As an event planner, or anyone in a role related to an event, your attendees’ personal data is of utmost importance, and GDPR compliance should be a top priority. This is especially true in 2023, as GDPR has been in force for five years now, and the regulations continue to evolve. By ensuring compliance, you protect your attendees’ personal information and avoid the risk of hefty fines that could harm your business.
Here are some essential dos and don’ts to remember to help you navigate GDPR compliance in the event industry. Following these guidelines ensures that your event complies with GDPR.
• Do: Be Transparent About the Data That the Event Will Collect
• Don’t: Share Attendee Information With Non-related Departments or Sponsors/partners Without Consent
• Do: Obtain Parental Consent for Minor Attendees
• Don’t: Retain Data for Longer Than Necessary, and Only Use It for the Original Purpose for Which It Was Collected
• Do: Ensure That Data Collection is Compliant Across All Event Technology Platforms
• Don’t: Use Attendee Data for Advertising Purposes Without Obtaining Double Opt-in Consent
Be clear about the data the event will collect and why it is necessary. Attendees should be fully informed and give explicit consent. This can be done through a checkbox, which is great evidence of consent.
Some suggestions for doing so include:
• Providing attendees with a clear and concise notice at the point of data collection, such as a pop-up or banner that clearly states what data will be collected and why.
• Minimizing the amount of data collected to only what is necessary for the event.
• Providing attendees with the option to delete or modify their data at any time.
Ensure that sponsors/partners cannot access attendee information unless consent has been given. In addition, keep attendee information private from unrelated departments. For example, if attendees registered an interest in product A, the team responsible for product B should not have access to their data.
If you are planning an event that involves minors, you must obtain permission from their parents.
According to iubenda, if your business directly targets minors (people aged 13 to 16, depending on each state’s rule), you need to obtain consent from their parents before processing any of their data. This step is challenging because it brings more people into the process. Parental consent can be confirmed in various ways, such as a copy of an ID card or passport, or credit card information. But everything starts with asking users how old they are before any of their data enters your system.
One practical example: when you need consent to send a newsletter, you send two confirmation emails at the same time. One goes to the primary user, the minor themselves, and the other to their parents. You are good to go only once you have received the consent confirmation from the parents’ email.
Don’t Retain Data for Longer Than Necessary, and Only Use It for the Original Purpose for Which It Was Collected
We recommend implementing a data retention policy to ensure the timely deletion of attendees’ personal data when it is no longer required for any relevant purposes.
Suppose you organize an event, and you collect attendee data for the purpose of sending follow-up emails and updates about future events. However, several months after the event, one of your sponsors asks for the attendee list to send out a promotional offer. Without proper data retention policies in place, you may be tempted to share the attendee list with your sponsor. However, doing so would be a violation of GDPR regulations.
In short, quickly deleting the attendees’ information will prevent you from accidentally violating the GDPR in the future.
All of your event technology tools process attendee data in some way, from the registration system and the mobile application to the lead capture application. It is important to check that every one of these tools complies with the GDPR.
The double opt-in method ensures a heightened level of confirmation from event attendees by requiring two stages of verification. The first occurs during the registration process, while the second involves attendees confirming their participation through their personal email accounts. This approach serves to prevent unauthorized use of email addresses and ensures that marketing newsletters are only sent to intended recipients after their confirmation.
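The two-stage confirmation described above, as an added example that is not part of the original article or of any product it mentions: registration issues a single-use token that is emailed to the attendee, and marketing is allowed only after the token has been confirmed within an assumed 48-hour window. The confirmed record also keeps the timestamps that serve as evidence of consent.

```python
import hashlib
import secrets
from datetime import datetime, timedelta, timezone

TOKEN_TTL = timedelta(hours=48)  # assumed confirmation window, not from the article


class ConsentStore:
    """Registration -> email confirmation -> consent record (constructed example)."""

    def __init__(self):
        self.pending = {}   # sha256(token) -> (email, purpose, issued_at)
        self.consents = {}  # email -> evidence of confirmed consent

    def register(self, email, purpose, now=None):
        """Stage 1: record the request and return the single-use token to email out."""
        now = now or datetime.now(timezone.utc)
        token = secrets.token_urlsafe(32)
        # Only the hash is stored, so a leaked database does not expose live tokens.
        key = hashlib.sha256(token.encode()).hexdigest()
        self.pending[key] = (email, purpose, now)
        return token

    def confirm(self, token, now=None):
        """Stage 2: called when the attendee follows the emailed link."""
        now = now or datetime.now(timezone.utc)
        key = hashlib.sha256(token.encode()).hexdigest()
        entry = self.pending.pop(key, None)  # pop makes the token single-use
        if entry is None:
            return False  # unknown, already used, or forged token
        email, purpose, issued_at = entry
        if now - issued_at > TOKEN_TTL:
            return False  # expired: the attendee has to register again
        self.consents[email] = {
            "purpose": purpose,
            "requested_at": issued_at.isoformat(),
            "confirmed_at": now.isoformat(),
        }
        return True

    def may_send(self, email, purpose):
        """Newsletters go out only to confirmed recipients, and only for the purpose they confirmed."""
        consent = self.consents.get(email)
        return consent is not None and consent["purpose"] == purpose
```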
Apart from the dos and don’ts mentioned above, there are other things about GDPR that you need to know. For example, transactions and invoices cannot be deleted because they are needed for tax purposes, but data that is no longer necessary should be deleted as soon as possible. As for fines, minor offenses are penalised at up to 2% of annual global turnover or 10M EUR, while major violations can reach 4% or 20M EUR, whichever is greater.
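The retention policy recommended earlier and the invoice carve-out just mentioned, as one added example that is not part of the original article: each record carries a category with its own retention period and the purposes the attendee consented to, so the sponsor request from the scenario above is refused on purpose grounds, and expired records are purged while invoices are kept. The retention periods are assumptions for illustration; the article sets none.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed retention periods (not from the article). Invoices are kept far longer
# because tax rules require them; attendee data is dropped once its purpose has passed.
RETENTION = {
    "attendee_profile": timedelta(days=180),
    "lead_capture": timedelta(days=90),
    "invoice": timedelta(days=365 * 10),
}


@dataclass
class Record:
    record_id: str
    category: str
    collected_at: datetime
    purposes: frozenset  # purposes the attendee consented to at collection time


def is_expired(rec, now):
    return now - rec.collected_at > RETENTION[rec.category]


def purge_expired(records, now):
    """Split records into those to keep and those whose retention period has elapsed."""
    keep, delete = [], []
    for rec in records:
        (delete if is_expired(rec, now) else keep).append(rec)
    return keep, delete


def can_use(rec, purpose, now):
    """Purpose limitation: a record may be used only for a purpose it was collected for,
    and only while it is still within its retention period."""
    return purpose in rec.purposes and not is_expired(rec, now)


def sample_records():
    """Constructed sample data: three records collected on the (fictional) event day."""
    event_day = datetime(2023, 3, 1, tzinfo=timezone.utc)
    return [
        Record("r1", "attendee_profile", event_day, frozenset({"event_updates"})),
        Record("r2", "lead_capture", event_day, frozenset({"sponsor_followup"})),
        Record("r3", "invoice", event_day, frozenset({"accounting"})),
    ]
```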
In conclusion, GDPR compliance is critical for event planners in 2023 and beyond. Implementing the above dos and don’ts ensures your event is GDPR compliant and avoids potential fines. Remember, protecting your attendees’ data should be a top priority for any event planner.
Choose Happenn for GDPR-Compliant Event Technology
If you want to ensure that your event technology is fully GDPR compliant, Happenn is the perfect choice. Our platform is designed to collect and handle attendee data with full compliance to GDPR regulations. We provide transparent and clear instructions to attendees regarding data collection and usage, and we ensure that all platforms used for data collection and management are GDPR compliant.
If you want to learn more about how Happenn can help you with your next event, don’t hesitate to contact us through our website’s contact page or email us at firstname.lastname@example.org. We are always ready to assist you in making your event successful and GDPR compliant.