The acronym GDPR stands for "General Data Protection Regulation".
It came into force on May 25, 2018 and regulates the processing, use and dissemination of personal data in the European Union. The GDPR thus applies to any organization within the EU, regardless of its size and whether it uses personal data for its own account or not.
The scope of application of the GDPR is therefore vast, and event management falls within it. That is why we have decided to give you our top 5 tips for successfully setting up and applying the GDPR in your event agency or event project.
Understand and comply with GDPR standards in event management
As a starting point, it is important to note that the GDPR is based on five concepts: consent, confidentiality, security, portability and access.
You must obtain consent and authorization from the participants of your events to store and use their data. To do so, consent requires a transparent explanation of how their personal data will be used.
Secondly, confidentiality must also be respected: the participants of your events must be able to ask you, at any time, to delete their data from your database and to stop sharing it. In terms of security, the GDPR obliges the event organizer - the event project manager - to report any security breach affecting shared data within 72 hours.
Portability refers to the fact that attendees may want you to transfer their data to them in a format that they themselves can then share with another data controller. Most importantly, you have an obligation to provide - within 30 days maximum - access to their data and to tell them how it is being used.
That being said, here are our tips to make sure you follow the principles of the GDPR in events. And you can find all our measures right here.
Be transparent regarding the consent of personal data
The first tip is of course to respect all of these prerequisites. This requires, first of all, transparency in the collection of participants' personal data and in obtaining their consent.
Note that companies that do not comply with the GDPR face several risks and sanctions.
According to the rules, in the case of infringements, incorrect application or non-compliance with the GDPR, there is "a fine that corresponds to 4% of global turnover for large companies, or 20 million euros fine".
Therefore, it is necessary to be precise concerning the opt-in.
In data collection, the opt-in is the mechanism by which a person voluntarily decides to give you permission to contact him or her.
However, the wording of the opt-in should not influence the participant's answers or agreement. Nor should the opt-in box be pre-ticked by default.
Be aware that once the first agreement has been obtained, you will no longer need to ask the registered participant for his or her consent, unless the purpose for which the participant originally agreed is no longer the main reason you are contacting him or her.
In any case, you must always give your clients and your guests the opportunity to unsubscribe from your event communications.
Manage and control all guest data in one place
In order to properly manage and control your guests' data, we recommend that you centralize it, i.e. keep all your personal data in one place.
As an event agency or project manager, you have surely set up automations to manage and share all the collected event data. However - be careful - you cannot automatically share your lists or the contact details of your event participants! You may only do so if these participants have agreed to share their personal data.
In order to comply with the GDPR for events, you must obtain the participant's consent (or opt-in) on each communication channel used.
Have a Data Protection Officer
Another tip not to be missed is to have a Data Protection Officer (DPO) within your event structure, that is to say a person in charge of protecting your customers' and participants' personal data.
This person will be in charge of supervising and validating every step and action involved in collecting and using data.
Be aware that having a DPO is only mandatory for public institutions and for organizations that frequently process personal, confidential data, and do so for a large audience.
Furthermore, this only concerns data relating to residents of the European Union.
Optimize your existing data
Finally, our fifth tip is to optimize your existing data, that is, to continue using the databases you already hold. However, in order to keep and use them while respecting the GDPR, you must be able to account for the purpose of the database (what it is used for) or for the precise date of each participant's clear consent and authorization.
(Small advice: if you wish to know the best SaaS tool to collect consent on your corporate website, check PrivacyBunker.io on the great SaaS Community website.)