On 25th May 2018 the EU introduced what is arguably the most significant legislation of the digital age. The General Data Protection Regulation (GDPR) revolutionises the way data is processed online across all platforms, putting a never-before-seen emphasis on the rights that individuals have over their personal data. GDPR will therefore have a significant impact on the way that data is processed in the events industry.
This is not something to be taken lightly. The International Association of Privacy Professionals estimates that Fortune 500 companies have spent a combined £5 billion to prepare for GDPR, with breaches facing fines of up to €20 million.
So, with such serious penalties for GDPR breaches, is your event compliant? We work with events around the world asking that very same question. Here’s everything you need to know about GDPR as an event professional. We’ll give you a general GDPR overview, and cover some of the key points you need to be aware of in the events industry.
1. Introduction to GDPR for the events industry
2. What GDPR means for your event
3. GDPR and event entrant data
4. Event entrant data rights under GDPR
5. Event marketing under GDPR
6. GDPR and data security
7. GDPR next steps
1. Introduction to GDPR for the events industry
What is GDPR?
GDPR is an EU regulation four years in the making that came into effect on 25th May 2018. Its main purpose is to bring consistency to data protection laws across Europe, whilst simultaneously improving the rights of individuals and the control they have over their personal data.
For more detail on GDPR, read the latest 88-page revision of the legislation here.
Why was GDPR introduced?
Companies the world over are tearing their hair out over GDPR. From Marketing and Sales to IT and Project Management, there are few areas of business that won't be affected. Events are no different.
So why is Brussels making us jump through all of these hoops at such a high cost? Quite simply, the existing legislation isn’t fit for purpose anymore. In fact, it’s surprising that it’s taken this long for something like GDPR to be introduced.
Before GDPR, the majority of data protection in Europe was based on dated legislation. In the UK, for example, organisations were largely governed by the 1998 Data Protection Act. As you’ll be especially aware of in the events industry, the volume of data processed around the world today is orders of magnitude larger than it was in 1998. According to an IBM study, over 90% of all data online has been created since 2016. So, in a world of major data protection breaches, online fraud and almost unfathomable volumes of data, doesn’t it make sense to update cyber security laws that are almost 20 years old?
2. What GDPR means for your event
All data protection malpractice in the UK is investigated by the ICO. After 25th May 2018, the ICO will be able to fine organisations up to €20 million, or 4% of their global annual turnover, whichever is higher. To put that into perspective, cyber security experts NCC Group examined the £880,500 in fines imposed by the ICO in 2016, and analysed how they would have been handled under GDPR. They found that there would have been a staggering 7,736% increase in fines, with the penalties handed out rocketing to £69 million. Telecoms company TalkTalk alone would have found their record-breaking £400,000 fine increase to £59 million.
So as you can see, no matter how much it costs your event to become GDPR ready, it’s well worth the investment.
Will anyone actually be fined €20 million for GDPR breaches?
Whilst this is the maximum fine available under GDPR, it’s down to the individual member states how they choose to penalise breaches.
The ICO never actually used the full force of the £500,000 fine that was available to them under the Data Protection Act. However, that’s not to say that nobody will be fined €20 million post-GDPR, especially if a governing body wants to flex their newfound financial-penalty muscles to set an example.
The most simple solution? Follow the rules of GDPR for your event and you won’t have to worry about fines.
Does GDPR affect my event?
Even without knowing the backstory of every event professional reading this, in all likelihood the answer to this common question is ‘yes’. GDPR compliance and its sphere of influence is a complex matter. To simplify the situation, if you store or process data on any EU citizens in the process of organising your event, GDPR applies to you. Even if your events aren’t in the EU, if you want to allow EU citizens to enter your event then you need to comply with GDPR.
My event is in the UK - will the UK be exempt from GDPR after Brexit?
When GDPR was first announced, there were rumours circulating that Brexit would be a get-out-of-jail-free card for businesses in the UK. Surely if the UK was no longer part of the EU, then an EU-led legislation like GDPR wouldn’t apply to UK businesses?
The ICO were quick to state that this wouldn’t be the case, and the UK Government confirmed their stance in August 2017 with the announcement of the updated Data Protection Bill. One of the main aims of this Bill was to ‘bring the European Union’s General Data Protection Regulation into UK law.’ That means even post-Brexit, GDPR will still apply to UK-based events.
What does GDPR mean for my event?
It means a whole lot, but in short you’ll potentially have to completely change the way you think about and treat personal data. In their advice on GDPR, the ICO says that you’ll need to put in place “comprehensive but proportionate governance measures” and that these measures should “minimise the risk of breaches and uphold the protection of personal data”.
If you haven't done so already, you’ll need to perform an audit on all of the personal data you process for your event, and document the policies and procedures you have in place to make sure that said data is processed safely and securely.
Do we need to appoint a Data Protection Officer under GDPR?
GDPR only requires you to appoint a Data Protection Officer if you meet one of the below criteria as outlined in Article 37 (1):
If you don’t feel your event meets any of these criteria, then you aren’t obligated to appoint a Data Protection Officer. Even if that’s the case, it’s still good practice to have someone in your organisation whose responsibility it is to oversee your data compliance.
3. GDPR and event entrant data
What exactly is ‘personal data’ under GDPR?
GDPR defines personal data as follows in Article 4 (1):
Essentially, if data can be used to identify an individual then it is classed as personal data under GDPR. That includes information you are likely to collect from your event entrants, such as name, address, date of birth and email address.
What does ‘processing’ data mean under GDPR?
GDPR defines processing as follows in Article 4 (2):
As you can see from that extensive list, practically anything you do with the personal data surrounding your event constitutes processing. This will range from collecting entrant data when they sign up for your event, to how you communicate with your entrants via both electronic and physical media.
Is my event a data Controller or a data Processor?
There are two key parties when it comes to processing data under GDPR; the data Controller and the data Processor. Both parties are expected to follow the rules of GDPR, but their responsibilities regarding how data is processed differ slightly.
The data Controller is the organisation or entity that dictates what data is collected and how it is used, whilst the data Processor is the organisation or entity who facilitates said processing and usage.
For example, if you use realbuzz registrations for your event’s online entry, you are the data Controller. You choose what data we collect, and why you need that data. It is your responsibility as a data Controller to process all data relating to your event in line with GDPR.
We (realbuzz registrations) are the data Processor, in that we process the data through our platform as per your instruction. It is our responsibility to make sure that data is processed securely as laid out by GDPR.
What are the rules I have to follow when processing personal data?
How long have you got? It’s hard to provide a GDPR summary when the full legislation is 88 pages, and all 99 Articles in GDPR largely relate to the processing of personal data.
However, Article 5 (1) does outline some key rules to follow. To summarise, personal data needs to be:
- Processed lawfully and transparently
- Collected for a specified and legitimate purpose
- Limited to what is necessary for the purpose of processing
- Kept for no longer than is necessary for the purpose of processing
- Processed securely
How will GDPR affect my existing event data?
One of the most significant implications of GDPR is that it is retroactive. All data you store and process for your event needs to comply with the regulations set out by GDPR, even if you collected it before 25th May 2018.
If you haven't already, you should perform a full audit on the data you currently store to check that it is GDPR compliant. Any data that doesn’t meet the guidelines needs to be deleted.
Whilst many events are panicking about this mass loss of data, you should actually see this as a good opportunity for some digital housekeeping. If you hold data on an individual that you have no legal rights to process, then why would you want it anyway? It’s likely that this data is no longer of any use to you, and it will no doubt be costing you money to carry on processing it. This is the perfect time to improve the quality of your mailing lists, and ensure that you’re only storing the data that you actually need.
Does GDPR have specific rules for children?
Yes - Article 8 (1) states that to be able to give valid consent, an individual must be older than the age of ‘digital consent’. Member states can set this anywhere between the ages of 13 and 16, and the UK has chosen to set it at 13 years old. That means a child under 13 years old cannot give consent for their own data to be processed. Instead, you’ll need consent from one of their parents to process their data.
GDPR also states that you must make a ‘reasonable effort’ to verify that parental consent has been given. In practice, that means if you allow children to enter your event, you may not be able to rely on a simple checkbox that says ‘I have parental consent’, as this can easily be bypassed by children under the age of 13 who do not have parental consent.
Here at realbuzz registrations, we’re currently developing a system that will allow events to automatically verify parental consent when entering children under the age of 13. When the system recognises that an under 13 is registering for an event, the entrant will need to provide the email address of a parent to provide consent. The parent will then receive an email, giving them the option to either provide or decline consent for their child to enter the event. This means you’ll be safe in the knowledge that all minors entered into your event have been verified in accordance with GDPR.
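The parental-consent flow described above can be built around single-use, expiring tokens rather than a checkbox. The following is an added example, not realbuzz registrations' own system or any code from the page: the entrant's age is checked at registration, an under-13 entrant must give a parent's email address, the parent receives a link containing an unguessable one-shot token, and the decision is recorded when the link is used. The consent URL, the seven-day token lifetime and the sample data are assumptions made for the illustration.

```python
"""Token-based parental consent for under-13 registrations.

Added example, not code from realbuzz registrations or from the page: it
models the flow described above with unguessable, single-use, expiring
tokens, so an entrant cannot satisfy the check by ticking an
"I have parental consent" box. The consent URL, token lifetime and sample
data are constructed for illustration.
"""
import secrets
from dataclasses import dataclass
from datetime import date, datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Tuple

DIGITAL_CONSENT_AGE = 13            # the UK's choice under Article 8(1)
TOKEN_LIFETIME = timedelta(days=7)  # assumption: how long the parent has to respond
CONSENT_URL = "https://example.invalid/consent/"  # placeholder, not a real endpoint


def age_on(dob: date, on: date) -> int:
    """Whole years from dob to `on`; one less if this year's birthday has not come."""
    years = on.year - dob.year
    if (on.month, on.day) < (dob.month, dob.day):
        years -= 1
    return years


@dataclass
class Registration:
    entrant_email: str
    dob: date
    parent_email: Optional[str] = None
    status: str = "pending"   # pending | awaiting_parent | confirmed | declined | expired
    consent_token: Optional[str] = None
    token_expires: Optional[datetime] = None
    parent_decided_at: Optional[datetime] = None


class ParentalConsentService:
    def __init__(self, now: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self.now = now                                   # injectable clock
        self.pending: Dict[str, Registration] = {}       # token -> registration
        self.outbox: List[Tuple[str, str]] = []          # (to, body) instead of real email

    def register(self, reg: Registration) -> Registration:
        """Confirm at once if old enough; otherwise email the parent a one-shot link."""
        if age_on(reg.dob, self.now().date()) >= DIGITAL_CONSENT_AGE:
            reg.status = "confirmed"
            return reg
        if not reg.parent_email:
            raise ValueError("an under-13 entrant must supply a parent's email address")
        token = secrets.token_urlsafe(32)   # 256 bits of randomness: not guessable
        reg.status = "awaiting_parent"
        reg.consent_token = token
        reg.token_expires = self.now() + TOKEN_LIFETIME
        self.pending[token] = reg
        self.outbox.append((reg.parent_email, f"Confirm or decline entry: {CONSENT_URL}{token}"))
        return reg

    def respond(self, token: str, consent_given: bool) -> Registration:
        """Record the parent's decision; the token is consumed whatever the outcome."""
        reg = self.pending.pop(token, None)   # pop => a link can be used only once
        if reg is None:
            raise LookupError("unknown or already-used consent link")
        decided = self.now()
        if decided > reg.token_expires:
            reg.status = "expired"            # stale link: the entrant must re-register
            reg.consent_token = None
            return reg
        reg.status = "confirmed" if consent_given else "declined"
        reg.parent_decided_at = decided
        reg.consent_token = None
        return reg
```

The `outbox` stands in for the email sender so the flow can be exercised offline; in a real deployment the token would be stored hashed, as with any credential that grants an action, and the parent's decision logged alongside the registration as the evidence of the ‘reasonable effort’ GDPR asks for.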
4. Event entrant data rights under GDPR
GDPR states that people have the following rights over their personal data:
- The right to be informed
- The right of access
- The right to rectification
- The right to be forgotten
- The right to restrict processing
- The right to data portability
- The right to object
What is the right to be informed?
GDPR aims to make data subjects more aware of their rights, which ties in with the ‘right to be informed’.
What is the right to access?
The rules surrounding data access requests have changed under GDPR. Under the Data Protection Act, individuals had the right to request information on the data you hold on them. As the holder of said data, you were able to charge the data subject £10 to cover the cost of accessing this data, and you had up to 40 days to comply.
GDPR has tightened up the rules surrounding this. You can no longer charge a data subject to access the data you hold on them, and you now only have 30 days to comply with their request. If you take longer, you’ll need to be able to give a valid reason for this, for example if their request is particularly complicated.
What is the right to rectification?
As an event professional, you’ll no doubt have plenty of requests like this. An attendee or entrant gets in touch to let you know that their address or phone number has changed, and asks you to update your records.
Under GDPR you have to respond to these requests within a month, or two months if the information change is particularly complex.
If any third parties have been sent this data, it’s your responsibility as the data Controller to also inform them of the data rectification.
What is the ‘right to be forgotten’?
Under GDPR, data subjects have the right for their data to be forgotten (sometimes referred to as the right to erasure). Essentially, this means a person can request that you delete all of the data that you hold on them, unless you have a specific reason to continue processing that data.
You do have the right to refuse this request, but only if you have a good reason to do so. For example, you may need to store the data for legal reasons.
Again, if you’ve shared this data with any third parties things get slightly more complicated. Once a data subject exercises their right to be forgotten, you are also obliged to contact any third parties you have shared this data with and instruct them to delete the data (unless they have a good reason not to do so).
What is the ‘right to restrict processing’?
This is similar to the right to be forgotten, but instead of a complete wipe of all data, you’ll be able to keep storing the data as long as you don’t process it any further.
For example, you may need to retain an entrant’s email address on a ‘do not contact’ list to ensure that you do not communicate with them again in the future.
What is the ‘right to data portability’?
You’ll rarely come across this in the events industry, but the right to data portability means that you must provide a data subject with their data in a format that allows them to reuse the data for another purpose or service.
For example, in the banking industry, standardised data formats are in place, which customers can upload to price comparison websites.
The ICO gives an acceptable format as a CSV spreadsheet, if you ever do need to provide data in a portable manner.
What is the ‘right to object’?
This is a simple one - if a data subject asks you to stop processing their data for the purposes of direct marketing, you must do so immediately. There are no exceptions to this.
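The rights listed in this section translate into concrete operations on whatever store holds your entrant data. The block below is an added example, not code from the page or from realbuzz registrations: a small in-memory entrant store with the 30-day access-request deadline, rectification and erasure that also return the third parties you have to tell, restriction (the record is kept but left out of further processing), portability as a CSV export, and the right to object to direct marketing. Erased entrants leave only a hash on a ‘do not contact’ list so they are not silently re-added from an old spreadsheet. The store, the sample entrants and the sharing record are constructed for the illustration.

```python
"""Data subject rights requests against a small entrant store.

Added example, not the page's or realbuzz registrations' code. The store,
the sample entrants and the record of who each entrant's data was shared
with are constructed. It shows the 30-day access window, rectification and
erasure that also return the third parties you must tell, restriction
(kept but not processed), portability as CSV, and the right to object to
direct marketing.
"""
import csv
import hashlib
import io
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Dict, List, Set

ACCESS_REQUEST_DAYS = 30   # response window for access requests stated above


@dataclass
class Entrant:
    email: str
    name: str
    postcode: str
    shared_with: Set[str] = field(default_factory=set)   # third parties sent this record
    restricted: bool = False            # right to restrict: keep, but process no further
    marketing_objection: bool = False   # right to object: stop direct marketing at once


def access_request_deadline(received: date) -> date:
    """Date by which a subject access request must be answered."""
    return received + timedelta(days=ACCESS_REQUEST_DAYS)


def suppression_key(email: str) -> str:
    # The do-not-contact list holds a hash, not the address: enough to recognise
    # an erased subject if they are re-imported, without keeping their data.
    return hashlib.sha256(email.strip().lower().encode()).hexdigest()


class EntrantStore:
    def __init__(self):
        self.entrants: Dict[str, Entrant] = {}
        self.do_not_contact: Set[str] = set()

    def add(self, e: Entrant) -> bool:
        if suppression_key(e.email) in self.do_not_contact:
            return False   # erased subject: do not quietly re-add them from an old list
        self.entrants[e.email] = e
        return True

    def export_portable(self, email: str) -> str:
        """Right to data portability: the record as CSV, a format the ICO accepts."""
        e = self.entrants[email]
        buf = io.StringIO()
        writer = csv.writer(buf)
        writer.writerow(["email", "name", "postcode"])
        writer.writerow([e.email, e.name, e.postcode])
        return buf.getvalue()

    def rectify(self, email: str, **changes) -> List[str]:
        """Right to rectification; returns third parties who must be told of the change."""
        e = self.entrants[email]
        for key, value in changes.items():
            if key not in ("name", "postcode"):
                raise ValueError(f"{key} cannot be changed through rectification")
            setattr(e, key, value)
        return sorted(e.shared_with)

    def erase(self, email: str, legal_hold: bool = False) -> List[str]:
        """Right to be forgotten; returns third parties to instruct to delete too."""
        if legal_hold:
            raise PermissionError("retained for legal reasons: the refusal must be explained")
        e = self.entrants.pop(email)
        self.do_not_contact.add(suppression_key(email))
        return sorted(e.shared_with)

    def restrict(self, email: str) -> None:
        self.entrants[email].restricted = True

    def object_to_marketing(self, email: str) -> None:
        self.entrants[email].marketing_objection = True

    def marketing_recipients(self) -> List[str]:
        """Not restricted and no objection; a consent basis for marketing is a separate check."""
        return sorted(e.email for e in self.entrants.values()
                      if not e.restricted and not e.marketing_objection)
```

The lists returned by `rectify` and `erase` are the point: as the data Controller you are the one who has to chase sponsors, timing companies and mailing-list providers, so the store needs to remember who received each record.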
5. Event marketing under GDPR
Will I always have to have consent to process data?
No - one of the biggest misconceptions about GDPR is that all data processing can only be done with the consent of the individuals whose data is being processed. In fact, this is such a common issue that the head of the ICO, Elizabeth Denham, has written a myth-busting blog post about what consent means under GDPR.
When you dig a little deeper, you’ll find that consent is only one of the six legal grounds for processing outlined in Article 6 (1) of GDPR:
As you can see, GDPR is not as unreasonable regarding data processing as many scaremongers are making it out to be.
For example if there is a medical emergency at your event and you need to get in touch with an entrant’s emergency contact, relying on consent would be unreasonable. Instead, you are free to do this immediately as it would protect the vital interests of the data subject.
What is important when processing any data is that you have identified one of the above legal grounds for doing so. It’s a good idea to clearly document this for all types of personal data that you process in the course of running your event. Not only does this ensure you are always complying with GDPR, it also acts as clear proof of planning and consideration should the ICO ever ask you for this.
One area where consent is important is direct marketing. Whether that be through email, phone or traditional snail mail, if you’re processing an individual’s personal information for the purpose of marketing your event, it’s very likely that you’ll need their consent to do so.
Whilst direct marketing is listed as a legitimate interest by the ICO, it relies on you having an existing relationship with the individual. Instead of relying on a legitimate interest which could potentially be contested by an individual, it’s far more straightforward to seek direct consent for marketing activities.
How do I seek consent for event marketing under GDPR?
We’ve been living in a Wild West of seeking consent for marketing purposes, and GDPR has changed that. Gone are the days of sneaky pre-ticked opt-in boxes or confusingly worded opt-in statements. You can also forget about adding every single event entrant and attendee to marketing lists.
Now, consent needs to be a ‘freely given, specific, informed and unambiguous indication of the data subject’s wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.’
Remember, seeking clear and freely given consent is a good thing. Whilst your marketing lists may reduce in size, they will also drastically increase in quality. Promoting your event to one interested individual is far more effective than marketing it to 10 people who couldn’t care less.
As mentioned earlier, GDPR is retroactive. If you have an email marketing list and it doesn’t meet any of the legal grounds for processing outlined above, sending emails to that list will be in breach of GDPR.
What should an opt-in statement for event marketing look like under GDPR?
Let’s break down some of the key rules for consent, and work out how that would look in an opt-in statement for your event marketing. We’ll use a mailing list subscription as an example.
Consent must be freely given
According to the ICO, this means data subjects need to have ‘genuine ongoing choice and control’. In practice, that means you can’t force a person to give consent. For example, making a mailing list opt-in checkbox a required field on your event entry form certainly won’t be allowed under GDPR.
Consent must be specific
You need to let data subjects know exactly what they’re giving consent for. So if you’re seeking consent for an email newsletter you send out, give a brief summary of what they can expect to read in those emails.
Consent must be informed
Consent must be unambiguous
Trying to trick people into opting in with confusing language isn't classed as valid consent under GDPR. Opt-in statements should be as clear and concise as possible.
Consent must be a clear affirmative action
The ICO have clarified that ticking an un-ticked opt-in checkbox is an affirmative action. Unticking a pre-ticked checkbox, or ticking an opt-out checkbox, is not an affirmative action. These latter examples are classed as inactivity, which is not a valid means of collecting consent under GDPR.
So, how does that all come together to create a GDPR-friendly opt-in statement? Here’s an example below.
Let’s do a quick run through of the consent checklist on the above opt-in statement.
Is the consent freely given with an affirmative action? Yes - the entrant needs to actively tick the box to sign up to the mailing list, and this is not a required field. The user therefore has free choice over whether or not to opt in.
Is consent specific? Yes - the entrant is told that they will receive a weekly newsletter with news and updates about the event.
Is consent unambiguous? Yes - the language used is clear, and it’s safe to assume that entrants will be fully aware what they are consenting to.
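The checklist above can be enforced in the registration form's own code rather than left to a manual review. The following is an added example, not code from the page or from realbuzz registrations: it rejects checkbox designs that are pre-ticked or required, checks that the statement names what the subject is signing up to, stores a consent record only when the box was actively ticked, keeps the exact wording that was shown as evidence, and makes withdrawal as simple as giving consent. The field definition, the purpose-matching check and the sample inputs are assumptions made for the illustration.

```python
"""Opt-in consent checks and records for event marketing.

Added example, not code from the page or from realbuzz registrations. It
encodes the checklist above: the box must not be pre-ticked or required
(freely given, affirmative action), the statement must name what the subject
is signing up to (specific and informed), and only an explicit tick creates a
consent record, which keeps the exact wording shown so you can later
demonstrate what was agreed. The field and sample inputs are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Callable, List, Optional


@dataclass(frozen=True)
class OptInField:
    name: str
    statement: str   # wording shown next to the checkbox
    purpose: str     # short description of the processing, e.g. "weekly newsletter"
    pre_ticked: bool = False
    required: bool = False


def design_problems(f: OptInField) -> List[str]:
    """Reasons this checkbox design could not collect valid consent (empty = fine)."""
    problems = []
    if f.pre_ticked:
        problems.append("pre-ticked: unticking is inactivity, not an affirmative action")
    if f.required:
        problems.append("required field: consent would not be freely given")
    # Simple check that the statement actually tells people what they get;
    # a real review reads the wording, this only catches the obvious miss.
    if f.purpose.lower() not in f.statement.lower():
        problems.append("statement does not say what the subject is consenting to")
    return problems


@dataclass
class ConsentRecord:
    subject_email: str
    purpose: str
    statement_shown: str       # evidence of what the subject agreed to
    given_at: datetime
    withdrawn_at: Optional[datetime] = None

    @property
    def active(self) -> bool:
        return self.withdrawn_at is None


class ConsentLog:
    def __init__(self, now: Callable[[], datetime] = lambda: datetime.now(timezone.utc)):
        self.now = now
        self.records: List[ConsentRecord] = []

    def record_submission(self, f: OptInField, subject_email: str, ticked: bool) -> Optional[ConsentRecord]:
        """Store consent only for a validly designed box that was actively ticked."""
        problems = design_problems(f)
        if problems:
            raise ValueError("; ".join(problems))
        if not ticked:
            return None   # no affirmative action: nothing to record, no mailing
        rec = ConsentRecord(subject_email, f.purpose, f.statement, self.now())
        self.records.append(rec)
        return rec

    def withdraw(self, subject_email: str, purpose: str) -> int:
        """Ongoing choice: withdrawing must be as easy as giving; returns records closed."""
        closed = 0
        for r in self.records:
            if r.subject_email == subject_email and r.purpose == purpose and r.active:
                r.withdrawn_at = self.now()
                closed += 1
        return closed

    def may_contact(self, subject_email: str, purpose: str) -> bool:
        """True only while an unwithdrawn consent record exists for this purpose."""
        return any(r.subject_email == subject_email and r.purpose == purpose and r.active
                   for r in self.records)
```

Keeping `statement_shown` and `given_at` on every record is what turns a mailing list into something you can defend: if the ICO asks why an address is on the list, the answer is the wording the person saw and the moment they ticked it.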
Can I share data with my event sponsors?
Unless you have clear, freely-given consent from an event entrant to do so, you can’t share their data with third parties. You should be checking any sponsor agreements now to make sure you’re not promising the provision of data that you can’t legally share.
If you have previously shared event data with sponsors that will not meet the consent requirements of GDPR, then you will need to inform those sponsors and request that they cease processing that data.
6. GDPR and data security
What does GDPR define as a data breach?
It’s practically impossible to read the news nowadays without seeing a report on another catastrophic data breach affecting a major company somewhere in the world. But what actually is a ‘data breach’? The ICO defines a data breach as any ‘breach of security leading to the destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.’
What are the most common forms of data breach?
The word ‘breach’ naturally makes you think of some form of forceful entry by a third party. Whilst malicious access to personal data is often caused by vulnerabilities in digital systems, it’s important to remember that not every breach is masterminded by expert hackers staring at a Matrix-esque bank of monitors filled with lines of code.
According to Baker & Hostetler’s Data Security Incident Response Report, 31% of data breach incidents are caused by phishing, hacking or malware. However, the second most common cause may be more surprising - 24% of all data breaches examined were directly caused by an action or mistake made by an employee. This could be something as simple as a member of staff leaving a device containing sensitive data on public transport. Or perhaps your staff members regularly send lists of event entrant data to each other without password protecting documents, which can then be intercepted by third parties.
Clearly, it’s now more important than ever to make sure your event’s internal data-protection policies are robust and up-to-date. Even the most secure digital systems in the world won’t save you from a data breach if your staff aren’t properly trained.
Do we need to report every data breach to the ICO?
Not all data breaches need to be reported to the ICO. It is up to you as the data Controller to decide whether a breach is significant enough to alert the governing body, which will depend on the nature of the data that has been breached.
If sensitive data has been breached, for example credit card information, the ICO will definitely need to be involved. Remember, the ICO are not the enemy - they’re here to help, and their expertise will help you deal with a data breach in the best way possible.
What does GDPR class as a secure system?
Whilst GDPR doesn’t provide exact specifications for a secure system for processing data, it does set out some guidelines to follow in Article 32 (1):
Essentially, this means you should perform an audit on the personal data that you are processing as part of your event. From that, you should analyse the scale and scope of the data, and decide on the level of risk surrounding that data, and the appropriate level of security that risk demands.
As with anything related to the processing of personal data, it’s better to be safe than sorry. Here at realbuzz registrations, we ensure the data security of events using our platform by utilising the latest in security standards.
- All communication with our system is conducted over HTTPS between the web browser and our servers
- Passwords are stored in hashed form, never in plaintext, so the stored value cannot be reversed to recover the original password
- Our web framework (Django) provides extra security measures like cross-site request forgery (CSRF) protection (to prevent forged requests being submitted on a logged-in user’s behalf)
- All data is protected via a system of authorisation and permissions
- We carry out regular penetration testing in partnership with security professionals to make sure the system is as secure as possible
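Two of the measures in that list are easy to show concretely. The block below is an added example, not realbuzz registrations' or Django's code: passwords are stored only as salted PBKDF2 hashes and verified with a constant-time comparison, so a copy of the user table does not hand over passwords, and each session gets a random CSRF token that state-changing forms must echo back, so a request forged from another site, which cannot read that token, is rejected. The iteration count, the stored-hash format and the token sizes are assumptions.

```python
"""Salted password hashing and a per-session CSRF token, in minimal form.

Added example, not realbuzz registrations' or Django's code, illustrating
two of the measures listed above. Iteration count, hash string format and
token sizes are assumptions.
"""
import hashlib
import hmac
import secrets
from typing import Dict, Optional

PBKDF2_ITERATIONS = 600_000   # assumption: slow enough to blunt offline guessing


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return 'pbkdf2_sha256$<iterations>$<salt>$<digest>'; a fresh salt per password."""
    salt = salt if salt is not None else secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count; compare in constant time."""
    try:
        algo, iterations, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False   # malformed stored value: never treat as a match
    if algo != "pbkdf2_sha256":
        return False
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(),
                                    bytes.fromhex(salt_hex), int(iterations))
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


class CsrfGuard:
    """One random token per session; state-changing forms must submit it back."""

    def __init__(self):
        self._tokens: Dict[str, str] = {}

    def token_for(self, session_id: str) -> str:
        """Token to embed as a hidden field in the form rendered for this session."""
        token = self._tokens.get(session_id)
        if token is None:
            token = secrets.token_urlsafe(32)
            self._tokens[session_id] = token
        return token

    def check(self, session_id: str, submitted: Optional[str]) -> bool:
        """Reject the POST unless the submitted token matches the session's own."""
        expected = self._tokens.get(session_id)
        if expected is None or submitted is None:
            return False
        return hmac.compare_digest(expected, submitted)
```

The salt is what makes two users with the same password store different hashes, and the iteration count is what makes guessing against a leaked table slow; Django's built-in password hashers and CSRF middleware apply the same two ideas, which is why a framework with these features on by default is worth having.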
Does my event data need to be hosted in the EU?
Event data doesn’t technically need to be hosted in the European Union to comply with GDPR, but it will make your life a lot easier if it is.
This is an extremely complex matter under GDPR, with the whole of Chapter 5 (Articles 44-50) being dedicated to the transfer of data to third countries or international organisations. This stipulates that you may transfer and store data outside of the EU, as long as the host country conforms to strict data protection principles. If you do store event data outside of the EU, you’ll need to keep checking that the host country still conforms to those standards, otherwise you’ll be held responsible.
You can take the headache out of this by making sure your event data is stored in the European Economic Area (EEA) of pre-approved European countries, or in a country that the EU has acknowledged as sufficiently following data protection principles. Here at realbuzz registrations, we store all event data securely on servers in the US and the EEA. Storing data in the US is GDPR compliant because of the EU-US Privacy Shield agreement.
7. GDPR next steps
Is it too late to make sure my event is GDPR ready?
GDPR has already come into effect, but if you've not made any changes, you’re not alone. The DMA estimated that one in four UK businesses would not be ready for the introduction of GDPR. Many events still won’t even be aware of GDPR, and some who are aware will be hoping to carry on as they are and slip under the radar.
GDPR preparedness will require a lot of work, but there are some initial steps you can take. The ICO themselves have said in their blog that whilst there will be no grace period now that GDPR has been introduced, they accept that GDPR compliance is an ‘ongoing journey’.
If you’re taking the correct steps towards GDPR compliance, and you’re able to demonstrate that, then the ICO will take that into account should they ever examine your data processing practices and policies.
Where should I begin with GDPR as an event organiser?
Reading this guide is a good start! Now that you’re aware of the main issues surrounding GDPR, you’ll need to perform a full audit of the personal data you process as an event. The ICO provide guidance on putting together a Data Protection Impact Assessment, which will give you a good idea of the state of your existing data, and any future data you will be processing.
You also need to think about the third parties you work with, and how they interact with that data (if at all). Reassess your agreements, and double check that they’re following GDPR. As the data Controller, this is your responsibility.
If your audit raises any areas of non-compliance, start working up actionable plans with realistic timelines associated with all actions. This should also include areas of responsibility for relevant staff members. It’s not just IT specialists and members of your Marketing team that will need to be involved. Start from the ground up to build GDPR awareness across your event staff. It’s likely that they all have some involvement with data, even in a very minor capacity, so they need to know about the key issues. Basic training will go a long way to avoiding simple mistakes like not encrypting data correctly when shared, or leaving sensitive documentation in view.
If you’re looking for a GDPR-friendly online registration platform for your events, you can find out more about realbuzz registrations here: https://www.realbuzzregistrations.com/features/