GDPR For Every Area of Your Event

Heard about GDPR for events but not sure how it will impact your live event? Don’t worry – we’ve got you covered.

The General Data Protection Regulations come in to play on May 25th, 2018 and will mean much more stringent rules around the way companies gather and store data. If you fail to comply, you could be looking at a hefty fine – around 4% of global turnover, or £17 million, whichever is higher. Wowzer.

There’s no doubt you need to take the new regulations seriously, but there’s no need to panic either. If you’re using event tech to gather data at your event, there are several easy to implement checks that you can do to ensure you are staying on the right side of GDPR.

Here are the things to be aware of at every stage of your live event data capture: 

Pre Registration

When asking people to fill out pre-registration details including name and contact details, you’ll need to make sure that you’re GDPR ready. The rules will apply if the data includes any personally identifiable data, such as a name, email address or phone number that could be used to identify someone.

What do I need to do?

Data Permissions 

• Keep an audit of everywhere that this data will be used and stored

Data Access

• Always make sure that you give full and easy to understand explanations about how and where this information will be used and who will have access to it

Data Storage

• Have a system in place to ensure that you can remove people’s details from your database ‘without undue delay’ if requested

Data Transfer

• If you’re going to share the data with any third party companies, you need to state that clearly before someone hits ‘submit’

Top Tip: Include the name of your event tech suppliers as data processors in your pre-registration T&C’s. You can even link the process of buying tickets and registering for the event with asking delegates to agree to have their data processed by event tech suppliers and any other third parties e.g. exhibitors/sponsors

On Site Registration

When people register at your event, they will be providing ‘personal data’. This data may have been supplied in the pre-registration form, or they may supply it on the day if they did not pre-register. Either way, you will be gathering and processing data, so you need to ensure you are in a GDPR defensible position.

Top tip: If someone opts out of providing you with their personal data, the regulations state that you are not allowed to deny them access unless you have expressly stated this in the event’s Terms and Conditions during pre-registration

What do I need to do?

Data Permissions

• Never share anyone’s personal data with any third parties or individuals unless they have given you express permission
• Have a copy of your GDPR and privacy policy on hand during registration in case anyone requests to see it
• Print the URL for your privacy policy on your name badge – you could even print a summary of data touch points in the event and how their data will be used at each point

Data Access

• As above, ensure that you give full and easy to understand explanations of who will have access to people’s data and how it will be used – if you don’t state it now, you will be breaking regulations if you decide to do it later!

Data Storage

• Do a security review of all of your data storage to ensure they are not vulnerable to a data breach

Data Transfer

• Review all of the on site wi-fi networks and processing systems for potential hacks or data breaches
• Think about how you are transferring and processing data. If you are storing CSV spreadsheets you should encrypt them before sending
• Consider using an API for real time data updates between two systems

Session Scanning

Ensuring delegates register for each seminar can help you to keep track of numbers, control room capacity, understand which sessions were most popular and gather potential leads for those who are speaking. When people use RFID name badges to check in for a session you can also offer to send them notes and speaker profiles direct to their inbox too.

Just like the event registration, every time someone registers their details to attend a session, either manually or using event tech, you are gathering data, so you need to ensure that you’ve thought about compliance in this area. Remember, you can’t deny someone access to your sessions if they refuse to give up their data, unless you have made this extremely clear in the event’s Terms and Conditions.

What do I need to do?

Data Permissions 

• You can’t repeat those clear and easy to understand explanations enough! If this data is going to be handed over to the session leaders so that they can see who attended, make sure you state that clearly when people are signing up. If you’re going to use this data to follow up with suggested content that people might want to read, state that clearly. You can never be too clear or to detailed when you outline the way people’s data will be used.
• Identify your Data Protection Officer and make them available to talk to anyone who has questions or concerns about data storage

Data Access

• Be clear about all of the third party companies who will have access to this data

Data Storage

• Do a risk assessment for any possible hacks or weaknesses in the data storage system

Data Transfer

• Think about how you will store and transfer the data from the session sign ups. Is it vulnerable to hack? Do you need an encryption system?

