I know we are in the middle of a pandemic, but GDPR still applies. There have been various news stories about GDPR being ‘left’ to one side, as if the pandemic created flexible rules. It doesn’t; we must still be GDPR compliant.
When GDPR was announced I, like many, panicked slightly, but we were already managing our event data well; we just formalised the process to meet the rules.
Here are some of the basic measures you should have in place to help you manage your event data in a compliant way.
Policy, procedures, and planning
- GDPR Policy
Create a policy that you review and update for each event. It should detail why you are collecting the data, what data you are collecting, how it will be used, any third parties with whom the data will be shared (if appropriate), and how long it will be stored.
Most organisations should already have a GDPR policy in place, but it is worth creating an event-specific policy, as data might be used in very different ways for an event.
If you are using a company like MEDIAmaker to manage your registration and event data, ask to see their policy. You have a duty to make sure any third parties are handling your data correctly.
- GDPR Procedure
A procedure document detailing how you manage, handle and store data is key. It should also include how you will manage any potential breaches.
Schedule time to review and delete any data you are holding. Housekeeping is very important and should be part of your plan.
- Plan carefully what data you need to collect for the purposes of the event.
- Only collect the data you need. If you are not going to use it, don’t ask for it.
- Sensitive data: things get more complicated once you step into the realm of sensitive data, such as medical, ethnicity or political-opinion data. Again, only ask for information that you need for the purpose of the event. We treat special dietary requirements as sensitive, so we always ensure this is only shared with those who need it.
- Also consider how you are going to use the data, whether anyone else will need it, and why. Data can be managed and risks mitigated with thorough planning and, of course, good management.
- Store data securely: keep it on a separate secure drive with access restricted to permitted users only.
- Password protect documents and send the password separately, i.e. use a different communications channel from the one carrying the data to share passwords and access information.
- Regularly delete data. When creating the GDPR policy for each event, plan how long you need to keep the data. For example, for an annual event you may keep data until the next event has taken place, for connections and comparisons. Regularly deleting data means you store as little as possible, which minimises the impact if there is a breach.
- Only send relevant information. If the recipient doesn’t need it, take it out. For example, a hotel only needs names for a rooming list, so remove all other information. Over the years we have been sent lots of customer data, and sometimes this has included reams of data we didn’t need and, very occasionally, data we shouldn’t have seen. So make sure you edit and only include the relevant data.
- Delete your emails once sent and ensure all data is secure.
- Saving data to memory sticks: check your company’s GDPR policy, as many organisations do not allow this. If it is necessary, the data should be password protected and deleted at the earliest opportunity.
- Only send data to people who need to see it. If they regularly need to view data, access to a secure shared platform is a better solution.
- When sending data, include your GDPR guidelines so the recipient knows how you want the data handled. Be sure to remind them to delete it after use.
GDPR for events doesn’t have to be complicated; it just needs careful planning in the early stages. Collect the minimum amount of data and have a process in place to manage it.
Remember: Plan – Process – Protect.