What Event Organisers Need to Know About GDPR

Another GDPR post? I guess you’re probably sick of hearing about GDPR by this stage. However, we’re a bunch of sadists at Get Invited, and we simply want to add to your pain 🙂

So, sit back – grab a beer (or wine) to ease the pain and enjoy our guide to making a smooth transition to ensuring your event planning process is GDPR compliant.

Disclaimer

GDPR is different for everyone, and this article is intended as a guide only. You should always seek the guidance of a lawyer to advise on your situation and ensure you’re complying with the law.

What is GDPR?

The General Data Protection Regulation is a new set of regulations that govern how personal data is handled.

Any individual or organisation who collects personal data has a responsibility to ensure they are appropriately handling this data.

Essentially, GDPR is about ensuring personal data is being used for the correct reasons and the owner of the data clearly understand how their data is being managed.

Breaches can result in you being fined up to £17 million or 4% of your annual turnover, whichever is larger. You don’t need us to tell you that that’s a lot of money!

How Will GDPR Affect Event Organisers?

If you’re running an event, you will naturally be collecting, processing and storing personal data about your attendees.

You most likely use some third-party services for collecting and storing this data, like Get Invited for ticket sales or MailChimp for email marketing. While these services are partly responsible for ensuring that data is stored securely, it is your responsibility as an event organiser to ensure you are handling data properly and that you communicate to your attendees:

  1. What personal data you are collecting
  2. What you will use this data for
  3. If you share this data with any third party
  4. Where and how the data is stored
  5. How long you will store the data for

You also have a responsibility to ensure the data is stored securely – more on this later.

Event Organiser Best Practices for GDPR

There are many things you must do to ensure your event planning activities are GDPR compliant. It’s not going to be easy, or fun but we’re here to help you through the process.

1. Create a Data Audit

Unmotivated woman on laptop

The term data audit probably makes you want to curl up into a little ball underneath your desk, but it’s simply a document that maps out what data you collect on your attendees, how you use this data and where it is stored.

You are required under GDPR legislation to perform a data audit. This step will also help you to better prepare for the next steps listed below.

Download or free GDPR data audit template to help you knock this out of the park in under 30 minutes.

2. Be Clear What You Will Use Attendee Data For

When someone signs up for your event, they will be providing their full name and email address along with any other data you collect. If you’re going to use this data for any purpose other than checking them into your event, then you should clearly state this on your event registration page.

For example, if you plan on emailing them news relating to the event or future events, then make this clear to them when they are booking a ticket.

We recommend that you write a privacy policy that explains what you will use the data for and then link to this on your event registration page.

3. Decide How Long You Will Retain Data

You should also explain to your attendees how long you will hold onto their data. Ideally, you should only store the data for the length of time that it is required for the purposes for which it was processed.

In other words, after your event has ended – you should remove the attendee’s data. If you plan on storing it for longer, then make this clear to your attendees and state the reasons why you are retaining it.

4. Ask for Consent

Woman's hand signing document

When someone registers for your event and you plan on sharing their data with a third-party (such as an event sponsor), or you’re going to send them marketing emails; then always ask for their consent to do so.

Third-parties also include any services that you use to manage attendee data, like your event registration tool or Facebook ads if you’re using mirror audiences.

When an attendee registers for one of your events, you can contact them with marketing offers that relate to your event, but you must give them the option to opt-out of receiving communications from you free of charge.

Always avoid using pre-ticked consent boxes for this. You can create opt-in boxes easily on Get Invited by adding a custom question.

It’s not just attendees you need to be concerned about either. If you’re going to share a speaker’s photograph and bio on your website or social media, make sure you ask for their consent to do this. Most people won’t object, but it’s courteous and good practice to ask.

The same applies to taking photos of people at your event, always ask consent before sharing photos online.

5. Provide Easy Opt-Outs

Attendees can withdraw their consent at any stage – if you’re sending email marketing campaigns, ensure you have a clear unsubscribe link to opt-out at any time. Use an email service like MailChimp to send email campaigns, and it will automatically include an unsubscribe link for you in every email.

Attendees also have the right to object to receiving marketing emails; having their data shared with third-parties, or their data being used for automated decision making.

6. Provide Personal Data When Requested

Under GDPR, every attendee of your event has the right to obtain a copy of the data you hold on them. This must be provided within 30 days, free of charge.

Your data audit from point #1 should document the data you hold on your attendees and where it is stored, so you should be able to easily locate it and send it to them.

7. Edit or Delete Personal Data Upon Request

If the information you hold on an attendee is inaccurate, you must be able to edit this upon their request. If you have shared incorrect details with a third-party, then it is your responsibility to correct any inaccuracies.

Attendees also have the right to request that you delete any data you hold on them. Ensure you have the means and know-how to achieve this upon request.

8. Ensure Good Security Practices

Computer Hacker

Make sure you choose secure passwords for any services you use for storing attendee data and don’t share these passwords with anyone else. Never store attendee data on any service that isn’t password protected.

If you’re sharing data with a third-party, like a sponsor or hotel, then make sure you understand and agree with their security practices.

Ensure that all team members adhere to the same security practices, and if a member of staff leaves your team – always make sure that you revoke access to any online services they have access to.

Your security practices should also extend beyond the digital realm – avoid using printouts of attendee lists at your event as these can easily be lost or stolen. Instead, use a digital check-in application like the free Get Invited app for managing attendees at your event.

What to Do in Case of a Data Breach

If you believe you have experienced a data breach, then you must report it to your relevant authority within 72 hours.

A data breach can range from something as simple as printing a hard copy of your attendee list without their permission to having your laptop hacked or stolen.

Whatever you do, don’t panic – if you’ve followed sound principles in preparing for GDPR and you can evidence this through your documentation (like your data audit), then you’re unlikely to run into any trouble unless you have shared a lot of personal data through gross negligence.

If in doubt, then always contact your lawyer for advice.

Next Steps

Let’s quickly recap what you need to do next to ensure your event planning process is GDPR compliant.

  1. Complete a data audit – map out all the data you’re collecting on your attendees, where it’s stored and how long you’re storing it for.

  2. Review your consent process and make sure that you’re asking permission from your attendees for all the reasons you use their data for. The more data you’re collecting and the more extensive the uses of it, the more complicated your consent process is going to be.

  3. Create a privacy policy for your event. Clearly state what information you will collect from your attendees and what this will be used for. If you’re going to be sharing this data, then explicitly state this upfront. Your privacy should use, clear easy-to-understand language.

Need Help?

Is GDPR providing one too many headaches for you? We’ve partnered up with Briefed to provide you with easy online GDPR training and some off-the-shelf privacy policies you can use.

Just click the banner below to get started.