Lead Capture

If you have exhibitors or sponsors at your event, you might want to encourage them to gather contact details for the people they interact with so that they can follow them up as leads later. Great event tech will help you to do this. RFID name badges allow exhibitors to gather contact details with a simple tap on a dedicated reader. But that means an exchange of data. So what do you need to do to comply?

What do I need to do?

Data Access

• Ensure that all delegates have agreed to a clear data use agreement before entering the event so they have been provided with easy to understand details of what data exhibitors will have access to and how this data could be used
• Hold a briefing for all of your exhibitors to fill them in on GDPR regulations and the specific agreements that delegates have been given for this event
• Provide each exhibitor with a copy of data use agreement to show to delegates who have questions
• If exhibitors are receiving lists of the data gathered at the event, ensure that they understand that it is their own responsibility to delete that data from their database without undue delay if they are asked to do so by the data subject

Data Storage

• Ensure that all data is encrypted from the time it is handed over to the time it is needed for processing

Data Transfer

• Ensure that all data is encrypted when in transit

Data Permissions

• Use event technology where capturing data cannot be accidental e.g. RFID smart badges or barcode scanners can’t be accidentally scanned

Follow Up Emails

Want to stay in touch with your delegates? If you’re going to send out follow up emails to your delegates then you’re going to need to ensure that you’ve got permission to do so.

What do I need to do?

Data Access

• Only send out emails that comply with that original agreement

Data Storage

• Ensure all data including name and email address is encrypted during storage – even in your bulk mailer system. Most commercial mailer systems offer this as standard, but it is worth checking

Data Transfer

• When importing or exporting names and email addresses for your follow up emails, ensure it is encrypted and that precautions have been taken against potential hacks

Data Permissions 

• Delegates must have agreed to receive follow up emails when they initially handed over their data during registration or pre-registration or via some other definitive action such as tapping their badge
• Always include an option for people to opt out of receiving further communication from you

Data Storage

Now that you’ve gathered all of that lovely and useful data, you want to keep it on file so you can process it and learn from it. So how do you do that, whilst still making sure you’re on the right side of GDPR?

What do I need to do?

Data Access

• If there are any hacks or data breaches, you must inform the local data protection authority within 72 hours

Data Storage

• Only store data that is deemed ‘absolutely necessary for the completion of duties’
• Always ensure that data is encrypted before it is stored

Data Permissions 

• Ensure your data is managed in a way that ensures it can be corrected or removed upon a users request
• Consider automating the process for removing people’s data when requested – this will remove the possibility of human absence or error
• Create a clear process and name a Data Protection Officer who will be responsible for overseeing that due process is being followed

Mobile App

Just like any other data processing, when people sign up for your event app, you need to ensure that you are looking after their data responsibly.

What do I need to do?

Data Access

• Be clear about who is able to access the data gathered via your event app and include information about all parties who will be able to access the data in your Terms and Conditions

Data Storage

• Ensure all data gathered via your event app is encrypted

Data Transfer

• Create a clear method for transferring and gathering data from your event app
• Ensure all data is encrypted when being transferred between event apps

Data Permissions 

• Create clear Terms and Conditions when people log on to the event app
• Ensure that the Terms and Conditions are clear, detailed and easy to understand
• Ensure that everyone who uses your event app has accepted these Terms and Conditions

Top tip:

When in doubt, consult an expert! Many event tech providers are experienced in dealing with GDPR and ensuring that data is fully compliant. They may be able to help you to review your system and ensure you are following regulations. Be warned though – as soon as they hand the data back to you, you’re responsible for ensuring it is handled in a fully compliant manner.

So, that’s it – all you need to know to ensure you’ve got this GDPR for events thing all figured out! Looking to work with an event technology company who understand GDPR for events? Give us a call! We’re always happy to talk all things data and technology-related (yes, we did have friends in school – honest).