GDPR. Four simple letters that should strike fear into the heart of every event planner, if they plan to take advantage of an event app without adequate preparation. If you don’t believe these new laws apply to you as you operate outside the European Union or believe this is just something for “big business,” you should think again – and quickly.
Sign of the Times
The General Data Protection Regulation (GDPR) came into force in May 2018. These laws represent a significant change to data handling and privacy, designed to protect the rights of the individual.
As an event planner you are at least a collector of data and could also be a data processor (as defined by the law). If you work with a mobile event app supplier, then they are the data processors, but you have an implicit relationship with them and must know how they operate.
If you capture any information relating to an EU citizen, then you must be careful how you treat it. You need to make it clear to these individuals how you will use their data and must give them the opportunity to agree to this, clearly and unequivocally.
If they have given you their permission, ensure that you store the data as safely as possible and in a non-identifiable fashion. You must also notify the regulators if you suspect that a data breach has occurred and some of this information may have found its way into the hands of a third party.
There are hundreds of event-specific apps on the marketplace now and they have made the lives of event planners a lot easier. Almost every one of them relies on data analysis, and much of this is specific to the individual attending the event. Each one of these apps must now follow the GDPR laws, or there is a significant risk to both the app designer and you, as the event planner.
At the least, a new user must see a clear and understandable description of their rights under GDPR when they first sign in. It must tell them why you're gathering this information about them and must include a clear link to the full privacy disclosure and data protection page.
If the planner will use their data for a variety of different purposes, they must receive consent from the individual at each stage. You must also ask them whether they want to be in a network environment and whether they agree to take part in a chat session. It's best to set the opt-in box to "no" by default, so that ticking it shows they have given their consent freely.
Storage and Access
Assuming you comply with all this, you must make sure that the data within an individual record is time stamped and unambiguous. The app must keep it in a secure environment and should use encryption or pseudonymization, so it is not identifiable. This provides an additional layer of protection for you under the GDPR regulations.
It Takes Two to Tango
As the event planner, you value the data that the app generates. You may believe the app designers need to worry about gathering this and GDPR issues, but you (as the end user) share this responsibility. Therefore, you need to ask the app designer some specific and searching questions.
How to Talk to the App Provider
Besides asking them whether they are GDPR compliant, you need to dig into their security policies and find out how they store their data. You need to make sure they have steps in place at each stage so that, whenever a new use is found for the data, they obtain updated approval.
You need to understand how and where they store data and who has access to it. GDPR may not permit the transfer of any data outside the EU to international servers, so you need to find out if they plan any such data transfers.
One of the biggest risks is a data breach and the app provider needs to have a policy in place to deal with this. If they use encryption or other methods, are they comprehensive and would these methods satisfy GDPR scrutiny?
People now have the “right to be forgotten” and to opt out permanently. If they request this, is the app provider ready? How long does this take and how seamless is the transition?
Finally, you need to understand how the app provider works and whether they rely on subcontractors or other third parties to provide their service. If so and these other organisations have access to the data, are they still compliant under GDPR?
Is This Just the Start?
The event industry has undergone a radical transformation during the digital revolution and event apps are here to stay. While GDPR may seem onerous, it is a sign of how governments view the subject of privacy protection and may be only the start of a trend. You need to make sure that you are on the right side of the fence here and that you remain compliant at all times.