Event Manager’s Guide to GDPR Compliance

GDPR was introduced in May 2018 and presented a set of requirements concerning personal data processing and event registration software design.

Our guide is dedicated to event organizers who process attendee personal data for many reasons and in many ways, including the use of an event management platform. We present the requirements imposed by the regulations and the methods you can employ to adapt to them.

GDPR compliance is a group effort, and every organization that collects, stores, or processes personal data in any way needs to take the necessary actions to ensure data protection.

1. What is GDPR?

GDPR, or General Data Protection Regulation, is a regulation issued by EU authorities to unify, modernize, and strengthen personal data protection. It became enforceable as of May 25, 2018.

The aim of the regulation is to ensure the free flow of personal data between EU Member States, but also to introduce rules according to which the processing of personal data will be unified throughout the EU.

2. Who does it concern?

In short, every organization based in the EU that stores or processes personal data, and every organization anywhere that stores or processes the personal data of EU citizens. In particular:

Data controller

A data controller is an entity that processes personal data for its own ends. This means the end users of the collected data - you. You use this data to provide a service to your attendees. Before and during the event, you probably access it on a daily basis, and that’s what you need to do. Booking accommodation, sending reminders, marking attendance, printing ID badges, last-minute changes - all of this is data processing. This is fine as long as you have the attendee’s active and explicit consent and a valid legal basis.

Data processor

A data processor is an entity that stores or processes personal data on behalf of the data controller. This means providers of technological solutions - developers of event registration software and mobile event applications - us. We store the data in databases, we make sure it’s properly protected, and we give you the means to easily comply with the GDPR. And we sometimes process the data on your behalf.

3. Why should you care?

Let’s face it - it feels good to do good. And while the GDPR might pose some technical and organizational challenges, it’s designed to empower persons to control their personal data processed by organizations. In a way, it forces you to respect your attendees’ privacy. It promotes transparency and convenience. You do want your customers (attendees) to feel comfortable using your services. Satisfied attendees will trust and like your client or yourself, making them more likely to attend again. The main point of this section, however, is you. Most of us want to be liked, not only because of financial issues. You don’t want your brand to be seen as an evil, scheming corporation, do you? Honesty will get you a long way.

Profit

I touched on this point in the previous section, but that’s not all. The common idea is that a well-perceived, honest, and transparent brand increases revenue. It does that because:

The other point I’d like to touch on is your contact list and the contact lists of your clients and vendors. You see, under GDPR, you need to gather separate expressions of consent to add personal data to marketing lists and to transfer them to other organizations. This implies that you will probably be able to gather fewer marketing contacts, and even fewer of them can be added to the vendors’ lists. However, once you have a contact that has consented to all of the above, that lead is really interested in the offer. This will let you build healthy lists without sending communication to people who are not interested. Instead, you can focus your resources on the contacts that are likely to generate revenue.

Penalties

Last but not least, we are simply forced to comply. I know it’s not the most pleasant point, and that’s why I put it last, just in case you’re still not convinced. This one can really hurt you. If you fail to comply with the GDPR’s stipulations, you are subject to a fine of up to €20 million or 4% of your global annual turnover of the previous financial year, whichever is higher. The amount depends on the risk created by non-compliance and the scope of the non-compliance.

Apart from the fine, the data protection institution of your country can also order you to fix your processes to be GDPR-compliant or limit your data processing rights to storing it, effectively halting your business. This can be worse than the fine.

But these are only the penalties imposed by the state. If your non-compliance caused damage to the persons whom the data you process concerns, they can sue you for damages.

4. Compliance step-by-step

You know you have to comply and why you need to. But how do you go about it? I will describe all the key changes you need to take into account and then show you what you need to do and what we have done to comply.

Consent

You obviously need consent. But some things have changed:

What do you need to do to comply?

Make sure your clauses are precise, specific, and properly divided. Formulate their content according to the requirements above and you’ll be fine.

What did we do to comply?

We allow you to add any number of clauses to the event registration form and link them to documents with terms and conditions. For every integration with external data processing services, you can make a condition that only attendees who ticked an adequate clause will be automatically exported to other services. Moreover, every clause selected by an attendee becomes a part of that attendee’s record. You will be able to prove you have appropriate consent and from which IP consent was given.

Mandatory breach notification

In case of a security breach that puts the privacy of your attendees at risk, first you need to contain its effects, then describe how it happened and your planned reaction. Then, if required, you must report such an event to the data protection authorities and the affected persons within 72 hours from that event.

What do you need to do to comply?

Well, monitor your registration records.

What did we do to comply?

We can’t do much about that as successful attacks cannot be automatically detected by their very nature. Detected attacks are blocked without any harm to the data. All the personal data we store and process is stored on a server located in the EU. Non-personal data, like pictures and documents, is stored in the Amazon cloud, which is also compliant.

Right to access

Every attendee (or any person whose personal data you store or process) has the right to demand that you give them a complete set of their personal data you have gathered. You are bound to provide that data in a commonly used, machine-readable format within 30 days.

What do you need to do to comply?

React to such a request. It would be a good idea to have a process ready for such events and have it documented. You should also verify that person’s identity before sending the complete set of data; you don’t want to be held liable for personal data disclosure. What is a commonly used, machine-readable format? PDF or XLS is your best bet. The former looks better, should the attendee want to print it out, while the latter is easier to read and import into other systems (more on that below).

What did we do to comply?

You will be able to let your attendees use a contact form to request a full set of their personal data. When you receive such a request, you can easily download a PDF file with the attendee’s full set of data and send it to them.

Right to be forgotten

The rule sounds simple. The attendee demands to be forgotten so you forget about them. Delete all the data you’ve gathered on them and that’s it, right? Right. However, you need to delete all their data. This means event management software, CRM, mailing lists, and any other location they could be stored. Paper guest lists - erase. XLS files - delete the row. Another very important thing to remember is that every data processing has some legal basis. Don't delete the data recklessly! It could turn out that you are required to store it for some time.

What do you need to do to comply?

I don’t think it needs any additional clarification. The most important thing is to be diligent, thorough, and timely. I cannot tell you in particular what to do because every organization has its own data network. And if you have had consent to give data to third parties and have done so, remember to remove data from these third parties - they need to stop processing it as well.

What did we do to comply?

The contact form can also be used by the attendee to demand data deletion. After logging in, and provided that you have permission to view this data, you can decide whether to remove the data or not. Mind you, you do have the right to keep the data if and only if it is necessary to carry out your part of the agreement - in this context, if you need the data to provide the service of participation in your event.

Data portability

In essence, you have to make it possible to easily transfer personal data to other organizations. Most data processing systems accept CSV and XLS files for data import. Hence, it’s a good format to have personal data exported from your system.

What do you need to do to comply?

Make sure you’re able to extract all personal data of an individual on demand and that it can easily be imported into most external systems. As in every case of transferring personal data, do make an effort to verify the identity of the person requesting such a transfer.

What did we do to comply?

You can easily download a set of personal data onto your disk from the administration panel.
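The consent, access, erasure and portability sections above describe one data model: a per-clause consent record with the IP it was given from, an export to an integration that includes only attendees who ticked that integration’s clause, a machine-readable export of a person’s full record, and a deletion that stops when a retention obligation still applies. The following Python is an added example of that model and is not CONREGO’s code; the field names, clause names and sample attendees are constructed for illustration.

```python
# Added example, not CONREGO's code: per-clause consent with source IP, consent-gated
# export to an integration, a machine-readable access export, and erasure that respects
# a retention basis, as this guide describes. Names and sample data are constructed.
import csv
import io
from dataclasses import dataclass, field

@dataclass
class Consent:
    clause: str     # which clause was ticked, e.g. "terms" or "share_catering"
    given_at: str   # when (ISO 8601, UTC); together with the IP this is the evidence
    source_ip: str  # where the consent was given from

@dataclass
class Attendee:
    attendee_id: int
    email: str
    dietary: str                       # sensitive data: needs its own legal basis
    consents: list = field(default_factory=list)
    retain_until: str = ""             # ISO date a legal basis obliges us to keep it until

def export_for_integration(attendees, clause):
    """Only attendees who ticked the clause tied to this integration are exported."""
    return [a.email for a in attendees if any(c.clause == clause for c in a.consents)]

def subject_access_export(a):
    """Right to access / portability: the record as CSV (consents flattened to clause@time@ip)."""
    out = io.StringIO()
    csv.writer(out).writerows([["attendee_id", "email", "dietary", "consents"],
        [a.attendee_id, a.email, a.dietary,
         ";".join(f"{c.clause}@{c.given_at}@{c.source_ip}" for c in a.consents)]])
    return out.getvalue()

def erase(attendees, attendee_id, today):
    """Right to be forgotten: delete unless a retention obligation still applies."""
    a = next(x for x in attendees if x.attendee_id == attendee_id)
    if a.retain_until > today:  # ISO dates compare as text; "" never blocks erasure
        return False            # keep it, and re-check once retain_until has passed
    attendees.remove(a)
    return True

def sample_attendees():
    """Constructed sample; Bob's record is still under a retention obligation."""
    return [
        Attendee(1, "ann@example.com", "vegan", [
            Consent("terms", "2018-05-26T09:00:00Z", "203.0.113.5"),
            Consent("share_catering", "2018-05-26T09:00:00Z", "203.0.113.5")]),
        Attendee(2, "bob@example.com", "none", [
            Consent("terms", "2018-05-26T10:30:00Z", "198.51.100.7")], "2024-12-31"),
    ]
```

Because the consent ledger travels with the access export, the same file documents both what you hold and the basis on which you hold it.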

Privacy by design

This means that data protection is neither a feature nor an option. It should be an underlying principle of any system and process related to personal data. Vague, isn’t it? But by adopting this mindset, you are almost sure to comply with the GDPR. It’s really reasonable and if you make personal data protection a part of your organization’s agenda, you will meet at least most of these requirements.

What do you need to do to comply?

Revise all your processes, tools, and the entire system as a whole, asking the questions:

  • does it protect my contacts’ privacy?
  • are there any points where personal data could be disclosed?
  • does it create a risk of disclosure?
  • is it fair how I gather and process this data?
  • what is my legal basis to process personal data?

Should you find a conflict with GDPR, change and innovate! It’s in your best interest to comply - not just because of the fine. And no, this content is not sponsored by the EU.

What did we do to comply?

If you create additional system user accounts, you can limit their access to sections containing attendees’ personal data. Your browser session is terminated after 30 minutes of inactivity so if you leave your computer unattended, there is a smaller chance of someone accessing the data. We also provide our customers with subdomains of conrego.com that are all protected with an SSL certificate. As for external domains, you can purchase your own SSL certificate and we’ll help you install it or we can install a free Let’s Encrypt certificate.

Data Protection Officers

The DPO assists the data controller or processor in all matters related to data processing. Some organizations will be required to hire a DPO. This most likely includes us all because having one is a must for:

For some conferences, you will gather data like dietary requirements, allergies, or passport number, which constitute sensitive personal data. “Large scale” here is far from precise. Hundreds of registrations is a lot but is it large scale when compared to corporations like Google Inc? It’s not clear but I’d stay on the safe side and appoint a DPO.

What do you need to do to comply?

Appoint a DPO and have them train your staff about personal data processing, document your personal data related processes, and report any failures in compliance to authorities.

What did we do to comply?

We have a DPO. The staff that deals with personal data is periodically retrained and we have documented processes in place regarding personal data processing and security breaches.

5. Conclusion

When the GDPR came into effect, it introduced the requirement to better protect the personal data of our employees, customers, and suppliers.

I hope this guide was useful and eased your mind a little. As long as you make personal data protection your business and really put your mind to it, you will be fine. Fortunately, the regulation is really rational. On the other hand, it’s pretty vague, and that could be alarming. After all, what you consider enough may be considered lacking by the authorities. We don’t like uncertainty, and therefore I wrote this guide with extreme caution in mind. This means that I even included elements that I consider a slight overkill. All in all, it’s better to be overly prepared than to try and justify your choices when your compliance is questioned.

Good luck!

Łukasz Krawczuk (CONREGO) Przemysław Kilian (rodoszczecin.pl)