Checking GDPR Compliance for Events Companies.
If you handle personal data, your events organisation has been affected by the General Data Protection Regulation (GDPR), which came into force on 25/05/18. That may sound like a long time ago, but many companies are still not complying.
Don't get caught out by this data protection legislation. With the current downtime in the events industry there has never been a better time to check that your events company is complying. It goes without saying that every events organiser collects personal data every time a ticket is sold.
GDPR is an EU law on data protection and privacy in the European Union and the European Economic Area. It also governs the transfer of personal data outside the EU and EEA. Just because your events company is based in the UK, don't assume this won't apply to you after Brexit: the Regulation has been written into UK law alongside the Data Protection Act 2018 (as the "UK GDPR"), so the same obligations continue to apply in the UK after the country leaves the EU.
If you want to read the full text of the Regulation you can check it here. It is long and rather dry, but all is not lost: here is a brief summary of what you need to know. GDPR compliance is based on 7 key principles:
- Lawfulness, fairness and transparency.
- Purpose limitation.
- Data minimisation.
- Accuracy.
- Storage limitation.
- Integrity and confidentiality (security).
- Accountability.
This can be broken down into a few actionable tasks that you should focus on:
Data Collection.
Assuming that you collect personal data every time an event ticket is sold, you should identify where that data is held, whether it is ordinary personal data or special category (sensitive) data, how it is processed and who has access to it. Document all of this, and don't forget to consider any venue entrance technology that uses biometric information. If your processing is likely to pose a high risk to individuals you may have to complete a Data Protection Impact Assessment (DPIA); examples include collecting sensitive data using new technology, tracking anyone's location, processing biometric data and marketing to children.
Assign Responsibility, Processes and Procedures.
Within your organisation, assign someone responsibility for GDPR compliance and document that assignment. (A formally appointed Data Protection Officer is only mandatory in certain cases, such as large-scale monitoring of individuals or large-scale processing of special category data, but under the accountability principle you must still be able to show who owns compliance and how you meet the Regulation.) This individual will also be responsible for documenting all your GDPR processes and procedures, including your GDPR Compliance Plan and your Privacy Policy, which explains what you do with users' information. The Privacy Policy should:
- Include contact details of the company and its representatives.
- Describe why the company is collecting the data and the lawful basis for doing so.
- Say how long the information will be kept on file.
- Explain the rights users have.
- Be written in simple language.
- Name the recipients of the personal data (if the company shares data with another organisation).
- Include contact details for an EU representative and the DPO (if required).
The fines for non-compliance are substantial: up to €20 million or 4% of annual global turnover, whichever is higher. Note what happened to British Airways: after the booking details of around 500,000 customers were stolen in a cyberattack, the Information Commissioner's Office (ICO) announced its intention to fine the airline £183 million (about $230 million); the final penalty issued in 2020 was £20 million, still one of the largest under GDPR. When a personal data breach occurs and is likely to pose a risk to individuals, the affected company has 72 hours from becoming aware of it to inform its supervisory authority (the ICO in the UK). If the breach is likely to pose a high risk to individuals, the company must also tell them without undue delay. Notifying each affected individual can be avoided where the compromised personally identifiable information (PII) was protected by measures such as strong encryption that render it unintelligible to whoever obtained it; in that case only the ICO needs to be advised. This exemption only holds if the encryption key was not also exposed, so check how the keys were managed before relying on it.
This is only a brief overview of the key elements of GDPR compliance; make sure you assess its impact on your events business thoroughly.
If you use an events management software solution like FestivalPro you get built-in GDPR-compliant functionality for ticket ordering, fulfilling orders, managing deposit ticket accounts and distributing e-tickets to customers. The people responsible for this software have been on the front line of event management for many years, and are performance artists themselves, so the features are built from that experience. The FestivalPro platform enables events organisers to process their customer data in a secure environment, adding to peace of mind when considering GDPR. Bear in mind that a platform acting as your data processor does not take over your responsibilities as the data controller: you still need a written contract with the processor setting out what it may do with the data, and you remain accountable for the rest of the tasks above.