Do you have European attendees at your event? If you are storing any data about them, you are subject to the European Union’s new General Data Protection Regulation (GDPR). After May 15, 2018, non-compliance with GDPR can result in fines of up to the higher of €20M (approximately $23M USD) or 4% of annual revenues.
So take note – capturing names, titles, addresses, travel info, survey responses, or sessions attended by European attendees will bring you within the scope of this EU legislation even if your event is held outside of Europe.
What Event Planners Need to Know
This law protects the privacy of Europeans and enforces responsible stewardship of its citizens’ data. As an event organizer, you will have to be familiar with these elements when working toward compliance with GDPR:
- Consent – Active consent must be given by European attendees in order to store their data. The key term is active consent – European attendees must explicitly agree to the storage of their data, as opposed to submitting a form where a “yes” agreement is pre-selected. Use opt-in/opt-out functionality if your technology provides it.
- Breach Notification – You must notify those affected (attendees, exhibitors, sponsors, speakers, etc.) and data protection authorities within 72 hours of discovering a security breach.
- Access – European attendees have the right to request digital copies of their personal data collected by event organizers.
- Right to be Forgotten – European attendees can request to have their personal data purged. This also implies that event organizers must stop sharing the attendees’ information with third parties, and these parties must in turn also stop using that attendee’s data. So as personal data is shared between organizations, the ability to remove the individual’s data records from all systems must be shared along with it.
- Data Portability – The right to have attendee data moved from one storage area (database) to another. While this will minimally impact the event industry, it is still worth considering that a European attendee could request that their personal data be moved from one event app (or registration system) to another. Event planners must be able to export and distribute the record in a commonly accepted electronic format.
- Privacy by Design – This is a new requirement that calls for security and protection to be built into all processes and systems that house personal data. Ensure your tech providers can demonstrate their commitment to data security. The United States has one of the most lenient sets of data privacy laws in the world so preparation for and adherence to the stricter EU guidelines may seem a bit overwhelming.
- Data Protection Officer – While not relevant for most event planners, some multinational organizations must have a data protection officer when dealing with criminal convictions data.
GDPR and Event Tech
To summarize the effect of GDPR on event technology, after May 2018 event planners must be able to quarantine, distribute, and delete any data collected on European attendees. And they must be able to prove that security and data protection have been infused throughout their chosen technology and processes.
As a mobile event tech vendor, we are working to ensure that our customers will be fully GDPR-compliant well before May 15, 2018. This includes the ability to find and isolate attendee data and purge it from our systems if the need arises. As the leading provider of secure mobile event app technology, our commitment to data protection continues to ensure our customers are leveraging enterprise-grade security and cutting-edge technologies now and into the future.
If you would like to find out more about how QuickMobile can help you become GDPR compliant, feel free to email us at firstname.lastname@example.org.