Data Protection

Preparing for GDPR

Within the Events Industry, we collect and manage a vast amount of data from attendees every year. Data is collected through a number of sources including registration forms, ticketing systems, social media, event apps, post-event surveys and so on. Event organisers rely greatly on the collection of personal data, and this data is frequently used across different mediums for marketing and networking purposes.

With planning for many events in 2018 and beyond already underway, it is essential that event organisers understand and prepare for the new data protection guidelines, GDPR, coming into effect on 25 May 2018. Ignoring the new guidelines can result in serious financial consequences - large fines will be enforced for non-compliance.

What is GDPR?

GDPR is the EU’s General Data Protection Regulation, the successor to the Data Protection Act, which becomes enforceable across Europe, including the UK. GDPR is a complete update and overhaul of our existing data protection regime, which dates from 1995. The modernisation takes account of changes to technology, updating legislation from the time of floppy disks to that of the cloud. It also puts individual rights at the heart of the legislation. These new rules apply to all your records, in all media and formats.

The UK Information Commissioner is responsible for enforcing the Data Protection Act 1998 and the General Data Protection Regulation (GDPR) for the United Kingdom. They have published a guide to GDPR, which they update on a regular basis and which is available here.

Important considerations for Event Organisers

- These new regulations will apply to both new & old data – it’s important to review your existing database to check what data you already hold and ensure any personal data you have is stored safely and securely.

- Ensure personal data is stored in an encrypted system and be mindful of who has access. Consider changing passwords on a regular basis.

- Ensure any personal data on-site at an event is stored securely.

- Soft opt-out is no longer an option. Pre-ticked check boxes with the requirement to opt out will no longer be acceptable under the new regulations. Instead, individuals need to actively consent to their data being collected and stored.

- Under GDPR, it’s important that the purpose of data collection is identified along with a clear description of how the data will be used.

- Third-Party Suppliers - many event organisers use third-party suppliers such as registration platforms or agencies to process personal data. It’s important to contact any supplier you currently use and ask them to verify GDPR compliance. You should also be aware of the timescale that any external suppliers will be holding personal data for.

Next Steps

- Create awareness within your organisation of the new guidelines. Ensure everyone understands the changes and the impact GDPR will have on how you work with data.

- Preparation is key – run a review of all your existing data to ensure that you have the appropriate consent, that you have adequate procedures in place to protect and safeguard your data, and that all your processes comply with GDPR guidelines.

- Check out the Information Commissioner’s Office Guide to GDPR.

- GDPR can be a complex matter. If you need any clarification or guidance on next steps, please contact the ICO directly.
