The 11 most urgent questions on the GDPR & events

On Wednesday, January 17, a group of 22 event professionals gathered at our brand new office for the first Insight Session of 2018! The new privacy law, the GDPR, was the central theme of this first session.* Although it’s only a matter of months before this new regulation comes into force, many event professionals still have a lot to learn about the topic. Time to discuss some practical applications!

* The new privacy law is called General Data Protection Regulation (GDPR).


1. What will this new law change for event professionals?

The new European privacy legislation requires personal data to be protected more carefully. As an event professional, you’ll need a clear picture of the types of personal data you process, and of whether you process them in a sufficiently secure manner.

Your suppliers play a big role in this: who can access these data - and do they handle them carefully? You are obliged to sign a Data Processing Agreement (DPA) with all suppliers that will process data on your behalf. Examples are (on site) registration partners or event software providers.

2. Who is responsible and accountable?

Your organisation has the final responsibility for the personal data. When working with partners or suppliers (sub processors), you have to ensure that the processing of the data is done in a safe way. Your sub processor (e.g. a registration or software partner) is also accountable for parts of the process.

You and your sub processors should have a clear understanding on the type of data you will each process - and how and where they are to be processed and secured. These elements must all be covered in a Data Processing Agreement (DPA). This agreement will be obligatory as of May 25, 2018.


3. What is a DPA?

A DPA is an agreement between you and the suppliers/partners that process data on your behalf. You point out responsibilities, types of data, duration and place of data storage, and what to do when a data breach occurs.

Momice offers a DPA that is custom made for event registration, covering all mandatory elements. If you use this DPA as a starting point, it will save you and your (software) partner a lot of time!


4. Which personal data (not) to request?

Discuss with your security & privacy officer which data you should, and should not, request in your registration process. Standard data (name, company, email) require a lower level of security than special data (social security number, credit card details, medical information). Processing this type of information is risky. Look for alternatives that match the security policy of your organisation.


5. Do you have to inform event website visitors what you will do with their personal data?

Yes, for every event website that involves data processing, it is mandatory to explain what your organisation will do with the requested data. You can include a link to your company’s privacy policy page, or when different policies apply to each event, you can include them in the event website text.

6. Can you avoid the strict European rules by processing and storing data in the US?

No, this is not possible. As a European organisation, you are required to follow European rules. YOU are responsible for handling the data correctly, whether you store them in the UK, Germany or the US. Working with US companies does have consequences: their privacy laws are less strict, and may not meet the European standards. Keep this in mind when selecting partners overseas!

7. How can I safely share presentations and registration lists with my colleagues or suppliers?

The most important thing is to control where your data end up. Therefore, it is advised not to send files containing large amounts of personal data via email. If you are working with event software, you can import your lists directly, or connect it to your CRM system.

If email is the only option, protect the file with a password and share the password separately via SMS or WhatsApp. For large (privacy sensitive) files you can use WeTransfer. In the paid version, you can add a password. It is wise to sign a DPA with them as well (soon to be made available to all their users).

8. How to best handle printing of badges and event scripts at copy centres? Is this part of GDPR? And is it considered a data breach when information gets lost?

Event scripts involve personal details, but in smaller amounts. They are not processed as such, so there’s no risk here. In case of badge printing, however, there are risks. You send a file containing personal details to a supplier. Printing is considered processing of data; therefore your copy centre is considered a sub processor and needs to sign a DPA.

9. What does privacy by design mean?

Privacy by design means that the software is designed from the outset so that client data are protected. For example, by being transparent about what will be done with the data and by not storing data longer than absolutely necessary.

Momice helps its clients by offering privacy by design: all registration data are automatically deleted from the servers no more than 30 days after the event. If you use Momice event software, a lot of your responsibilities as an event professional are covered in advance!

10. How to approach the GDPR as an events agency?

If you’re working for an events agency, three parties are involved: the principal (your client), the executor (your agency) and the processor (your event software partner). The party that receives the invoice is accountable and responsible. In this case, if the processor (your event software partner) sends the invoice to you, your agency is responsible for safely storing all personal data.

Your client will have the final responsibility for the data involved in this event. We therefore advise to sign one DPA involving both your client and your sub processor(s), covering all responsibilities. In the end, your client will also want to have a document that includes the entire chain of (sub) processors - so everybody will benefit.

11. If someone signs up for an event, can I send other emails to this person too?

No, by registering for this event, this person has signed up to only the event-specific email list. This person does not give you permission to send him/her emails concerning other topics/events. You can choose to include an opt-in for other emails, so your contact can easily tick a box to sign up. Be transparent and clear about what mailings this person can expect - and their frequency.

Conclusion

The new privacy legislation, which goes into effect on May 25, 2018, has a significant impact on event professionals, partly because they often process large amounts of personal data and collaborate with various suppliers. By mapping your workflow and suppliers, you can ensure that your events are organised safely and effectively, and in compliance with the new privacy law.
