Event data protection in a post-GDPR world
For meeting planners, the General Data Protection Regulation (more commonly known by its initials, GDPR) has changed the way you collect, store and use information about your attendees since its introduction in 2017. Because it is part of EU legislation, you now need to cross all the t’s and dot all the i’s to bring your event up to GDPR’s requirements if any of your guests are EU citizens. The task is less daunting than it seems: we’ve pulled together this 3-point checklist of focus areas to make sure you – and everyone you’re working with on your event – meet the demands of the law to protect both yourself and your attendees.
FIRST THINGS FIRST: THE OPT-IN
Under the GDPR, no marketing communication can be sent without the express permission – or “opt-in” – of those receiving it. This requirement also holds for legacy contacts who may have signed up to your mailing lists before the GDPR legislation took effect. In short, anything other than a verifiable “yes” to receiving your messages is in fact a “no,” which is why all of our inboxes probably received a rush of opt-in messages this past spring. So how best to meet the law’s requirements while still getting messaging about your event out where it needs to go? Besides sending a clearly worded opt-in message to all their earlier contacts, many meeting professionals are also increasing their activity and visibility on other platforms like Facebook and LinkedIn to get the word out.
KEEP IT UNDER LOCK AND KEY
Ensuring the safe storage of your attendees’ data is key from step one: once their personal information is in your hands, whether before, during or after an event, it’s your job to keep it protected. Besides ensuring all sign-up forms meet GDPR standards for data collection, it’s also a must to make sure that access to attendees’ information is given on a need-to-know basis – freelancers and interns most likely don’t need it. Furthermore, keep all data in password-protected files on secure servers you know and trust. Only send this information via encrypted e-mail – and don’t leave attendee list printouts lying about in the office!
CHECK YOUR LOCATION’S VIRTUAL SECURITY
We’ve written about the importance of in-person event security before, but under GDPR you can also be held liable if a venue’s Wi-Fi is insecure and a data breach occurs. Make secure access to the internet part of your location selection process.
While you and your team may have followed GDPR’s requirements to the letter, it’s important to double-check with any third-party event technology providers that whatever they’re providing for your event is also up to snuff. Make sure you know where their data is stored and how it’s transferred from point to point. Additionally, GDPR rules dictate that any data breach be reported within a 72-hour deadline, so it is worth asking your providers directly whether they are capable of reporting within that time.