Is this yet another GDPR article? Yes, but before you click on past, this article is a bit more specific, focussing on Event Organisers and a few important aspects relating to them.
If you have somehow managed to miss the basics here is a quick recap (otherwise skip the next two paragraphs). GDPR, the General Data Protection Regulation, comes into force on May 28th 2018 and is as dull as the name suggests but that doesn’t mean it should be ignored. GDPR is, in effect, a beefier version of the Data Protection Act and there are some significant aspects which have changed.
First off, the fines if you are found to be breaching the regulations could be huge – up to 4% of annual worldwide turnover (up to €20 million). Secondly, the onus with GDPR is focussed much more on how and why, with supporting documentation – no more simply ticking a box to say you comply. Lastly, and perhaps most significantly, with GDPR there is much more appetite to enforce, along with more resources to audit.
Nearly all of the material currently circulating is focussed around the more obvious areas of customer, supplier and employee data; everything from email addresses to bank accounts and the harvesting of information from websites, social media and direct mail campaigns. This is all valid and needs to be considered seriously, however, for events there are some additional areas which could too easily be overlooked.
CCTV
CCTV is not necessarily something that initially comes to mind when it comes to GDPR but it is very much part of it. The holding and releasing of CCTV footage is already well controlled but the new regulations go much further requiring information on camera placement, field of view and reasoning for coverage needed, coupled with proof of deployment and signage. This is a significant uplift for events compared to the current approach and will need to be factored into planning and deployment from the start.
It is also important to note that ANPR (Automatic Number Plate Recognition), drone and body-worn cameras will all need to be assessed too.
In practical terms, we are now expecting all temporary CCTV installations at events to undergo an audit during the build phase documenting the camera locations and reasoning for those locations. Field of view into public areas external to the event is especially important.
Agreement on how long footage is held for, the release process and who can receive the footage will also need to be under much tighter control.
Public Internet Access
Many events allow public access to the internet on an event Wi-Fi network after a ‘splash page’ which may capture details such as an email address to be used after the event to send marketing information. In the future this information is more controlled and must use explicit ‘opt-in’ clauses before the email address can be used.
Even the logging of an IP address (the identifier used when a device connects to the network) coupled with the user information is governed by GDPR, however, this information is required to be stored under the Investigatory Powers Act 2016 (aka the Snoopers’ Charter) so the way it is stored and who has access to it is very important.
For events which offer public internet access the method of access and what information is captured and stored will need to be reviewed, with likely changes to the Terms & Conditions and opt-in statements.
Supplier & Volunteer Registration Systems
Employee and customer data is called out in nearly all GDPR overviews but it is important to remember that GDPR covers all data including anything recorded for suppliers and volunteers. Any system (paper or electronic) which stores personal information must be assessed including aspects such as what information is stored, where it is stored, how it is stored, how it is used, how the owner can remove it and who has access.
Visitor/Attendee Information
Any personally identifiable information gathered on attendees, such as an email address falls under the same regulations – this could be via initial ticket purchase, attendee registration or at the event itself. Particular attention must be paid to any direct marketing as the attendee must explicitly opt in to any future communications and have means to update or remove their information.
Many of these areas are likely to require a Data Protection Impact Assessment (DPIA), this is a new tool and process which must be used when new technology is used or when there is high risk to individuals.
The new regulations also broaden the scope of ‘personal information’ to cover just about everything from a name, email or social information through to genetic, economic and cultural information. The holding of this information has to be shown to have positive, clear consent from the individual using ‘plain English’ type agreements.
An individual must be given the ability to view and update information, and importantly has the right ‘to be forgotten’, which means complete removal from all systems.
These changes may initially look very onerous, however, a lot can be covered by a sensible review and improvements to existing processes. The important thing is not to ignore it – the changes are coming and a lack of preparation will not be a defence if you are found to be in breach.
For events we work on we will be working closely with organisers to assist and make sure all aspects are covered, providing templates and guidance wherever possible. If you would like to discuss any aspect of GDPR impact on your event then please contact us and we will be happy to help.