s easy to display a check box and ask your attendees to check it.

What’s a little bit harder is understanding the issues and requirements about consent.

Here are a few important requirements that you, as a meeting planner, are obligated to meet:

  • Display your organization’s policies around data protection and privacy. You need to make sure you display statements to the attendee that describe why you are collecting their data and how long you plan to use it, and you need to do so in clear, easy-to-understand language.
  • You also need to tell them about any third-party businesses that you plan to share their personal data with. These can be hotels, transportation vendors, golf clubs, or any other organization that might have access to your attendee’s personal data.
  • You must also ask for consent before asking for any other personal data. In other words, if they don’t wish to provide you with their personal data, allow them to opt-out and not submit their information.
  • If you are collecting data on spouses or children, you must let your attendees know about that as well.

Managing Consent is a two-way street, however!

Under GDPR, you are also obligated to allow your attendees to withdraw consent at any time. But, you must think about what that really means to your organization!

If an attendee calls you up six weeks before an event and states that they wish to withdraw their consent, you must say OK and accommodate that request in a reasonable time frame.

But, you are operating a business, and that means that you may have to cancel their registration, offer a refund (per your stated cancellation policies) and more.

You are also obligated to fully remove their personal data from your databases. But, you can retain details of financial transactions, such as taxes, payments, refunds and more. You just need to work out processes to accommodate both sides of the request – your attendee’s right to privacy and your right to operate a business!

And it can be a little tricky to balance these two potentially conflicting issues!

One event management product, EventsAIR, knows that managing consent under GDPR is a crucial and detailed requirement. Their new Data Protection Toolkit has built-in processes and controls for obtaining Consent and documenting internal policies surrounding data privacy.

I spoke to Trevor Gardiner, our CEO, about how GDPR and consent impact event planners.

“It’s a hugely important undertaking. Meeting planners must not only define and display their internal data privacy practices to their attendees, they need to proactively obtain consent and record the details of that consent being given.”

Mr. Gardiner noted that their technology doesn’t do the work of compliance for the meeting planner, but instead, gives them a practical and comprehensive technology to support the planner in complying with GDPR.

“Every meetings company will have different policies and practices,” Mr. Gardiner said. “Our goal has always been to empower our clients with the tools and processes they need to get their work done effectively and efficiently. Whether it’s managing a hotel rooming list or making sure you are complying with GDPR, we’re focused on making sure they can get their work done in the most efficient way possible!”


For more ideas on managing your GDPR compliance, talk to one of our EventsAIR consultants live online or contact us.

For EventsAIR Community, the tools for engagement are within your reach.

  1. Log in to your EventsAIR Online Documentation Portal via your personal User Portal to access whitepapers and webinars to get started today.
  2. Data Protection in EventsAIR resources include several videos and whitepapers to help you configure your EventsAIR Protection Toolkit.