As a business event organizer, you collect, access, manage, and share information about your attendees. It is therefore essential to know the basic principles of GDPR to ensure that your data collection and management methods when running your event are compliant with this regulation.
What is the GDPR?
The General Data Protection Regulation has been in force since May 25, 2018 in the European Union.
Its objective: to strengthen the legal framework for the protection of personal data, and to standardize it throughout the European territory.
As an event organizer, you need to address 4 points to comply with the GDPR:
- Obtain explicit consent from participants
- Centralize and control data management
- Appoint a Data Protection Officer
- Choose your event platform carefully
1) Obtain explicit consent from participants
The first requirement is to obtain the explicit consent of your audience to receive communications from your company before, during and after your event.
Obtaining consent (known as “opt-in”) must:
- Explicitly inform your attendees of how their personal data will be used
- Not use tricky wording that leads the participant to the desired response
- Not be “pre-ticked” by default.
Example of good practice: “Would you like to receive our weekly newsletter? – Answer: Yes or No”.
Once the initial consent is obtained and the participant is enrolled, it is no longer necessary to ask for consent to send communications to registrants, which are then considered “transactional” communications. Transactional communications are directly related to the reason why participants have registered.
For example: confirmation of registration, sending a badge, sending practical information.
For past events, you must be able to prove the consent of your participants with dated proof. If this is not the case, it is necessary to renew the request for consent before any new sort of communication is made.
For future events, you must explicitly request consent from your participants and inform them of how their personal data will be used.
If an attendee requests it, you must be able to provide them with a history of the data collected about them throughout the event cycle. You must also give them the opportunity to freely unsubscribe from event-related communications at any time.
2) Centralize and control data management
Sharing participant data with partners
You may only share the list and contact information of event attendees if your attendees have consented to the sharing of their personal data with third-party organizations.
It is crucial to be careful about this to avoid substantial consequences in the event of a justified complaint from an attendee.
Sharing participant data internally
You can only share the list of participants to add to a prospecting list, or to a newsletter’s sending list, if you have obtained the consent or opt-in of the participant for any type of communication you wish to send in the future: commercial contact, subscription to the marketing newsletter, invitation to a webinar, etc…
3) Appoint a Data Protection Officer
If you don’t already have a Data Protection Officer (DPO) in place, one should be appointed within your organization to oversee and validate all data collection and use activities (including your event operations).
Responsibilities of a DPO
- Train internal teams to respect the standards required by the GDPR in terms of data security and confidentiality
- Report any non-compliant activities regarding the data collection system, and ensure that the necessary corrective measures are put in place
- Validate the sharing of data with external partners and manage any disputes with participants.
Even if your organization is based outside the EU, GDPR is relevant for all data relating to residents of the European Union.
4) How to choose your event platform
Professional event organizers will rely on their event management solutions to ensure the GDPR compliance of their events. It is therefore important to choose the right platform!
Difference between Data Controller and Data Processor
The Data Controller: this is the company or person who decides what data to collect, and who defines the purpose of this data collection
The Data Processor: this is the company or person who processes the personal data on behalf of the data controller
The event organizer is the Data Controller, while the event technology providers are the Data Processors.
The fundamentals of a GDPR compliant event platform
- Be built on a solid, state-of-the-art structure in terms of application security, integrating the “Privacy by Design” standards
- Allow for physical destruction of data upon request by the organizer
- Have a cookie management policy on the Front-end applications that guarantees a strict classification rule for cookies (essential / non-essential)
inwink and the GDPR
With the inwink SaaS platform, as an organizer you can:
- Add your own legal notices to each data collection form and detail the data collection and processing flows that are specific to them
- Create a form to collect participants’ requests for access to their personal information or for using their right to be forgotten
- Create pages to allow identified participants to consult and modify their personal information
- Return all data collected on an event participant upon request or delete it physically, and therefore permanently.
In summary, the GDPR calls for your transparency as an organizer of professional events. It is your responsibility to ensure that you obtain the opt-in of participants, to be attentive to the modalities of sharing the collected data, and to make sure that all communication with your participants remains clear and unequivocal on this matter.
The choice of the event platform is essential to allow the correct application of the GDPR directives.