The GDPR (General Data Protection Regulation) was passed on 25th May 2018 by the European Union. The aim of this regulation is to harmonise data protection across the EU and give EU residents more control over their personal information, such as what data is collected and how it is used. Companies must ensure they comply with the GDPR or else risk hefty fines. For severe violations, you can expect to pay 20 million euros or up to 4% of the company’s total global turnover of the preceding fiscal year, whichever is higher. Therefore, to avoid being caught out, it makes sense for your company to strictly adhere to the regulation. This is especially important when collecting personal data for events such as conferences or seminars. Here, we explain the fundamental points you should consider to make your event GDPR-compliant; bear in mind that each event also has its own individual requirements.
How to make your events GDPR-compliant
For event organisers, the GDPR is extremely important since personal data needs to be collected from the attendees. It doesn’t matter whether it’s a small event in the office or an external seminar where thousands of people are expected to attend: the compliance rules are always the same. It is of the utmost importance to obtain clear consent from the attendees before you gather and use their data in any way. Be as transparent as possible so the attendee can make an informed decision. Among other things, always tell a participant what data you plan to collect and for what purpose, who is going to receive this data, and when it will be deleted again. Point out the responsible body (usually your company) and the contact information of your data protection officer, and describe the rights of the participant as a so-called "data subject". It’s crucial to make it easy for them to withdraw consent at any time and have their data deleted (this is known as ‘the right to be forgotten’). Here are some tips to ensure data protection at your events:
- Review your forms: Check all the forms you want to use for your event, such as event registration forms and the privacy notice, to make sure they are GDPR-compliant. Make sure the systems and processes your company uses are updated and conform to the specifics of the GDPR. If an attendee wants all their data deleted, is the system able to get rid of EVERYTHING relating to this person? Bear in mind, however, that some records, for example tax-relevant documents such as invoices, are subject to a statutory retention period and cannot be deleted.
- Get consent through opt-in: Clearly state the purpose of data collection, how you'll use the data, how long you'll keep it, and whether it will be shared with any third parties. Note that you may only use the data for the approved purpose; any other use requires renewed consent. Avoid legal jargon and keep things simple. In the past, you could assume you had an individual’s permission unless they stated otherwise, but under the new law individuals must actively decide whether to give consent, so pre-ticked consent boxes are not permitted.
- Check your mailing lists: You might have mailing lists that are years old, but don’t think you’re out of the woods when it comes to using them. Do you know where the data came from and whether you ever got consent to contact these individuals? If you aren’t sure, assume you do not have their consent. We do not recommend writing to the contact to ask for consent: if they didn’t consent in the first place, the mere request may itself constitute a data protection breach, because the data would be processed without the legal basis of consent to contact this person. This also applies if you buy mailing lists – check that the company you bought them from was adhering to the GDPR. If not, you might bear the brunt of the violation even if it wasn’t technically your fault.
- Get clued up on the GDPR: The regulation not only governs how and which data is used, but also gives the data subject the right to ask for their data at any point in time. Do you have the means to provide it? Other obligations under the GDPR include notifying the supervisory authorities and, in case of a high risk, the affected individuals within 72 hours if there has been a data breach; deleting all data if a user insists (companies have 30 days to respond to requests or risk non-compliance); and being transparent about who is collecting the data and how it is being used. You should also be aware of ‘data minimisation’, which means that once the data has been used for its intended purpose, it cannot be used for any other purpose and must be destroyed. Furthermore, you should only ask for the data that is absolutely necessary for running the event. Any other information is purely voluntary, and mandatory fields must therefore be clearly marked.
- Hire a Data Protection Officer: Since conforming to the GDPR is imperative and huge fines can result if companies slip up, it makes sense to have one person designated to ensure adherence – a Data Protection Officer. It would then be their job, for example, to make events GDPR-compliant.
This checklist is especially helpful when it comes to GDPR for event organisers. Note that even if your company isn’t situated in the EU, the rules still apply if you collect data from EU residents, which may well be the case if you hold an international event.
ALSO offers support for GDPR compliance.