GDPR Compliance for Events: What to Know & How to Prepare

Jun 28, 2024 Praggya Joshi

As we all know, data security and lawful management are not novel. However, they took a new, albeit complex, shape with the emergence of the General Data Protection Regulation (GDPR) in 2018. The landmark regulatory framework for protecting the personal data and privacy of people within the European Union (EU) has stringent requirements. Businesses who are not compliant have faced hefty penalties and consequent reputational damages. We are talking about fines of millions of dollars for processing customers' personal data wrongly! 

So, for event professionals globally, it is imperative to consider GDPR’s regulations seriously. Since every event requires you to collect significant personal data, process, and distribute it, non-compliance with the new regulations can be taxing. In this blog, we'll explain all aspects of GDPR for event planning. In addition, you will find a set of actionable steps to prepare yourself effectively. 

What Is GDPR? Overview and Principles
GDPR is a stringent security law which is central to EU’s privacy and human rights. This regulation for data privacy in the EU and the European Economic Area protects people with regard to the processing of personal data and its movement.  

GDPR applies to organizations who collect data of people from European Union or Iceland, Liechtenstein, Norway, and UK. So, companies whose target market is in the EU should abide by these laws. Similarly, if you are an event planner whose potential attendees belong to EU, you must comply by GDPR when collecting their data.  

The personal data you collect, how you process it, and the third-party who processes it on your behalf should adhere to the seven concrete protection and accountability principles which includes:  

1. Data Protection Principle
This GDPR principle mandates the following: 

• The data (names, emails, postal address, phone number, social media handles, headshots, payment, and disability information) should be processed fairly and transparently. 
• The attendee must know the purpose of data processing and you should process the data exactly how you have revealed it to them. 
• Abstain from collecting data without attendee consent. 
• Personally Identifiable Information (PII) should be stored according to a specified period. Names, last names, email addresses, contact numbers, and home addresses are some of the examples of PII. 
• Data processing should be encrypted to maintain confidentiality.

2. Accountability Principle
Event planners should be able to show that they are GDPR-compliant. It can be done by disclosing a privacy policy, setting up data processing agreements if you share personal data with other organizations, and implementing security measures for data protection. 

3. Data Security
It is essential to handle customer data using specific technical measures. This is done through encryption and pseudonymization (substituting personally identifiable information with pseudonyms or artificial identifiers). In addition, some other crucial security controls include Identity and Access Management (IDAM), Data Loss Prevention (DLP), Incident Response Plan (IRP), Third-Party Risk Management, and Secure Access Service Edge (SASE). 

Eventcombo’s event technology is fully compliant with GDPR. Check out the tools that help you protect attendee information and turn their data into a valuable source of growth.  

4. Data Protection by Design and by Default 
Data protection by design means enforcing technical measures to protect data in your operational processes, for example, by using encryption and pseudonymization. Data protection by default means processing data of customers with the highest privacy protection. An example is letting customers control their personal data. They should be able to access, correct, and delete it.  

5. Process Data Only When It Is Legal 
Data processing should happen only when you have the consent of the customer or if you are legally obligated for the same. An example is your audience opting to be a part of your marketing email list. Another example is you getting an order from the court to process data.  

6. Consent
According to GDPR, you should obtain the consent of your attendees to keep and use their data. They should actively agree on how you are using it. Active agreements are different from passive agreements, which occur in the form of pre-ticked boxes or opt-outs. 

SHOCKING FACT!
In 2018, Tax Return Limited was fined €200,000 for sending millions of unsolicited marking text messages without valid consent. 

7. Data Protection Officers (DPO) 
It is not necessary for every organization to appoint a DPO. This is applicable only if you are a public authority and act in a judicial capacity or if you need to monitor people systematically. Another instance in which DPOs are necessary is when you handle special categories of data on a large scale. It includes data showing racial or ethnic origin, political perspectives, religious or philosophical beliefs, biometric data or data about a person's sex life. 

How to Prepare for GDPR Compliance for Events? 
Event planners and organizers need to take some critical steps to protect data rights under GDPR and drive consented engagements which includes: 

1. Building a strategy to get consent for using personal data. It should be unambiguous, which means using unticked opt-in boxes distinct from other terms and conditions. You need to ensure that people are aware of what you will do with their data and get their consent.
2. Obtaining consent will change the way you share delegate lists with venues, speakers, and sponsors. You cannot directly ask, if you can share their details with your event partners. First, you must share the personal information you will disclose, with which companies, and how they will use it.
3. Thoroughly analyze all the reports and exports that third parties can access but your attendees do not know about. 
4. Gathering more data by leveraging multiple product offerings as the GDPR does not restrict internal data sharing after you get the customer’s consent.

DID YOU KNOW?
In 2012, Google set up a wide privacy policy by integrating 60 privacy notices. So, it merged data across services for a comprehensive pool of customer bases. Internal data transfers allowed it to boost its market position by collecting reams of data for targeted promotion and advertising! 

5. Provide documentation of personal data to attendees on demand. 
6. Have a legal basis for providing name tags to attendees. Seek their consent before printing their name on a badge. 
7. Marketing should be more about qualifying prospects and engaging them. You shouldn't incentivize your sales team to collect personal details of anyone who seems remotely interested.
8. Make a compliance contract with third-party vendors. It should comprise of Service Level Agreement (SLA) that explains the nature of services provided by your business and the key responsibilities of the vendor including- data security, work authority, access to data by the specific subject, notifying breach to subjects, and more. 
9. Safeguards like Standard Contractual Clauses or Binding Corporate Rules must be set when transferring attendees' personal data to areas outside the European Economic Area (EEA).
10. If an attendee demands to be removed, you should delete all their data with immediate effect. This includes event registration software, CRM, your email lists, erasing their row from your paper guest lists and XLS files. 
11. To ensure compliance with GDPR in virtual and hybrid events, check if your chosen platform is equipped with security measures to safeguard participant data during registration, sessions, and networking activities.
12. Leverage AI to make your event planning GDPR compliant. AI can be programmed for data processing to abide by GDPR regulations. For instance, AI systems can be made to process only the minimum necessary data and automatically delete it when no longer needed. It can also offer  individuals the right to access to manage their confidential data.

EYE-OPENING FACT!
TikTok was fined a massive €345 million after it was found that the platform improperly processed children’s data. It assessed the age verification and the processing of children’s personal data between 31 July and 31 December 2020. It was revealed that videos posted to children’s user accounts were public by default. The comments on those videos were also turned on by default. 

How  Eventcombo Enables Event Planners to Comply with GDPR Rights?
As an ISACA award-winning event technology provider, Eventcombo prioritizes you and your attendees' security and privacy. All our solutions for event planning and management are compliant with SOC2, PCI DSS, GDPR, CCPA, AND PIPEDA. This empowers event organizers to maintain the privacy of attendees while gaining high value from the insights they collate. 

Data security is at the core of our systems and solutions. Numerous clients have benefited from our data protection and GDPR approach. We'd love to assist you too. Reach out to us for a demo.