On May 25 the much-hyped General Data Protection Regulation (GDPR) will start being enforced across Europe. While the law has been in place for two years, the start of enforcement coincides in our industry with a busy weekend featuring F1’s Monaco race, the Champions League Final, and the start of the French Open.
GDPR updates the laws that protect individuals’ personal data in response to massive increases in the amount of information that is gathered and processed about all of us each day. Simply put, GDPR ensures individuals’ rights and control over their personal information being held by companies. It also prescribes how companies must process, store and protect that data.
How to Comply with the New Law When Inviting Guests to an Event – Just Four Steps
When inviting guests to an event, there are just four precise steps to take to achieve GDPR compliance:
1. Guest personal data and rights disclosure
Invited guests must be told: why you are asking for their data; on what legal basis the data is being processed*; who the data will be shared with; how the data will be protected; and for how long it will be kept. Guests must also be told about their eight rights under GDPR and whom to contact about exercising those rights concerning their data.
*If you have heard that consent is a key element of GDPR, note that it does not apply to events. Consent must be freely given, and it cannot be considered freely given unless it is possible to register for the event without providing any personal data, which is not possible. So events need to rely on a different legal basis for collecting and processing guests’ personal data.
This disclosure is the easiest-to-see, public-facing statement of whether you are complying with the new law or not, so this element carries outsized importance.
2. Protecting guests’ data
Guests’ data must be protected from its collection through ‘processing’ (managing guest needs and logistics ahead of and during the event) to deletion after the event.
The personal data governed by GDPR includes names, the RSVP “yes” or “no”, contact details and, when needed, travel itinerary, transfer and accommodation details, and emergency contact information. Some events even collect guests’ photos, passport details and a credit card. All of this falls under GDPR’s definition of personal data and must be protected, from the simple items to the clearly more private and sensitive ones.
Whether you are processing the data in-house or retaining a vendor for this, the event or agency (the data ‘controller’) is ultimately responsible for guests’ data. The law calls for appropriate technical and organisational measures that build necessary safeguards in order to address risks and protect the rights of data subjects.
Organisational measures include data record-keeping, processing documentation, operating policies, and staff training.
Technical measures concern the security and protection of the personal data itself, such as ensuring that data is always encrypted during transmission and that, wherever it is held, it sits behind layers of access controls and protections that prevent improper release.
3. Be prepared with paperwork and for inquiries
Be prepared to respond to clients and regulators about your operations and compliance with this new law. Many specific elements are required of data controllers, and while many of these can be supported by a strong processing partner, the requirements and responsibility ultimately reside with the controller.
Among the requirements, each event/agency and, where applicable, the event’s vendors, shall maintain a record of processing activities under its responsibility. This requirement is about controlling baseline information that can be pulled together, written once, and then copied and adjusted minimally from event to event going forward. If hiring a guest management technology company, this should be part of the package delivered to you as part of ordinary business. For events/agencies with fewer than 250 employees there is a record-keeping exemption; however, this exemption is nullified if you collect data that events commonly need, such as medical accessibility needs or dietary restrictions, meaning the specific record-keeping requirements will usually remain in place for our industry.
Be prepared to respond to inquiries from individuals seeking to exercise their rights: access to all data you are holding about them; a request to change or delete data; a request to stop processing their data, or not to delete it as would normally happen post-event; or a request to export the data in a machine-readable form. Few individuals are likely to exercise these rights, given the clients, events, and specific data collected, but being prepared is one of the steps by which clients and regulators will judge your compliance.
4. Deleting guests’ data post-event
By default, all guest personal data must be deleted promptly after the event. It is permissible to retain select data for audit, transaction or another legitimate purpose, but this must have been spelled out in the initial guest-facing disclosure. Other data, not needed for such a specific purpose, must be promptly deleted.
As a side note, data deletion is a strict and serious requirement, so to the extent any data was emailed, and was therefore already not securely handled, the compliance problems are compounded by the technical and organisational difficulty of deleting it from email archives.
This document is not intended to be comprehensive; it is offered as general information only, to be verified by your legal counsel, especially in light of your specific situation, contracts, policies and other unique factors. And if hiring us, whilst Sports Systems has sound experience delivering GDPR-compliant systems, we do not guarantee full GDPR compliance with all data controller requirements, and each client should conduct its own review of all requirements and seek its own legal guidance where necessary.
The ICO have a lot of good practical advice on their website, including useful checklists and myth-busting practical guidance for different types of organisations.
Sports Systems is a resource to you. Some of the technical requirements of GDPR are difficult to implement, but we can be your technical team: we have got it done and have been delivering GDPR-compliant systems for several months, ahead of the enforcement deadline. While there are other guest management companies, Sports Systems alone serves the specific and unique needs of VIP hosting at major sports events through our GuestFirst service.
What’s a Data Controller versus a Data Processor?
GDPR distinguishes two types of companies that handle the personal data of individuals:
1) A controller is an entity that, alone or with others, decides the purpose and manner in which personal data will be used. Note that most of the operating responsibility, legal burden and financial exposure for data privacy, data protection and the fulfilment of individuals’ rights is carried by the data controller.
2) A processor works with the data on behalf of the controller. Processing means obtaining, holding or adapting personal data. An advanced processor will deliver beyond its own compliance, providing documentation and support for the controller’s compliance.
Crack On, Don’t Panic
To conclude: healthy GDPR compliance is not about avoiding fines, nor just about ticking legal boxes. Nor is it about approaching this from a perspective of fear and dread: comply or die. GDPR compliance is about doing the right thing, and for event hospitality programmes, with the right partner, compliance is achievable without unreasonable burden.
Have more questions about the GDPR implementation? Find some answers here: Hosting Hospitality Events – GDPR FAQ With Misconceptions!